Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 12-13-2005, 11:03
ancev
 
Posts: n/a
Bizarre problem resolving imports from KERNEL32

hi guys,

i am resolving imports from kernel32, using my own routine (that scan dll export table, in the classical and tested way), but i am getting weird results with some APIs...

for example, when trying to get the address of HeapAlloc, i get a address... but in this address, isnt function code, but a string: NTDLL.HeapAllocate

the same happen with others APIs, like RtlUnwind

anybody know whats happening? i am using xp sp2, and i already coded that dll export scan routine 100 times, and it always worked

thanks in advance,
ancev
Reply With Quote
  #2  
Old 12-13-2005, 11:40
nskSem
 
Posts: n/a
Google keyword: import forwarding. If you know Russian:h++p://wasm.ru/print.php?article=packlast01

Last edited by nskSem; 12-13-2005 at 11:46.
Reply With Quote
  #3  
Old 12-13-2005, 17:50
Nacho_dj's Avatar
Nacho_dj Nacho_dj is offline
Lo*eXeTools*rd
 
Join Date: Mar 2005
Posts: 207
Rept. Given: 14
Rept. Rcvd 179 Times in 34 Posts
Thanks Given: 44
Thanks Rcvd at 134 Times in 40 Posts
Nacho_dj Reputation: 100-199 Nacho_dj Reputation: 100-199
Hello ancev:

This happens in NT OS. Their kernel imports some apis' performed by ntdll.dll. This could be fixed in your import table just renaming that string NTDLL.HeapAllocate that you obtained, by HeapAlloc in the function names table.

Do the same with the others api exported by ntdll.dll to kernel32.dll. Just take the name of the api that is compatible to that of Win98 (no NT OS) and voil¨¤!

I hope this helps.


Cheers

Nacho_dj

BTW: This workaround is not performed by Import Reconstructor, so if used it is giving you the same problem. I have read in some part of the forum that certain patch for this tool is fixing this.
Reply With Quote
  #4  
Old 12-13-2005, 19:59
ancev
 
Posts: n/a
thanks nacho_dj and nskSem,

i am coding a new pe packer(once again), and found this problem packing the own packer´s .exe, compiled with msvc .net 2003

i am kinda ashamed of not knowing this, as i play with pe files at long time: i always thought that import forwarding has to do with the ForwarderChain field in iat dir

as i never found a sample of this (as i used w9x till few time ago), i just thought that the whole dll was forwarded, and that in ForwarderChain field was the dll base address

i think i can resolve this doing something like this:

Code:
if((api_address>pe->exportbase)&&(api_address<(pe->exportbase+pe->exportsize)))
  api_address=getproc_by_hash(api_address,hash(api_address+strpos(api_address,".")));
thanks for the help, guys

ancev
Reply With Quote
  #5  
Old 12-13-2005, 20:36
Nacho_dj's Avatar
Nacho_dj Nacho_dj is offline
Lo*eXeTools*rd
 
Join Date: Mar 2005
Posts: 207
Rept. Given: 14
Rept. Rcvd 179 Times in 34 Posts
Thanks Given: 44
Thanks Rcvd at 134 Times in 40 Posts
Nacho_dj Reputation: 100-199 Nacho_dj Reputation: 100-199
That code seems interesting. Could you update here if it was working as you wanted?

I used in a built-in import reconstructor for an unpacker the method I explained before. So, I would like to know if your code is performing fine the task required in your first post.

Thanks and cheers!

Nacho_dj
Reply With Quote
  #6  
Old 12-14-2005, 07:14
goggles99 goggles99 is offline
Friend
 
Join Date: Aug 2004
Posts: 62
Rept. Given: 5
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 1
Thanks Rcvd at 4 Times in 4 Posts
goggles99 Reputation: 0
Lightbulb Here is an interesting example

MASM example of Alternative to GetProcAddress API
http://win.asmcommunity.net/board/index.php?topic=17130.msg133137#msg133137

Also handles export forwarding (Even with Ordinals).
Reply With Quote
  #7  
Old 12-14-2005, 19:44
ancev
 
Posts: n/a
nacho_dj,

the code work, but with some small changes... the point is that there&#180;s a "." between dll and apiname that i need turn to 0 (which i forgot in my lil snippet)

and there&#180;s the fact i can write my 0 in kernel mem... so, i need copy the string to a buffer, before do the trick

but, in general lines, my idea work, and i am using it

thanks once again for the help
ancev

ps: thanks for the code, goggles99!
Reply With Quote
  #8  
Old 12-14-2005, 23:15
Nacho_dj's Avatar
Nacho_dj Nacho_dj is offline
Lo*eXeTools*rd
 
Join Date: Mar 2005
Posts: 207
Rept. Given: 14
Rept. Rcvd 179 Times in 34 Posts
Thanks Given: 44
Thanks Rcvd at 134 Times in 40 Posts
Nacho_dj Reputation: 100-199 Nacho_dj Reputation: 100-199
Thanks for the link, goggles99
Sure, I could pick of it some good way to perform the rebuilding of the IAT.

ancev, I think I will try your code, when done I will tell you how it is working.


Thanks!

Nacho_dj
Reply With Quote
  #9  
Old 12-15-2005, 23:11
Maximus Maximus is offline
Friend
 
Join Date: Nov 2005
Posts: 39
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 1 Time in 1 Post
Maximus Reputation: 0
go to code-breakers journal site, and read the essay about PE.
There you will find how import tables are built. For maintaining portability across versions, m$ allows redirection of api from a DLL to another, thus freeing from the need to implement all the prior version calls within a module, or making stubs for compatibility issues.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Resolving Stack Pointer problem java3ever General Discussion 1 06-20-2017 13:57
Any idea, problem after resolving? MAHMUT General Discussion 2 02-10-2005 00:01
KERNEL32 imports in IDA Pro pez General Discussion 9 08-27-2004 05:10
how to replace kernel32.dll in win2k/xp tAz General Discussion 12 02-06-2004 03:46


All times are GMT +8. The time now is 22:24.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )