Exetools  

  #1  
08-18-2019, 16:08
Newbie_Cracker
How to shuffle names in the PE import table?

Hi Guys.

As far as I have tried, the order of functions and API calls in my C/C++ source code does not matter. The Microsoft Visual Studio linker fills the import table in a specific way, which is not clear to me; but the order of API names is constant for my code. For instance, it does not matter whether I call ReadFile() before or after SetFilePointer(). In a compiled EXE file, SetFilePointer may come even before CreateFileA/W.

Is there any way to change this order, literally shuffle the order of names at each compile?

The hardest way is to rebuild the import table; but it needs searching and patching the code to point to the new import table. I'm looking for a quick way.

Any idea?
__________________
In memory of UnREal RCE...

Last edited by Newbie_Cracker; 08-18-2019 at 16:19.
  #2  
08-19-2019, 21:07
Nacho_dj
Independently of whether this can/cannot be achieved by some compiler directives (I really don't know), if you are only intending to change the order of the function names, well, every entry in the Original First Thunk is a pointer to a function name (this is not true if the entry comes as an ordinal), so if you want exclusively to get shuffled function names, you can build a "simple" tool to modify the order, within the import table area, of every function name string, and then accordingly modify the pointers to those function names in the Original First Thunk. This could be performed statically in the PE file.

Best regards

Nacho_dj
__________________
http://arteam.accessroot.com
The Following 2 Users Say Thank You to Nacho_dj For This Useful Post:
Newbie_Cracker (08-20-2019), tonyweb (08-25-2019)
  #3  
08-20-2019, 00:41
chants
I would imagine the order is based on the .lib file being linked. Your code usage is irrelevant, as is the declspec dllimport, beyond indicating a cumulative inclusive filter on the final .lib linking. After all, these imports are shared by all code modules. Maybe can change lib files or just use LoadLibrary/GetProcAddress to put them into an ordered array at runtime. Otherwise static modification as per above is okay. If willing to remap relocations, maybe more complicated approaches than just name pointer swaps are possible.
  #4  
08-20-2019, 06:29
Newbie_Cracker
Quote:
Originally Posted by Nacho_dj
Independently of whether this can/cannot be achieved by some compiler directives (I really don't know), if you are only intending to change the order of the function names, well, every entry in the Original First Thunk is a pointer to a function name (this is not true if the entry comes as an ordinal), so if you want exclusively to get shuffled function names, you can build a "simple" tool to modify the order, within the import table area, of every function name string, and then accordingly modify the pointers to those function names in the Original First Thunk. This could be performed statically in the PE file.

Best regards

Nacho_dj

Displacing the API names and the corresponding Thunk Value is the only way I tested (manually); but this does not change the order of the APIs resolved by the Windows Loader in memory (the import address table, if I referred to the correct name). Any change in that table requires finding and patching all references and modifying the relocation table.


Quote:
Originally Posted by chants
I would imagine the order is based on the .lib file being linked.

It might be true; but the order of libs has no effect on the order of APIs imported from each lib. For instance, CreateFileA, SetFilePointer, and ReadFile belong to Kernel32.lib.
__________________
In memory of UnREal RCE...
The Following User Says Thank You to Newbie_Cracker For This Useful Post:
chants (08-20-2019)
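
Added example, not part of any post in this thread: a sketch of the layout discussed in posts #2 and #4. It parses a constructed PE32 import area (assumed to be mapped so that RVA equals offset; `build_sample`, `slot_view` and `string_view` are hypothetical helper names) and shows that relocating the name strings and repointing the Original First Thunk leaves the thunk order, and with it the IAT slot each call site references, unchanged.

```python
import struct

ORDINAL_FLAG32 = 0x80000000  # PE32 thunk high bit: import by ordinal, no name string

def cstr(img, off):
    return img[off:img.index(b"\0", off)].decode("ascii")

def walk_imports(img, dir_rva=0):
    """Return (dll, slot, iat_rva, name, name_rva) per import.
    Assumes a PE32 image already mapped so that RVA == offset in img."""
    out = []
    while True:
        oft, _ts, _fwd, dll_rva, ft = struct.unpack_from("<5I", img, dir_rva)
        if oft == 0 and ft == 0:          # all-zero descriptor ends the array
            return out
        lookup = oft or ft                # some linkers leave OriginalFirstThunk 0
        slot = 0
        while True:
            (thunk,) = struct.unpack_from("<I", img, lookup + 4 * slot)
            if thunk == 0:
                break
            if thunk & ORDINAL_FLAG32:
                name, name_rva = "#%d" % (thunk & 0xFFFF), None
            else:                         # thunk -> IMAGE_IMPORT_BY_NAME: 2-byte hint, name
                name, name_rva = cstr(img, thunk + 2), thunk
            out.append((cstr(img, dll_rva), slot, ft + 4 * slot, name, name_rva))
            slot += 1
        dir_rva += 20                     # sizeof(IMAGE_IMPORT_DESCRIPTOR)

def build_sample(file_order, slot_order, dll=b"KERNEL32.dll"):
    """Constructed one-DLL import area: strings laid out in file_order,
    thunk entries (and therefore IAT slots) in slot_order."""
    n = len(slot_order)
    oft_rva, ft_rva = 40, 40 + 4 * (n + 1)
    dll_rva = ft_rva + 4 * (n + 1)
    blob, rva_of = b"", {}
    for name in file_order:
        rva_of[name] = dll_rva + len(dll) + 1 + len(blob)
        blob += b"\0\0" + name.encode() + b"\0"   # hint 0, then ASCIIZ name
    thunks = struct.pack("<%dI" % (n + 1), *[rva_of[s] for s in slot_order], 0)
    desc = struct.pack("<5I", oft_rva, 0, 0, dll_rva, ft_rva) + bytes(20)
    return desc + thunks + thunks + dll + b"\0" + blob

def slot_view(img):      # (IAT RVA, name) in the order the loader fills the slots
    return [(iat, name) for _, _, iat, name, _ in walk_imports(img)]

def string_view(img):    # names in the order their strings sit in the file
    named = [r for r in walk_imports(img) if r[4] is not None]
    return [r[3] for r in sorted(named, key=lambda r: r[4])]
```

Comparing `slot_view` across two builds tells you whether call sites would have to be patched; `string_view` only reflects where the name strings were placed.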
  #5  
08-20-2019, 08:16
chants
Yes I had thought the relocations would need to be fixed as well. I was not sure if there was a novel way to change the name addresses without doing so. Anyway the PE file format is reasonably well documented so I think fixing imports and relocations is still not overly difficult.

But I would challenge to try DUMPBIN /EXPORTS on kernel32.lib and see if the order is in the same order the executable table is compiled with. It might not be but it would seem likely otherwise the linker has some strange ordering algorithm - if it enumerates a hash table for example it would seemingly have no rational logic behind the order. Certainly doubtful a setting exists for this as it is a detail that is supposed to be encapsulated in file format internals. As for the order of the libs themselves, I think that would be determined by the order specified in the project settings presumably. Again hash table enumeration is always possible. All of these details are up to the linker type of things.

Maybe could remake a .lib file to reorder the exports, but doubtful that it is worth the effort and as alluded might not even work.
The Following User Says Thank You to chants For This Useful Post:
Newbie_Cracker (08-25-2019)
  #6  
08-25-2019, 03:59
Newbie_Cracker
Quote:
Originally Posted by chants
Maybe could remake a .lib file to reorder the exports, but doubtful that it is worth the effort and as alluded might not even work.

I was thinking about patching the linker to shuffle the orders of APIs; but I don't know if it is possible.
__________________
In memory of UnREal RCE...
All times are GMT +8.