Hi,

I need some help with the program I am creating. I am trying to create a program that reads the import table. However, due to some problems that I do not understand, the code crashes with an access exception. Here's the part of the code that crashes:


mov edi,pMapping
assume edi:PTR IMAGE_DOS_HEADER
add edi,[edi].e_lfanew
assume edi:PTR IMAGE_NT_HEADERS
mov ebx,edi
mov cx,[edi].FileHeader.NumberOfSections
movzx ecx,cx
mov edi,[edi].OptionalHeader.DataDirectory[sizeof IMAGE_DATA_DIRECTORY].VirtualAddress
add ebx, SIZEOF IMAGE_NT_HEADERS
invoke RVAToOffset, ebx,edi
mov edi,eax ;edi = fileoffset
add edi,pMapping
assume edi:PTR IMAGE_IMPORT_DESCRIPTOR
invoke MessageBox,0,[edi].Name1,ADDR Error,MB_OK
.while !([edi].OriginalFirstThunk==0 && [edi].TimeDateStamp==0 && [edi].ForwarderChain==0 && [edi].Name1==0 && [edi].FirstThunk==0) <----- the place where the code crashes
;End of import table = null array of IMAGE_IMPORT_DESCRIPTOR
test [edi].OriginalFirstThunk,0
jnz aa
jmp ab
aa:
mov esi, [edi].OriginalFirstThunk
jmp ac
ab:
mov esi, [edi].FirstThunk
ac:
invoke RVAToOffset,ebx,esi
xor esi,esi
xchg esi,eax
add esi, pMapping
invoke MessageBox,0,[edi].ForwarderChain,Error,MB_OK
loopc:
test DWORD PTR [esi],0
jz breakloopc
test DWORD PTR [esi],IMAGE_ORDINAL_FLAG32
jnz ImportByOrdinal
invoke RVAToOffset, ebx,DWORD PTR [esi]
mov edx,eax
add edx,pMapping
assume edx:PTR IMAGE_IMPORT_BY_NAME
mov cx,[edx].Hint
movzx ecx,cx
ImportByOrdinal:
add esi,4
breakloopc:
add edi, SIZEOF IMAGE_SECTION_HEADER
.endw


The code for RVAToOffset is


RVAToOffset proc SectionHeaderAddress:DWORD, RVA
push ebx
push edi
mov edi, RVA
mov ebx,SectionHeaderAddress
assume ebx:PTR IMAGE_SECTION_HEADER
loopa: ;Change RVA to offset
test edi,[ebx].VirtualAddress
jng contiuneloopa ;edi>=ebx
mov eax,[ebx].VirtualAddress
add eax,[ebx].SizeOfRawData
test eax,edi ;edi<eax
jg contiuneloopa
mov eax,[ebx].VirtualAddress
sub edi,eax
mov eax,[ebx].PointerToRawData
add eax,edi
jmp breakloopa
contiuneloopa:
add ebx, SIZEOF IMAGE_SECTION_HEADER
loop loopa
breakloopa:
mov eax,edi
pop edi
pop ebx
ret
RVAToOffset Endp


I hope someone will help me. Thank you.
Posted on 2002-09-04 07:47:13 by roticv
Hi roticv, do you have OllyDbg installed on your system? It really helps me a lot when a program of mine has crashed. Maybe you should try it! It shows you where the fault has occurred; mostly you're able to detect the procedure where the fault is (because you can compare the code where the exception has occurred with the code you've currently changed in your program). I hope you've understood what I mean. If not, just ask. OllyDbg is a very helpful tool; if you don't need it now, you'll need it later.

:) Marwin
Posted on 2002-09-04 08:21:09 by Marwin
I did use OllyDbg to debug the code and found out that the part causing the error comes from the while loop. However, it is the edi that causes the problem. I just do not know what I did wrong with the edi register; that's why I asked for help :p

Thanks anyway
Posted on 2002-09-04 10:08:44 by roticv
roticv, could you please specify the point (the line) where the error occurs, because it's a wide range of code you've posted here!

:) Marwin
Posted on 2002-09-04 12:29:07 by Marwin
Marwin,

He posted this:
.while !([edi].OriginalFirstThunk==0 && [edi].TimeDateStamp==0 \
&& [edi].ForwarderChain==0 && [edi].Name1==0 && [edi].FirstThunk==0) <----- the place where the code crash


If it's exactly at this point, try rewriting it like this:


d$ TEXTEQU <dword ptr>
.while (d$ [edi].OriginalFirstThunk!=0 && d$ [edi].TimeDateStamp!=0 \
&& d$ [edi].ForwarderChain!=0 && d$ [edi].Name1!=0 && d$ [edi].FirstThunk!=0)


I also realize that you're quite a fan of assume :), personally I don't like it, but I seem to remember that you might have to use assume edi:NOTHING after being done with it?

Also this could be rewritten ;)


test [edi].OriginalFirstThunk,0
jnz aa
jmp ab
aa:
mov esi, [edi].OriginalFirstThunk
jmp ac
ab:
mov esi, [edi].FirstThunk

to:
test [edi].OriginalFirstThunk,0
jz ab
aa:
mov esi, [edi].OriginalFirstThunk
jmp ac
ab:
mov esi, [edi].FirstThunk


Take Marwin's advice though... Single-step that snippet in Olly and see where exactly it fails :grin:
Posted on 2002-09-04 12:56:13 by JimmyClif
The while loop


.while !([edi].OriginalFirstThunk==0 && [edi].TimeDateStamp==0 && [edi].ForwarderChain==0 && [edi].Name1==0 && [edi].FirstThunk==0)

expands to the following:


00401A44 cmp dword ptr [edi],0 <------crash on this code
00401A47 jne 004019E0
00401A49 cmp dword ptr [edi+4],0
00401A4D jne 004019E0
00401A4F cmp dword ptr [edi+8],0
00401A53 jne 004019E0
00401A55 cmp dword ptr [edi+0Ch],0
00401A59 jne 004019E0
00401A5B cmp dword ptr [edi+10h],0
00401A5F jne 004019E0
00401A65 jmp 00401A8A
Thanks Jimmy, I tried assume edi:NOTHING and nothing happened.
Posted on 2002-09-04 20:22:15 by roticv
roticv,
have you verified that edi holds a valid pointer before you start trying to use it?
Posted on 2002-09-05 00:20:15 by sluggy
sluggy,

How do you verify that edi holds a valid pointer? Thanks anyway.
Posted on 2002-09-05 01:19:57 by roticv
assume edi:PTR IMAGE_IMPORT_DESCRIPTOR

.while !([edi].OriginalFirstThunk==0 && ...)

. . . . . . . . .

breakloopc:
add edi, SIZEOF IMAGE_SECTION_HEADER
.endw


I guess it should be IMAGE_IMPORT_DESCRIPTOR if you are trying to fetch the PE import table.
Posted on 2002-09-05 02:40:14 by Four-F
I changed that code and it still crashed. Thanks anyway, I think that was my mistake.
Posted on 2002-09-05 03:48:28 by roticv
Maybe:
invoke RVAToOffset, ebx, edi

Should be:
invoke RVAToOffset, pMapping, edi
Posted on 2002-09-05 04:46:58 by Four-F
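An added example, not code from this thread or from roticv's program, written in C rather than MASM so it runs without winnt.h: it walks the import directory of a flat file mapping the way the original loop and RVAToOffset intend, but with the points raised by sluggy and Four-F made explicit. The RVA-to-offset check is a real unsigned range comparison (the equivalent of cmp/jb, not test), the descriptor stride is SIZEOF IMAGE_IMPORT_DESCRIPTOR rather than SIZEOF IMAGE_SECTION_HEADER, and every read is bounds-checked against the mapping length, so a bad RVA or a truncated file gives an error return instead of an access violation. The PE32 image is constructed inline; the function names, the hard-coded header offsets and the sample layout are this example's own assumptions.

```c
/* Added example (not from the thread): bounds-checked PE32 import walk over a
 * flat file mapping, with a constructed image so it runs offline. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_ORDINAL_FLAG32 0x80000000u
#define SECTION_HEADER_SIZE  40   /* SIZEOF IMAGE_SECTION_HEADER */
#define IMPORT_DESC_SIZE     20   /* SIZEOF IMAGE_IMPORT_DESCRIPTOR */

struct import_summary { int dlls, by_name, by_ordinal; };

/* Every dereference of the mapping goes through these bounds-checked reads. */
static int rd32(const uint8_t *img, size_t len, size_t off, uint32_t *v) {
    if (off > len || len - off < 4) return 0;
    *v = (uint32_t)img[off] | (uint32_t)img[off + 1] << 8 |
         (uint32_t)img[off + 2] << 16 | (uint32_t)img[off + 3] << 24;
    return 1;
}
static int rd16(const uint8_t *img, size_t len, size_t off, uint16_t *v) {
    if (off > len || len - off < 2) return 0;
    *v = (uint16_t)(img[off] | img[off + 1] << 8);
    return 1;
}

/* Section table = e_lfanew + sizeof(signature + FileHeader) + SizeOfOptionalHeader. */
static int section_table(const uint8_t *img, size_t len, uint32_t *tbl, uint16_t *n) {
    uint32_t lfanew, sig; uint16_t optsz;
    if (!rd32(img, len, 0x3C, &lfanew) || !rd32(img, len, lfanew, &sig) || sig != 0x4550) return 0;
    if (!rd16(img, len, lfanew + 6, n) || !rd16(img, len, lfanew + 20, &optsz)) return 0;
    *tbl = lfanew + 24 + optsz;
    return 1;
}

/* RVA -> file offset. Unsigned range test per section; 0 if no section holds the RVA. */
int rva_to_offset(const uint8_t *img, size_t len, uint32_t rva, uint32_t *off) {
    uint32_t tbl, va, rawsz, rawptr; uint16_t n;
    if (!section_table(img, len, &tbl, &n)) return 0;
    for (uint16_t i = 0; i < n; i++) {
        uint32_t h = tbl + (uint32_t)i * SECTION_HEADER_SIZE;
        if (!rd32(img, len, h + 12, &va) || !rd32(img, len, h + 16, &rawsz) ||
            !rd32(img, len, h + 20, &rawptr)) return 0;
        if (rva >= va && rva - va < rawsz) { *off = rawptr + (rva - va); return 1; }
    }
    return 0;
}

/* Walk IMAGE_IMPORT_DESCRIPTOR entries until the all-zero terminator; -1 on any bad RVA. */
int parse_imports(const uint8_t *img, size_t len, struct import_summary *out) {
    uint32_t lfanew, dir_rva, desc_off;
    memset(out, 0, sizeof *out);
    if (!rd32(img, len, 0x3C, &lfanew)) return -1;
    /* PE32: DataDirectory starts at OptionalHeader + 96; import entry is index 1. */
    if (!rd32(img, len, lfanew + 24 + 96 + 8, &dir_rva) || dir_rva == 0) return -1;
    if (!rva_to_offset(img, len, dir_rva, &desc_off)) return -1;
    for (;;) {
        uint32_t d[5], thunk_off, name_off;
        for (int i = 0; i < 5; i++)
            if (!rd32(img, len, desc_off + 4u * i, &d[i])) return -1;
        if (!d[0] && !d[1] && !d[2] && !d[3] && !d[4]) break;   /* end of table */
        if (!rva_to_offset(img, len, d[3], &name_off) || name_off >= len ||
            !memchr(img + name_off, 0, len - name_off)) return -1; /* DLL name unterminated */
        out->dlls++;
        if (!rva_to_offset(img, len, d[0] ? d[0] : d[4], &thunk_off)) return -1;
        for (;;) {                                               /* thunk array */
            uint32_t t, ibn_off; uint16_t hint;
            if (!rd32(img, len, thunk_off, &t)) return -1;
            if (t == 0) break;
            if (t & IMAGE_ORDINAL_FLAG32) out->by_ordinal++;
            else if (rva_to_offset(img, len, t, &ibn_off) && rd16(img, len, ibn_off, &hint)) out->by_name++;
            else return -1;
            thunk_off += 4;
        }
        desc_off += IMPORT_DESC_SIZE;   /* descriptor stride, not a section header */
    }
    return 0;
}

/* Constructed PE32 image (assumed layout): one section ".idata" at RVA 0x2000 -> file 0x200. */
static uint8_t g_img[0x400];
static void put32(size_t o, uint32_t v) { g_img[o] = v; g_img[o+1] = v >> 8; g_img[o+2] = v >> 16; g_img[o+3] = v >> 24; }
static void put16(size_t o, uint16_t v) { g_img[o] = v; g_img[o+1] = v >> 8; }
const uint8_t *sample_image(size_t *len) {
    memset(g_img, 0, sizeof g_img);
    memcpy(g_img, "MZ", 2); put32(0x3C, 0x40);                  /* e_lfanew */
    put32(0x40, 0x4550); put16(0x46, 1); put16(0x54, 0xE0);     /* "PE", 1 section, PE32 optional header size */
    put16(0x58, 0x10B); put32(0xC0, 0x2000); put32(0xC4, 0x3C); /* magic, import directory RVA/size */
    memcpy(g_img + 0x138, ".idata", 6);
    put32(0x140, 0x200); put32(0x144, 0x2000); put32(0x148, 0x200); put32(0x14C, 0x200);
    put32(0x200, 0x2100); put32(0x20C, 0x2080); put32(0x210, 0x2140); /* KERNEL32: OFT, Name, FT */
    put32(0x220, 0x2090); put32(0x224, 0x2120);                       /* USER32: OFT=0, Name, FT */
    memcpy(g_img + 0x280, "KERNEL32.dll", 13); memcpy(g_img + 0x290, "USER32.dll", 11);
    put32(0x300, 0x2180); put32(0x304, 0x2190);                 /* name thunks -> IMAGE_IMPORT_BY_NAME */
    put32(0x320, IMAGE_ORDINAL_FLAG32 | 5);                     /* ordinal thunk */
    put16(0x380, 1); memcpy(g_img + 0x382, "ExitProcess", 12);
    put16(0x390, 2); memcpy(g_img + 0x392, "GetTickCount", 13);
    *len = sizeof g_img;
    return g_img;
}

int main(void) {
    size_t n; const uint8_t *img = sample_image(&n); struct import_summary s;
    printf("full image: rc=%d dlls=%d by_name=%d by_ordinal=%d\n",
           parse_imports(img, n, &s), s.dlls, s.by_name, s.by_ordinal);
    printf("truncated to 0x300 bytes: rc=%d\n", parse_imports(img, 0x300, &s));
    return 0;
}
```

The second call in main deliberately passes a mapping length shorter than the thunk arrays; the walk returns -1 at the first out-of-range read, which is what replaces the access violation in the original.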
Yeah.. I figured out that the problem with the code is with the RVAToOffset proc.
Thanks to everyone that helped me
Posted on 2002-09-05 10:13:22 by roticv