Does anybody know some functions (public, not undocumented) to enlarge the import table of in-memory module?
And one more question - can anyone explain me what BindImage function do? In msdn i found that: "The BindImage function computes the virtual address of each imported function.". But where can i find result? 8)
And one more question - can anyone explain me what BindImage function do? In msdn i found that: "The BindImage function computes the virtual address of each imported function.". But where can i find result? 8)
Suppose that it returns the value in eax.
/siddhartha
/siddhartha
nop. the result is bool. i mean where can i find the result of compution "the virtual address of each imported function"?
BOOL BindImage(
IN LPSTR ImageName,
IN LPSTR DllPath,
IN LPSTR SymbolPath
);
BOOL BindImage(
IN LPSTR ImageName,
IN LPSTR DllPath,
IN LPSTR SymbolPath
);
You can use BindImageEx to have the computed address sent to a callback routine.
Does anybody know some functions (public, not undocumented) to enlarge the import table of in-memory module?
Do you mean "running process" or "manually loaded to memory"? If you're working on a PE editing tool, you should have a look at SantMat's IIDKing. I think he's working on a new version of the tool that's going to be a lot better, btw.
And one more question - can anyone explain me what BindImage function do? In msdn i found that: "The BindImage function computes the virtual address of each imported function.". But where can i find result? 8)
I would assume you find the result in the PE? =) As donkey says, you might want to check out BindImageEx... if you don't want to modify the exe file, specify BIND_NO_UPDATE as flag. You'll probably be interested in the StatusRoutine called with Parameter of BindImportProcedure.
f0dder, donkey thnx a lot :]
i understood it (i also found it in Richter's book =))... It shoud help me...
Im not working on new PE Tool, but i made some new injection method (multiplatform method which doesnt use any additional dll file) and when i tried to use it in delphi (i mean {$L obfile} ;)) i found out that delphi linker makes very specific import table, so standart code which works with VC and masm doesnt work :(
Im too lazy to rewrite my code :) so i began to search the easiest way 8)
i understood it (i also found it in Richter's book =))... It shoud help me...
Im not working on new PE Tool, but i made some new injection method (multiplatform method which doesnt use any additional dll file) and when i tried to use it in delphi (i mean {$L obfile} ;)) i found out that delphi linker makes very specific import table, so standart code which works with VC and masm doesnt work :(
Im too lazy to rewrite my code :) so i began to search the easiest way 8)
Hm, what's with the delphi import tables?
I know that borland linkers have had a lot of bugs, like firstthunk/originalfirstthunk, messed-up section virtualsize, etc... but what's with the import tables?
I know that borland linkers have had a lot of bugs, like firstthunk/originalfirstthunk, messed-up section virtualsize, etc... but what's with the import tables?
for example (the worst problem) there is no function names in import table (i guess u meant that when u wrote about firstthunk/originalfirstthunk problem) of in-memory module so i have to work with 2 import tables: from disk and from memory.
yup, only having FirstThunk and no OFT...