usernombre
August 29th, 2009, 09:53
I was manually adding a dll to a program's import table. Took me a while, but I finally got it to work. I had trouble figuring out where to place the IMAGE_IMPORT_DESCRIPTOR.FirstThunk because of memory access violations.
This is what I did, the problem that arose, and how I fixed it. I am hoping someone here can explain why this occurred.
I copied the IMAGE_IMPORT_DESCRIPTOR array into the unused space at the end of the same section they were in.
I added my IMAGE_IMPORT_DESCRIPTOR to the front of the list.
I changed the IMAGE_DATA_DIRECTORY for the import section to point to my new set, and updated the size.
After the blank IMAGE_IMPORT_DESCRIPTOR at the end of the array, I put the dll name, then the IMAGE_IMPORT_BY_NAME with the hint and the function I wanted to use.
I placed the IMAGE_THUNK_DATA32 dwords for my OriginalFirstThunk and FirstThunk at the end.
I set everything in my IMAGE_IMPORT_DESCRIPTOR and my thunks correctly, then verified my work with Dependency Walker and LordPE.
When executed, the program crashed. Under a debugger I found out that a memory access violation was occurring when Windows was setting the actual address for my imported function.
I then changed the section header VirtualSize to include all the stuff I had added, but still got the memory access error.
I ended up having to point my FirstThunk to some space that I found at the beginning of the section, amongst the FirstThunks for the imports the program originally had.
What I don't understand is why, if all my modifications are in the same section, would having my FirstThunk at the beginning of the section work fine, but fail if it is at the end? When I looked at the program's address space (after it was running successfully) the whole section was mapped Execute/Read but had been allocated as WriteCopy. Does Windows insist that the IAT be at the start of a section? Does it have to fit in a certain size? Does the loader map the first part of a section differently than the rest?
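A small diagnostic, added here as an example (not code from the post), that classifies where a descriptor's FirstThunk array lands: the loader must write resolved addresses into those dwords, so they need to be either in a writable section or inside the range described by data directory 12 (IMAGE_DIRECTORY_ENTRY_IAT), which the loader makes writable before snapping. The section table and IAT directory values below are constructed to mirror the layout described above (one Execute/Read section with the original IAT at its start); plug in the values LordPE shows for a real file.

```python
from dataclasses import dataclass

IMAGE_SCN_MEM_WRITE = 0x80000000  # section Characteristics flag

@dataclass
class Section:
    name: str
    virtual_address: int   # section header VirtualAddress (RVA)
    virtual_size: int      # section header VirtualSize
    characteristics: int

def section_for_rva(sections, rva):
    """Section whose [VirtualAddress, VirtualAddress+VirtualSize) contains rva, or None."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            return s
    return None

def check_first_thunk(sections, iat_dir, first_thunk_rva, n_entries):
    """Classify an import descriptor's FirstThunk array.

    iat_dir is (VirtualAddress, Size) of data directory 12 (IMAGE_DIRECTORY_ENTRY_IAT);
    n_entries is the number of IMAGE_THUNK_DATA32 dwords including the terminating zero.
    The loader overwrites these dwords with resolved addresses, so they must be writable:
    either the section is writable, or the dwords sit inside the IAT directory range,
    which the loader unprotects before snapping. Anything else faults at load time.
    """
    end = first_thunk_rva + 4 * n_entries
    sec = section_for_rva(sections, first_thunk_rva)
    if sec is None or section_for_rva(sections, end - 1) is not sec:
        return "unmapped"   # outside every section's VirtualSize, or straddling two
    if sec.characteristics & IMAGE_SCN_MEM_WRITE:
        return "ok-writable-section"
    iat_rva, iat_size = iat_dir
    if iat_rva <= first_thunk_rva and end <= iat_rva + iat_size:
        return "ok-inside-iat-directory"
    return "fault-readonly-outside-iat-directory"

# Constructed layout mirroring the post: one Execute/Read section holding the
# original IAT at its start, with the new thunks appended near its end.
SECTIONS = [
    Section(".text", 0x1000, 0x5000, 0x60000020),  # CODE | EXECUTE | READ
    Section(".data", 0x6000, 0x1000, 0xC0000040),  # INITIALIZED_DATA | READ | WRITE
]
IAT_DIR = (0x1000, 0x100)  # original IAT occupies the first 0x100 bytes of .text

if __name__ == "__main__":
    for rva in (0x5F00, 0x10F8, 0x6000):
        print(hex(rva), check_first_thunk(SECTIONS, IAT_DIR, rva, 2))
```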