Title: [Even a newbie can understand it] The relationship between the IAT and the import table
Author: Stupid To Learn to crack
Foreign Name: EasyStudy
Date: NOP out
Tool: everything! :)
Note: Feel free to save it! I'm too tired, so this is plain text only!
I. Preface
Hello everyone! I had wanted to write XXX 2 again, but I don't think I would write it well. Next year then! Haha ~~
I have been wanting to post something for you all lately, but I had nothing to post. My skills are poor, so I am afraid of making a fool of myself! I thought about it for a while and still had no idea. A few days ago a senior (one of the people who taught me cracking) said to me: "Don't show off! Keep a low profile!" I had never thought about it, but there is nothing wrong with what he said. Some time ago I wrote an emotional post and got scolded by people online. The effect really was that bad, and I never expected such a big response! A few days ago I also shared what I had learned about the PE structure, and I really didn't expect it to be marked as a highlighted post! So I have always wanted to write something more classic, but I looked around and couldn't find a model to follow! Today I am sharing what I have just learned with you! If you like it, bookmark it, by the way! If you don't, just take a quick look! I really don't know whether it will count as excellent :)
1. Import table:
Ah! I know many articles have already covered this. Spend a few minutes on what I wrote; maybe it really is different from what the others say. Let's set other tools aside and look at what an import table actually is. We mainly use the new version PNHookApi 1.00.05, which shows a lot of PE information; if you don't have it, get it from the download area, or just use LordPE and a Win32 program built with VC.
[Figure 01.jpg]
In the figure, the upper part is the imported modules and the lower part is the information about the imported functions. We can see them clearly, but where does all of that actually come from? Nobody says! Let me explain. First, think of the import table as a whole: the import table has its own structure.
//-------------------------------------------------------------------------------------------------
In winnt.h I found its structure:
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
    union {
        DWORD   Characteristics;        // 0 for terminating null import descriptor (always NULL)
        DWORD   OriginalFirstThunk;     // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
    };
    DWORD   TimeDateStamp;              // 0 if not bound,
                                        // -1 if bound, and real date/time stamp
                                        //     in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
                                        // O.W. date/time stamp of DLL bound to (Old BIND)
    DWORD   ForwarderChain;             // -1 if no forwarders (mostly 0)
    DWORD   Name;                       // explained below
    DWORD   FirstThunk;                 // RVA to IAT (if bound this IAT has actual addresses); explained below
} IMAGE_IMPORT_DESCRIPTOR;
typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR;
In terms of structure, the declared types are:
_IMAGE_IMPORT_DESCRIPTOR
IMAGE_IMPORT_DESCRIPTOR
*PIMAGE_IMPORT_DESCRIPTOR // This one differs from the other two: it is a pointer to the structure, while the first two are the structure type itself.
//------------------------------------------------------------------------------------------------
Let's look at it field by field. The first, of course, is OriginalFirstThunk. I have deliberately left the name untranslated; I want you to form a concept first: the import table is closely tied to the IAT.
Let's PUSH what we just covered to save it, and POP it back later! First, let's look at the import table in hex.
Open the program from before in WinHex. First have LordPE or PNHookApi show the address of the import table. Here mine is 0002A000, with a length of 3C. The address shown is an RVA, so we have to convert it to the real virtual address or physical (file) offset of the import table. (This isn't clear without a diagram :()
[Figure 02.jpg]
The figure shows that the corresponding address is 00028000. We are lucky here: it is a round number right at the start of the section, so it needs no further conversion; if it were not, we would have to convert it. As for the conversion, I already covered it in my previous post and released a conversion function, so you don't need to worry about it; use it when you need it :). 00028000 is the physical offset we are looking for. Look at it in WinHex, as shown below:
//--------------------------------------------------------------------------------------------------
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00028000  3C A0 02 00 00 00 00 00 00 00 00 00 B4 A3 02 00
00028010  F0 A1 02 00 5C A1 02 00 00 00 00 00 00 00 00 00
00028020  26 A5 02 00 10 A3 02 00 00 00 00 00 00 00 00 00
00028030  00 00 00 00 00 00 00 00 00 00 00 00 A4 A3 02 00
Now let's POP the knowledge we pushed earlier!
Reading the dump DWORD by DWORD gives the first structure:
3CA00200 // OriginalFirstThunk (little-endian value: 0002A03C)
00000000 // TimeDateStamp
00000000 // ForwarderChain
B4A30200 // Name (little-endian value: 0002A3B4)
F0A10200 // FirstThunk (little-endian value: 0002A1F0)
//--------------------------------------------------------------------------------------------------
Every five DWORDs make up one structure. Let's look at the first field, 0002A03C, which is also a relative virtual address! It too needs converting. In practice the simplest way is to do the arithmetic by hand; some of you will say ......, that's hexadecimal! Never mind, you will pick it up! We already know that RVA 0002A000 corresponds to file offset 00028000, right? So 0002A03C - 0002A000 = 0000003C gives the offset within the section, and 00028000 + 0000003C = 0002803C gives the physical offset! :) It's just a matter of IQ! Let's look at what is at 0002803C!
//-----------------------------------------------------------------------------------------------------
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00028030  00 00 00 00 00 00 00 00 00 00 00 00 A4 A3 02 00
00028040  8A A8 02 00 7A A8 02 00 68 A8 02 00 56 A8 02 00
00028050  44 A8 02 00 34 A8 02 00 24 A8 02 00 0E A8 02 00
00028060  00 A8 02 00 F0 A7 02 00 E4 A7 02 00 D8 A7 02 00
00028070  CE A7 02 00 C2 A7 02 00 B2 A7 02 00 A2 A7 02 00
//------------------------------------------------------------------------------------------------------
We can clearly see that the DWORD at 0002803C is 0002A3A4. Converting it with the same method as above gives the physical offset 000283A4. WinHex shows the following:
//-----------------------------------------------------------------------------------------------
Offset 0 1 2 3 4 5 6 7 8 9 A B C D