Databases
StackOverflow2013
Postsdbo
POTrying to call functions directly through the Import Section
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POTrying to call functions directly through the Import Section
    primarykey
    data
    text
    <p>I have been messing around with the PE file structure in Assembly Language. I'm pretty sure I have gotten to the the Import Section correctly. I am using this as a reference where each box is equal to 4 bytes:</p> <pre><code>+-------------------------+-------------------------+ | RVA to a list of | DATE/TIME | | pointer to APIs names | | IMPORT DATA DIRECTORY +-------------------------+-------------------------+ #1 | .DLL address (unused) | RVA to .DLL name | +-------------------------+-------------------------+ |RVA to API address list | +-------------------------+ </code></pre> <p><img src="https://i.stack.imgur.com/Zx59g.png" alt="Ollydbg. Notice the value of eax on the right side (00402048) which is the value I looked up in the import section and then look at the value of the highlighted instruction (00402000)"></p> <p>Ollydbg. Notice the value of eax on the right side (00402048) and then look at the value of the highlighted call instruction is jumping to(00402000).</p> <p>I attempted to call the first first function from the (RVA to API address list) which is <strong>ExitProcess</strong> however when I tried issuing a call to the address, it caused my program to crash. When I debugged it with Ollydbg, I found out that the address when <strong>call ExitProcess</strong> was issued was different than the address I found in the list. In Ollydbg the address I found pointed to &lt;&amp;KERNEL32.ExitProcess> while the <strong>call ExitProcess</strong> pointed to &lt; JMP.&amp;KERNEL32.ExitProcess>. I have read somewhere about some kind of jmp stub. Is that what this is? How am I supposed to call the functions in the "RVA to API address list"?</p> <p>I know this may be confusing. If you need more clarification let me know.</p> <p>Here is the code:</p> <pre><code>extern printf extern ExitProcess global _start section .code _start: mov eax, [imagebase] mov esi, eax add eax, 3ch mov eax, DWORD [eax] add eax, esi; PE header pointer in eax add eax, 128; 24 for PE Optional Header offset and then 104 for import RVA mov ebx, DWORD [eax] add ebx, DWORD [imagebase]; ebx now has import section offset mov eax, DWORD [ebx+16] add eax, DWORD [imagebase]; has array offset mov ecx, ExitProcess push 0 call ecx ;call eax ;jmp ecx ;call ExitProcess imagebase: db 0,0,64,0; 0x00400000; This is right </code></pre>
    singulars
    1. PO
      singulars
      1. PTAnswer
    1. This table or related slice is empty.
    1. PTQuestion
    1. USHudson Worden
    1. USHudson Worden
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PO
      singulars
      1. PTAnswer
    1. VO
      singulars
      1. POTrying to call functions directly through the Import Section
      1. USMaximus
      1. VTFavorite
    2. VO
      singulars
      1. POTrying to call functions directly through the Import Section
      1. This table or related slice is empty.
      1. VTUpMod
    1. COA screenshot of the problem would help.
      singulars
      1. POTrying to call functions directly through the Import Section
      1. USJens Björnhager
    2. COCalling a function directly using import table entry should not cause problem. I suspect somewhere in your called function(s) must have returned without restoring register, stack, or excepting handler. You can test it by using `CALL DWORD PTR [EAX]` at program entry point. Where `EAX` is the address of the import table entry for `ExitProcess`.
      singulars
      1. POTrying to call functions directly through the Import Section
      1. USJay
    3. COActually right now I just tried moving the address of ExitProcess into ecx and then call ecx. Looking with ollydbg I'm still getting the same address I did in the function pointer list and it isn't working. The only time it does work is when I do "call ExitProcess". I also tried just jumping to ecx instead. That didn't work either.
      singulars
      1. POTrying to call functions directly through the Import Section
      1. USHudson Worden
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload