Dependency walker (depends.exe) shows a 'Hint' column for exported functions. As far as I understand the Portable Executable format, exported functions do not have hint. Can someone tell me whether or not exported functions have hint? Actually, only imported functions should have hint..
I finally found the answer to my question...:
In dependency Walker (as well as in Dumpbin), the "Hint" is the position of the Exported Function in the EAT (Export Address Table)! This position has been named "Hint" since the the Loader will use this position when searching for the Functions from the IAT (Import Address Table). As, simple as that!
thanks.
Apparently not - see here. I suspect Dependency Walker is calculating the hint for the export 'to be nice'.
Related
Can anybody provide a definitive description of what an "exported symbol" is with respect to an executable binary, and NOT a library?
They are the same thing. You export a procedure in a dll so other code can call that procedure by name/ordinal from the dll/lib. You do the same thing with an exe, you can export functions to be used the same way.
How would I do Export Address Table (EAT) Hooking?
I'm able to do IAT (Import Address Table) hooking.
Can someone give me a example?
Thank You!
EAT hooking follows a very similar method to IAT hooking, the major difference is a change in where you look, have a look at the PE File Exports section of the Win32 PE format.
A very simple (although in C) example can be found here, just compile and disassemble if you really need it in assembly form.
I would like to know any difference between ordinal and hint value in the native dlls? Anyone knows?
Ordinals can be thought of as the alternative (internal) name of a exported function (All exports have a ordinal and some only have the ordinal a.k.a. NONAME). They were common in 16-bit windows but not so much these days (The import/export tables are smaller if you don't include the "string name"). They are slightly faster for the loader to look-up and are often used for undocumented functions. The downside is that they might not be stable from release to release.
The hint is used by the loader as a shortcut into the dll export table, if the hint offset does not match the expected function name the normal search is used.
Take a look at An In-Depth Look into the Win32 Portable Executable File Format for more details about the different PE sections.
tools like dependencywalkers and PeStudio show the relation between ordinals and hints.
I just changed from (F)ASM to C and saw that I get for a MessageBox 25kb (vs 3kb). I just included windows.h, but I see that windows.h includes about 22kb that I don't need ;).
At ASM I'm able to define the IAT (Import Address Table) and this I want to do with the GCC to reduce the oversized executable.
SO does anyone know how I can do this? Is it possible?
PS: If you know a solution for an other compiler please post it too (then I'll use the other one).
OK because I can't find any way to do it, I read about shell code (which has to be small and position independend).
harmonysecurity.com wrote about this and so I would solve my problem with inline-ASM.
This is the blog.
I hope that helps.
I've been looking into the implementation of a device library that doesn't explicitly support my operating system. In particular, I have a disassembled DLL, and a fair amount of supporting source code. Now, how is the function table/export table structured?
My understanding is that the first structure of the .data section is a table of RVAs. Next is a table of strings linked by index to that first address table. This makes sense to me, as a linker could translate between symbols and addresses.
How do functions referenced by ordinals fit into this picture? How does one know which function has such and such ordinal number, and how does the linker resolve this? In other words, given that some other DLL imports SOME_LIBRARY_ordinal_7, how does the linker know which function to work with?
Thanks, all!
edit
More information...
Im working with the FTDI libraries, and would like to resolve which function is being invoked. In particular, I see something like:
extern FTD2XX_Ordinal_28: near
how might I go about determining which function is being referenced, and how does the linker do this?
To learn how the linkers and the loader works on Windows, probably the most accessible information comes from a set of columns Matt Pietrek did more than a decade ago:
July 1997: http://www.microsoft.com/msj/0797/hood0797.aspx
April 1998: http://www.microsoft.com/msj/0498/hood0498.aspx
September 1999: http://www.microsoft.com/msj/0999/hood/hood0999.aspx
And the biggest and best one:
Peering Inside the PE: A tour of the Win32 Portable Executable File Format (from 1994!)