#1
|
||||
|
||||
How to shuffle names in the PE import table?
Hi Guys.
As I tried, it does not matter how the order of functions and API calls is in my C/C++ source code. Microsoft Visual Studio Linker fills the import table in a specific way, which is not clear to me; but the order of API names is constant for my code. For instance, it does not matter I call ReadFile() before or after SetFilePointer(). In a compiled EXE file, SetFilePointer may come even before CreateFileA/W. Is there any way to change this order, literally shuffle the order of names at each compile? The hardest way is to rebuild the import table; but it needs searching and patching the code to point to new import table. I'm looking for a quick way. Any idea?
__________________
In memory of UnREal RCE... Last edited by Newbie_Cracker; 08-18-2019 at 16:19. |
#2
|
||||
|
||||
Independently of the fact that if this can/cannot be achieved by some compiler directives (I really don't know), if you are only pretending to change the order in the function names, well every entry in Original First Thunk is a pointer to a function name (this is not true if the entry comes as an ordinal), so if you want exclusively to get shuffled function names, you can build a "simple" tool to modify the order within import table area of every function name string, and then accordingly modify the pointers to those name of funtions in the Original First Thunk. This could be performed statically in the PE file.
Best regards Nacho_dj
__________________
http://arteam.accessroot.com |
The Following 2 Users Say Thank You to Nacho_dj For This Useful Post: | ||
Newbie_Cracker (08-20-2019), tonyweb (08-25-2019) |
#3
|
|||
|
|||
I would imagine the order is based on the .lib file being linked. Your code usage is irrelevant as is the declspec dllimport beyond indicating a cummulative inclusive filter on the final .lib linking. After all these imports are shared by all code modules. Maybe can change lib files or just use LoadLibrary/GetProcAddress to put them into an ordered array at runtime. Otherwise static modification as per above is okay. If willing to remap relocations maybe more complicated approaches than just name pointer swaps are possible.
|
#4
|
||||
|
||||
Quote:
It might be true; but the order of libs has no effect on the order of APIs imported from each lib. For instance, CreateFileA, SetFilePointer, and ReadFile belong to Kernel32.lib.
__________________
In memory of UnREal RCE... |
The Following User Says Thank You to Newbie_Cracker For This Useful Post: | ||
chants (08-20-2019) |
#5
|
|||
|
|||
Yes I had thought the relocations would need to be fixed as well. I was not sure if there was a novel way to change the name addresses without doing so. Anyway the PE file format is reasonably well documented so I think fixing imports and relocations is still not overly difficult.
But I would challenge to try DUMPBIN /EXPORTS on kernel32.lib and see if the order is in the same order the executable table is compiled with. It might not be but it would seem likely otherwise the linker has some strange ordering algorithm - if it enumerates a hash table for example it would seemingly have no rational logic behind the order. Certainly doubtful a setting exists for this as it is a detail that is supposed to be encapsulated in file format internals. As for the order of the libs themselves, I think that would be determined by the order specified in the project settings presumably. Again hash table enumeration is always possible. All of these details are up to the linker type of things. Maybe could remake a .lib file to reorder the exports, but doubtful that it is worth the effort and as alluded might not even work. |
The Following User Says Thank You to chants For This Useful Post: | ||
Newbie_Cracker (08-25-2019) |
#6
|
||||
|
||||
I was thinking about patching the linker to shuffle the orders of APIs; but I don't know if it is possible.
__________________
In memory of UnREal RCE... |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Add imports to DLL import table | jonwil | General Discussion | 5 | 09-07-2020 16:47 |
Reliable PE Library or DLL for Adding Functions to Import Table | omidgl | General Discussion | 3 | 06-28-2008 09:53 |
Import Rebuilding Without Import Table | Kerlingen | General Discussion | 11 | 01-13-2005 10:24 |
Can`t restore import table | thechatter | General Discussion | 9 | 11-14-2003 21:01 |
Changing Import Table?? | magic | General Discussion | 3 | 09-14-2003 01:59 |