
    Newsgroups: pl.comp.programming
    Date: Sat, 19 Aug 2017 08:40:49 -0700 (PDT)
    Subject: Re: code for flushing imports to .idata in exe
    From: fir <p...@g...com>

    On Saturday, 19 August 2017 15:22:46 UTC+2, fir wrote:
    > I think i need some code that would work like
    > that
    >
    > AddImportsForModule("KERNEL32.DLL", "ExitProcess", "GetModuleHandleA", "GetProcAddress");
    >
    > AddImportsForModule("msvcrt.dll", "fopen", "free", "printf", "exit", "fclose", "fread");
    >
    >
    >
    > well maybe it would be more like
    >
    > char* import_names[] = {"fopen", "free", "printf", "exit", "fclose", "fread"};
    >
    > AddImportsForModule("msvcrt.dll", import_names);
    >
    > but this is detail
    >
    > the code just needs to build binary block of .idata section that i can flush to exe file
    > when flushing exe to disk in my assembler
    >
    > i'm however a bit confused how weirdly this .idata binary is built, so maybe some hints on that?
    >
    > btw some best info i found on this topic is here
    >
    > https://github.com/macton/x64-fasm-examples/blob/master/Windows/00_BasicOS/00_pe_return_03.asm
    >
    > or around here, so if someone would like to focus on this and give me some hints may use it
    >
    > tnx

    after contemplating that sht for a while

    https://github.com/macton/x64-fasm-examples/blob/master/Windows/00_BasicOS/02_pe_messagebox_03.asm

    it seems to me that i need to do such things
    (say i got N modules of import)

    - flush N of those 40-byte-long module describing records and finish it with zero record

    - flush N module names

    - flush so called ILT and IAT for each module (slightly confused here)

    - flush all function names (intermixed with 'hints')

    would it be all? if so it seems less confusing than i previously thought (though those
    import-adding-api should be redefined as i need to build a whole collection before
    flushing it in last step)

    something like

    AddImport("KERNEL32.DLL", "ExitProcess");
    AddImport("KERNEL32.DLL", "GetModuleHandleA");
    AddImport("KERNEL32.DLL", "GetProcAddress");

    AddImport("msvcrt.dll", "fopen");
    AddImport("msvcrt.dll", "free");
    AddImport("msvcrt.dll", "printf");
    AddImport("msvcrt.dll", "exit");
    AddImport("msvcrt.dll", "fclose");
    AddImport("msvcrt.dll", "fread");

    FlushIDataSection();
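
The four steps listed in the post, carried through as a C builder; this is an added example, not code from the post or from the linked fasm samples. It assumes PE32+ (8-byte thunks), zero hints, and a caller-supplied section RVA, uses the 20-byte IMAGE_IMPORT_DESCRIPTOR that the PE format defines, and the signatures of AddImport and FlushIDataSection are hypothetical.

```c
#include <stdint.h>
#include <string.h>
/* Added example. Assumes PE32+ (8-byte thunks; use 4 for PE32) and hint = 0. */
enum { MAX_IMPORTS = 64, DESC_SIZE = 20, THUNK = 8 }; /* descriptor = 5 DWORDs */
static const char *g_dll[MAX_IMPORTS], *g_fn[MAX_IMPORTS];
static int g_count;
void AddImport(const char *dll, const char *fn) {  /* only records the pair */
    if (g_count < MAX_IMPORTS) { g_dll[g_count] = dll; g_fn[g_count++] = fn; }
}
/* First import naming the same DLL; import i opens a module when this is i. */
static int first_of(int i) {
    for (int j = 0; j < i; j++) if (!strcmp(g_dll[j], g_dll[i])) return j;
    return i;
}
static void put(uint8_t *p, uint64_t v, int n) {   /* little-endian store */
    for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i));
}
/* Hint/name entry: 2-byte hint + name + NUL, padded to an even size. */
static size_t hn_size(const char *s) { return (strlen(s) + 4) & ~(size_t)1; }

/* Builds the section for RVA `rva`; returns its size, or 0 if cap is too small. */
size_t FlushIDataSection(uint8_t *out, size_t cap, uint32_t rva) {
    size_t nmod = 0, names = 0, thunks = 0, hints = 0;
    for (int i = 0; i < g_count; i++) {
        if (first_of(i) == i) { nmod++; names += strlen(g_dll[i]) + 1; thunks += THUNK; }
        thunks += THUNK; hints += hn_size(g_fn[i]);
    }
    size_t name = (nmod + 1) * DESC_SIZE;          /* after descriptors + zero record */
    size_t ilt = (name + names + 7) & ~(size_t)7;  /* aligned thunk tables */
    size_t iat = ilt + thunks, hn = iat + thunks, total = hn + hints;
    if (total > cap) return 0;
    memset(out, 0, total);                         /* zero record, terminators, hints */
    uint8_t *d = out;
    for (int m = 0; m < g_count; m++) {
        if (first_of(m) != m) continue;
        put(d, rva + ilt, 4);                      /* OriginalFirstThunk -> ILT */
        put(d + 12, rva + name, 4);                /* Name -> DLL name string */
        put(d + 16, rva + iat, 4); d += DESC_SIZE; /* FirstThunk -> IAT */
        strcpy((char *)out + name, g_dll[m]); name += strlen(g_dll[m]) + 1;
        for (int i = m; i < g_count; i++) {
            if (first_of(i) != m) continue;
            put(out + ilt, rva + hn, THUNK); ilt += THUNK;  /* same RVA in both tables */
            put(out + iat, rva + hn, THUNK); iat += THUNK;
            strcpy((char *)out + hn + 2, g_fn[i]); hn += hn_size(g_fn[i]);
        }
        ilt += THUNK; iat += THUNK;                /* zero terminator per module */
    }
    return total;
}
```

The import entry of the PE data directory then has to point at `rva`, the start of the descriptor array.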
