modifying import table [Archive] - RCE Messageboard's Regroupment

Vigual

April 17th, 2010, 10:48

So here is what I have

Code:



00405000   .  64200000      DD 00002064                              ;  Struct 'IMAGE_IMPORT_DESCRIPTOR'

00405004   .  00000000      DD 00000000

00405008   .  00000000      DD 00000000

0040500C   .  CA200000      DD 000020CA

00405010   .  08200000      DD 00002008

00405014   .  5C 20 00      ASCII "\ ",0

00405017      00            DB 00

00405018      00            DB 00

00405019      00            DB 00

0040501A      00            DB 00

0040501B      00            DB 00

0040501C      00            DB 00

0040501D      00            DB 00

0040501E      00            DB 00

0040501F      00            DB 00

00405020      EA            DB EA

00405021      20            DB 20                                    ;  CHAR ' '

00405022      00            DB 00

00405023      00            DB 00

00405024      00            DB 00

00405025      20            DB 20                                    ;  CHAR ' '

00405026      00            DB 00

00405027      00            DB 00

00405028   .  50 50 00      ASCII "PP",0

0040502B      00            DB 00

0040502C      00            DB 00

0040502D      00            DB 00

0040502E      00            DB 00

0040502F      00            DB 00

00405030      00            DB 00

00405031      00            DB 00

00405032      00            DB 00

00405033      00            DB 00

00405034      EA            DB EA

00405035      20            DB 20                                    ;  CHAR ' '

00405036      00            DB 00

00405037      00            DB 00

00405038   .  60 50 00      ASCII "`P",0

0040503B      00            DB 00

0040503C      00            DB 00

0040503D      00            DB 00

0040503E      00            DB 00

0040503F      00            DB 00

00405040      00            DB 00

00405041      00            DB 00

00405042      00            DB 00

00405043      00            DB 00

00405044      00            DB 00

00405045      00            DB 00

00405046      00            DB 00

00405047      00            DB 00

00405048      00            DB 00

00405049      00            DB 00

0040504A      00            DB 00

0040504B      00            DB 00

0040504C      00            DB 00

0040504D      00            DB 00

0040504E      00            DB 00

0040504F      00            DB 00

00405050   .  70 50 00      ASCII "pP",0

00405053      00            DB 00

00405054   .  7C 50 00      ASCII "|P",0

00405057      00            DB 00

00405058      00            DB 00

00405059      00            DB 00

0040505A      00            DB 00

0040505B      00            DB 00

0040505C      00            DB 00

0040505D      00            DB 00

0040505E      00            DB 00

0040505F      00            DB 00

00405060 >    00000000      DD 00000000

00405064 >    00000000      DD 00000000

00405068      00000000      DD 00000000

0040506C      00            DB 00

0040506D      00            DB 00

0040506E      00            DB 00

0040506F      00            DB 00

00405070      00            DB 00

00405071      00            DB 00

00405072   .  57 72 69 74 6>ASCII "WriteFile",0

0040507C      00            DB 00

0040507D      00            DB 00

0040507E   .  56 69 72 74 7>ASCII "VirtualProtect",0

After I had compiled this program, I manually added a new IMAGE_DESCRIPTOR so that I could import the APIs WriteFile and VirtualProtect . The problem is at addresses 00405060 and 00405064. At those addresses, the addresses of the APIs WriteFile and VirtualProtect should be stored. Why doesn't the loader automatically find these addresses when it loads the program? What do I need to do to load these addresses?