Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   How to shuffle names in the PE import table? (https://forum.exetools.com/showthread.php?t=19307)

Newbie_Cracker 08-18-2019 16:08

How to shuffle names in the PE import table?
 
Hi Guys.

As I tried, it does not matter how the order of functions and API calls is in my C/C++ source code. Microsoft Visual Studio Linker fills the import table in a specific way, which is not clear to me; but the order of API names is constant for my code. For instance, it does not matter whether I call ReadFile() before or after SetFilePointer(). In a compiled EXE file, SetFilePointer may come even before CreateFileA/W.

Is there any way to change this order, literally shuffle the order of names at each compile?

The hardest way is to rebuild the import table; but it needs searching and patching the code to point to new import table. I'm looking for a quick way.

Any idea?

Nacho_dj 08-19-2019 21:07

Independently of the fact that if this can/cannot be achieved by some compiler directives (I really don't know), if you are only pretending to change the order in the function names, well every entry in Original First Thunk is a pointer to a function name (this is not true if the entry comes as an ordinal), so if you want exclusively to get shuffled function names, you can build a "simple" tool to modify the order within import table area of every function name string, and then accordingly modify the pointers to those names of functions in the Original First Thunk. This could be performed statically in the PE file.

Best regards

Nacho_dj

chants 08-20-2019 00:41

I would imagine the order is based on the .lib file being linked. Your code usage is irrelevant, as is the declspec dllimport beyond indicating a cumulative inclusive filter on the final .lib linking. After all, these imports are shared by all code modules. Maybe you can change lib files or just use LoadLibrary/GetProcAddress to put them into an ordered array at runtime. Otherwise static modification as per above is okay. If willing to remap relocations, maybe more complicated approaches than just name pointer swaps are possible.

Newbie_Cracker 08-20-2019 06:29

Quote:

Originally Posted by Nacho_dj (Post 118106)
Independently of the fact that if this can/cannot be achieved by some compiler directives (I really don't know), if you are only pretending to change the order in the function names, well every entry in Original First Thunk is a pointer to a function name (this is not true if the entry comes as an ordinal), so if you want exclusively to get shuffled function names, you can build a "simple" tool to modify the order within import table area of every function name string, and then accordingly modify the pointers to those names of functions in the Original First Thunk. This could be performed statically in the PE file.

Best regards

Nacho_dj

Displacing the API names and the corresponding Thunk Value is the only way I tested (manually); but this does not change the order of APIs resolved by the Windows Loader in memory (the import address table, if I referred to the correct name). Any change in that table requires finding and patching all references and modifying the relocation table.


Quote:

Originally Posted by chants (Post 118108)
I would imagine the order is based on the .lib file being linked.

It might be true; but the order of libs has no effect on the order of APIs imported from each lib. For instance, CreateFileA, SetFilePointer, and ReadFile belong to Kernel32.lib.

chants 08-20-2019 08:16

Yes I had thought the relocations would need to be fixed as well. I was not sure if there was a novel way to change the name addresses without doing so. Anyway the PE file format is reasonably well documented so I think fixing imports and relocations is still not overly difficult.

But I would challenge you to try DUMPBIN /EXPORTS on kernel32.lib and see if the order is the same order the executable table is compiled with. It might not be, but it would seem likely; otherwise the linker has some strange ordering algorithm - if it enumerates a hash table, for example, it would seemingly have no rational logic behind the order. Certainly doubtful a setting exists for this, as it is a detail that is supposed to be encapsulated in file format internals. As for the order of the libs themselves, I think that would be determined by the order specified in the project settings, presumably. Again, hash table enumeration is always possible. All of these details are up to the linker type of things.

Maybe one could remake a .lib file to reorder the exports, but doubtful that it is worth the effort and, as alluded, might not even work.

Newbie_Cracker 08-25-2019 03:59

Quote:

Originally Posted by chants (Post 118115)
Maybe one could remake a .lib file to reorder the exports, but doubtful that it is worth the effort and, as alluded, might not even work.

I was thinking about patching the linker to shuffle the orders of APIs; but I don't know if it is possible.

