Hi,
I am 'playing' with an API hooker and I stumbled upon an executable (compiled by Delphi, I guess...) with, say, 3 IID structures that point to their respective names (3x KERNEL32.DLL), and all 3 IIDs have different imported functions.
My question is: why are there 3 IIDs with the same name and different imported functions, when 'normally' there is 1 IID (KERNEL32.DLL) with all the imported functions (from KERNEL32.DLL)?
Tia,
Slash0r
That didn't make too much sense? Do you mean multiple imported names pointing to the same RVA? Or something completely different?
I meant this:
IMAGE_IMPORT_DESCRIPTOR 1 (57A00)
---------------------------------
0000 0000 0000 0000 0000 0000 5CB7 0500 (5B75C) 18B1 0500 (5B118)
{OriginalFirstThunk} {TimeDateStamp} {ForwardChain} {Name} {First Thunk}
Name = 5B75C - (Virtual size - Raw size) = 5B75C - (5B000 - 57A00) = 5B75C - 3600 = 5815C = KERNEL32.DLL
first thunk = 5B118 - 3600 = 57B18
1st imported function (57B18) = 5B7FA - 3600 = 581FA = 0,0,GetCurrentThreadId
...
43rd imported function (57BC0) = 5BAAC - 3600 = 584AC = 0,0,CloseHandle
IMAGE_IMPORT_DESCRIPTOR 2 (57A14)
---------------------------------
0000 0000 0000 0000 0000 0000 69B7 0500 (5B769) 0CB2 0500 (5B20C)
{OriginalFirstThunk} {TimeDateStamp} {ForwardChain} {Name} {First Thunk}
Name = 5B769 - 3600 = 58169 = KERNEL32.DLL
first thunk = 5B20C - 3600 = 57C0C
1st imported function (57C0C) = 5BABA - 3600 = 584BA = 0,0,TlsSetValue
...
5th imported function (57C1C) = 5BAF4 - 3600 = 584F4 = 0,0,GetModuleFileNameA
IMAGE_IMPORT_DESCRIPTOR 3 (57A28)
---------------------------------
0000 0000 0000 0000 0000 0000 76B7 0500 (5B776) 34B2 0500 (5B234)
{OriginalFirstThunk} {TimeDateStamp} {ForwardChain} {Name} {First Thunk}
Name = 5B776 - 3600 = 58176 = KERNEL32.DLL
first thunk = 5B234 - 3600 = 57C34
1st imported function (57C34) = 5BB08 - 3600 = 58508 = 0,0,lstrcpyA
...
67th imported function (57D3C) = 5BF3E - 3600 = 5893E = 0,0,CloseHandle
IMAGE_IMPORT_DESCRIPTOR 4 (....)
---------------------------------
blah blah blah
This doesn't make much sense... why didn't the compiler put the imported functions together?
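The descriptor walk the dump above does by hand, as an added Python example (not the poster's code or tool): it builds a constructed PE32 import directory with three KERNEL32.DLL descriptors laid out like the post's (OriginalFirstThunk zero, section RVA 0x5B000 at file offset 0x57A00), converts RVAs to file offsets the same way, parses the descriptors, and then merges them per DLL, because an API hooker that stops at the first descriptor matching a DLL name would miss the functions listed in the other two.

```python
import struct
# Constructed sample, not the poster's binary: one .idata-like section laid out as in the
# post (RVA 0x5B000 at file offset 0x57A00, so RVA minus file offset is 0x3600); PE32 thunks.
IDATA_VA, IDATA_RAW = 0x5B000, 0x57A00
SECTIONS = [{"va": IDATA_VA, "raw": IDATA_RAW, "size": 0x1000}]
GROUPS = [("KERNEL32.DLL", ["GetCurrentThreadId", "CloseHandle"]),   # descriptor 1
          ("KERNEL32.DLL", ["TlsSetValue", "GetModuleFileNameA"]),   # descriptor 2
          ("KERNEL32.DLL", ["lstrcpyA", "CloseHandle"])]             # descriptor 3

def rva_to_offset(rva, sections):
    """RVA -> file offset: rva - VirtualAddress + PointerToRawData of the containing section."""
    for s in sections:
        if s["va"] <= rva < s["va"] + s["size"]:
            return rva - s["va"] + s["raw"]
    raise ValueError(f"RVA {rva:#x} lies in no section")
def build_sample_file(groups):
    """Lay out descriptors, DLL names, hint/name entries and FirstThunk arrays in the section."""
    blob = bytearray(20 * (len(groups) + 1))           # descriptor table + all-zero terminator
    def add(data):
        rva = IDATA_VA + len(blob); blob.extend(data); return rva
    for i, (dll, funcs) in enumerate(groups):
        name_rva = add(dll.encode() + b"\0")
        entries = [add(b"\0\0" + f.encode() + b"\0") for f in funcs]   # hint 0, then name
        ft_rva = add(struct.pack("<%dI" % (len(entries) + 1), *entries, 0))
        # OriginalFirstThunk stays 0 as in the post's dump; only FirstThunk is populated.
        struct.pack_into("<5I", blob, 20 * i, 0, 0, 0, name_rva, ft_rva)
    return b"\0" * IDATA_RAW + bytes(blob)             # pad so file offsets are real
cstr = lambda buf, off: buf[off:buf.index(b"\0", off)].decode("ascii")
def parse_imports(data, sections, import_dir_rva):
    """Walk IMAGE_IMPORT_DESCRIPTORs up to the zero entry; return [(dll, [function, ...]), ...]."""
    off, result = rva_to_offset(import_dir_rva, sections), []
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<5I", data, off)
        if name_rva == 0 and ft == 0:
            break
        thunk, funcs = rva_to_offset(oft or ft, sections), []   # OFT 0 -> use FirstThunk
        while (entry := struct.unpack_from("<I", data, thunk)[0]) != 0:
            funcs.append(f"#{entry & 0xFFFF}" if entry & 0x80000000          # by ordinal
                         else cstr(data, rva_to_offset(entry, sections) + 2))  # skip 2-byte hint
            thunk += 4
        result.append((cstr(data, rva_to_offset(name_rva, sections)), funcs))
        off += 20
    return result
def group_by_dll(imports):
    """Merge every descriptor naming the same DLL: a hooker that stops at the first misses the rest."""
    merged = {}
    for dll, funcs in imports:
        merged.setdefault(dll.upper(), []).extend(funcs)
    return merged
```

Running `group_by_dll(parse_imports(build_sample_file(GROUPS), SECTIONS, IDATA_VA))` yields a single KERNEL32.DLL entry with six functions, CloseHandle appearing twice, just as it does across descriptors 1 and 3 in the dump.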
Maybe you are looking at a tampered exe.
Yeah, that is also possible...
I couldn't place it and was curious about it.