Exetools  

#1  08-18-2019, 16:08  Newbie_Cracker (VIP)
How to shuffle names in the PE import table?

Hi Guys.

As far as I have tried, the order of functions and API calls in my C/C++ source code does not matter. The Microsoft Visual Studio linker fills the import table in a specific way that is not clear to me, but the order of API names is constant for my code. For instance, it does not matter whether I call ReadFile() before or after SetFilePointer(). In the compiled EXE file, SetFilePointer may even come before CreateFileA/W.

Is there any way to change this order, literally shuffling the order of names at each compile?

The hardest way is to rebuild the import table, but that requires searching for and patching the code to point to the new import table. I'm looking for a quick way.

Any idea?
__________________
In memory of UnREal RCE...

#2  08-19-2019, 21:07  Nacho_dj
Independently of whether this can or cannot be achieved by some compiler directives (I really don't know), if you are only intending to change the order of the function names: every entry in the Original First Thunk is a pointer to a function name (this is not true if the entry comes as an ordinal), so if you want exclusively to get shuffled function names, you can build a "simple" tool to modify the order of every function name string within the import table area, and then accordingly modify the pointers to those function names in the Original First Thunk. This could be performed statically in the PE file.

Best regards

Nacho_dj
__________________
http://arteam.accessroot.com
#3  08-20-2019, 00:41  chants
I would imagine the order is based on the .lib file being linked. Your code usage is irrelevant, as is the declspec dllimport beyond indicating a cumulative inclusive filter on the final .lib linking. After all, these imports are shared by all code modules. Maybe one can change the lib files, or just use LoadLibrary/GetProcAddress to put them into an ordered array at runtime. Otherwise static modification as per above is okay. If willing to remap relocations, maybe more complicated approaches than just name pointer swaps are possible.
#4  08-20-2019, 06:29  Newbie_Cracker (VIP)
Quote (originally posted by Nacho_dj):
Independently of whether this can or cannot be achieved by some compiler directives (I really don't know), if you are only intending to change the order of the function names: every entry in the Original First Thunk is a pointer to a function name (this is not true if the entry comes as an ordinal), so if you want exclusively to get shuffled function names, you can build a "simple" tool to modify the order of every function name string within the import table area, and then accordingly modify the pointers to those function names in the Original First Thunk. This could be performed statically in the PE file.

Best regards

Nacho_dj
Displacing the API names and the corresponding Thunk values is the only way I tested (manually), but this does not change the order in which the APIs are resolved by the Windows loader in memory (the import address table, if I am using the correct name). Any change to that table requires finding and patching all references and modifying the relocation table.


Quote (originally posted by chants):
I would imagine the order is based on the .lib file being linked.
It might be true, but the order of the libs has no effect on the order of the APIs imported from each lib. For instance, CreateFileA, SetFilePointer, and ReadFile all belong to Kernel32.lib.
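The static transform Nacho_dj describes (move the function name strings around inside the import area and repoint the thunk entries at their new locations) and Newbie_Cracker's observation that it leaves the loader-visible order untouched can both be reproduced offline. The script below is an added example, not code from this thread or from any tool its authors used. It builds a constructed 32-bit import directory in a standalone byte blob (RVAs are relative to an assumed base of 0x2000; the DLL and API names are the ones mentioned in the thread plus a made-up ordinal import), applies the transform, and then parses both blobs the way the loader walks them. The point for an analyst: the raw bytes of the import area change, so byte-pattern signatures over it break, while the parsed import list and any order-sensitive digest of it (the kind of value imphash-style tools derive) stay identical, because the logical thunk order was never changed.

```python
import hashlib
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000   # high bit of a 32-bit thunk marks an import by ordinal

# Constructed sample: DLLs/APIs named in the thread plus one ordinal import (23 is made up).
SAMPLE = [
    ("KERNEL32.dll", ["CreateFileA", "SetFilePointer", "ReadFile", "CloseHandle"]),
    ("WS2_32.dll", [23, "WSAStartup"]),
]
BASE_RVA = 0x2000   # assumed RVA of the first byte of the import directory blob


def cstr(blob, off):
    """Read a NUL-terminated ASCII string starting at offset `off`."""
    return blob[off:blob.index(b"\0", off)].decode()


def build_import_dir(base, dlls, layout=None):
    """Serialize a 32-bit import directory (descriptors, OFT/FT arrays, DLL names,
    hint/name entries) into one blob whose first byte sits at RVA `base`.
    `layout` is the physical order in which hint/name entries are emitted, as
    (dll_index, func_index) pairs; None means descriptor order."""
    entries = [(d, f) for d, (_, funcs) in enumerate(dlls)
               for f, name in enumerate(funcs) if not isinstance(name, int)]
    layout = entries if layout is None else list(layout)
    assert sorted(layout) == entries, "every named import must be placed exactly once"
    buf = bytearray((len(dlls) + 1) * 20)          # descriptors + all-zero terminator
    thunks = []                                     # (OFT rva, FT rva) per DLL
    for _, funcs in dlls:
        size = (len(funcs) + 1) * 4                 # one thunk per import + NUL thunk
        oft = base + len(buf); buf += bytes(size)
        ft = base + len(buf); buf += bytes(size)    # unbound file: FT mirrors OFT
        thunks.append((oft, ft))
    for d, (dll, funcs) in enumerate(dlls):
        struct.pack_into("<IIIII", buf, d * 20,
                         thunks[d][0], 0, 0, base + len(buf), thunks[d][1])
        buf += dll.encode() + b"\0"
        for f, name in enumerate(funcs):            # ordinal imports carry no name entry
            if isinstance(name, int):
                for arr in thunks[d]:
                    struct.pack_into("<I", buf, arr - base + 4 * f, IMAGE_ORDINAL_FLAG32 | name)
    for d, f in layout:                             # hint/name entries in the requested order
        if len(buf) & 1:
            buf += b"\0"                            # keep IMAGE_IMPORT_BY_NAME word-aligned
        rva = base + len(buf)
        buf += struct.pack("<H", f) + dlls[d][1][f].encode() + b"\0"
        for arr in thunks[d]:                       # repoint both thunk arrays at the new home
            struct.pack_into("<I", buf, arr - base + 4 * f, rva)
    return bytes(buf)


def parse_imports(blob, base):
    """Walk the descriptors the way the loader does (OFT preferred, FT when OFT is
    zero) and return [(dll, [name_or_ordinal, ...]), ...] in thunk order."""
    result, d = [], 0
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", blob, d * 20)
        if oft == 0 and name_rva == 0 and ft == 0:
            break
        funcs, arr, k = [], oft or ft, 0
        while True:
            t = struct.unpack_from("<I", blob, arr - base + 4 * k)[0]
            if t == 0:
                break
            funcs.append(t & 0xFFFF if t & IMAGE_ORDINAL_FLAG32 else cstr(blob, t - base + 2))
            k += 1
        result.append((cstr(blob, name_rva - base), funcs))
        d += 1
    return result


def import_fingerprint(imports):
    """Order-sensitive digest over the loader-visible list (imphash-style; the real
    imphash normalisation rules are not reproduced here)."""
    items = [f"{dll.lower()}.{f}" for dll, funcs in imports for f in funcs]
    return hashlib.sha256("\n".join(items).encode()).hexdigest()


def displaced_copy(base, dlls):
    """Nacho_dj's transform: relocate every hint/name string inside the import area
    (here: reverse their physical order) and fix the thunk pointers accordingly.
    The logical thunk order is untouched."""
    entries = [(d, f) for d, (_, funcs) in enumerate(dlls)
               for f, name in enumerate(funcs) if not isinstance(name, int)]
    return build_import_dir(base, dlls, reversed(entries))


def demo(base=BASE_RVA, dlls=SAMPLE):
    original = build_import_dir(base, dlls)
    displaced = displaced_copy(base, dlls)
    before, after = parse_imports(original, base), parse_imports(displaced, base)
    return {
        "bytes_differ": original != displaced,     # byte-level signatures on this area break
        "same_imports": before == after,           # the loader still resolves the same list...
        "same_order": import_fingerprint(before) == import_fingerprint(after),  # ...in the same order
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly and all three checks print True. Changing the loader-visible order itself would mean permuting the thunk index of each import, which is exactly what the thread says requires patching every IAT reference and the relocation table; that step is deliberately not part of this example.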
#5  08-20-2019, 08:16  chants
Yes, I had thought the relocations would need to be fixed as well. I was not sure if there was a novel way to change the name addresses without doing so. Anyway, the PE file format is reasonably well documented, so I think fixing imports and relocations is still not overly difficult.

But I would challenge you to try DUMPBIN /EXPORTS on kernel32.lib and see if the order is the same order the executable's table is compiled with. It might not be, but it would seem likely; otherwise the linker has some strange ordering algorithm: if it enumerates a hash table, for example, it would seemingly have no rational logic behind the order. Certainly doubtful a setting exists for this, as it is a detail that is supposed to be encapsulated in file format internals. As for the order of the libs themselves, I think that would presumably be determined by the order specified in the project settings. Again, hash table enumeration is always possible. All of these details are up to the linker.

Maybe one could remake a .lib file to reorder the exports, but it is doubtful that it is worth the effort, and as alluded to, it might not even work.
#6  08-25-2019, 03:59  Newbie_Cracker (VIP)
Quote (originally posted by chants):
Maybe one could remake a .lib file to reorder the exports, but it is doubtful that it is worth the effort, and as alluded to, it might not even work.
I was thinking about patching the linker to shuffle the order of the APIs, but I don't know if it is possible.