View Full Version : what is a thunk???
yaa
February 22nd, 2004, 07:05
Hello,
I already asked this question in other forums time ago, without really getting an answer that satisfied me (when I find this word I'm still puzzled). I often see this word pop up in articles and essays, and the idea I made myself of it is that it is a "a sequence of memory addresses or jumps to memory addresses" .... so, the IAT could be called a thunk.
In a book I also found the following:
Quote:
In 32-bit environments, the linker generates a thunk of which it does know the address. The thunk looks like:
0x40000000: jmp DWORD PTR __imp_func1
Here __imp_func1 is the address for func1's slot in the import address table of the .EXE file. All the addresses are thus known to the linker. The loader only has to update the .EXE file's import address table at load time for everything to work correctly. |
A definition of thunk I found is "A piece of coding which provides an address".
Could someone clarify this term?????
yaa
[NtSC]
February 22nd, 2004, 07:52
Actually an Iat-Thunk is a Pointer to an Import Ascii (if its no Ordinal).
And this Pointer to the Import Ascii will be filled by the OS when the Exe is executed aka. the OS Loader resolves the Import Table...
Lets say:
Thunk: points to --> GetVersion Ascii
after the Program was loaded by the OS.. The Pointer to the Ascii is replaced with the Memory-Address of GetVersion.
If you want to go like Hook Apis with this Method.. Be aware that the Import Table for example under W2k isnt automaticlly loaded when you create an Exe suspended. You should place a Break on its Entrypoint and then traverse the Import Table for the initialized Thunk-Adress you wanna redirect/hijack.
I would suggest you to study some good PE Documents,lets say Yates Pe-Notes or something to get better into that stuff..

esther
February 22nd, 2004, 08:37
Although this article is very old but it certainly explains what are thunks
hXXp://mup.anticrack.de/Matt%20Pietrek%20-%20PE%20Format.html
yaa
February 22nd, 2004, 10:08
[NtSC], your use of the word ASCII is confusing.
Isn't the IAT a set of DWORDs (not ASCII???!!!) updated by the loader with the real entry point to the imported dll functions?
Still, I'm surprised by the fact that everyone is using this thunk word and yet no one is able to give a clear definition of it.
yaa
[NtSC]
February 22nd, 2004, 11:16
Well...
Actually the Thunks contain Addresses that POINT to Ascii-Strings with the acoording Functions..
And the OS grabs these Ascii-Strings + acoording DllNames and resolves the Entry and writes the Adress of the Function into the ThunkSlot..
So its like..
Pointer to Ascii (Pointer to Function-Name) gets overwritten with the Function Address.
Aimless
February 23rd, 2004, 02:18
OK Yaa, here it is:
Imagine that there is an exe file. Note that this is a very rough representation just for understanding purposes. The words XXX stands for instructions (normal ones). The exe would look like this:
---Begin Exe----
XXX
XXX
XXX
call MessageBoxA
XXX
XXX
Call MessageBoxA
XX
XX
XX
Call MessageBoxA
----End Exe-----
What is the problem here?
The problem is, in my computer, the function MessageBoxA is actually located at memory addres 700999F. But in your computer it is loaded at 7884FF54. So, when you run the exe in my computer, the exe looks like this:
---Begin Exe----
XXX
XXX
XXX
call 700999F
XXX
XXX
Call 700999F
XX
XX
XX
Call 700999F
----End Exe-----
but in your computer, it may look like this:
---Begin Exe----
XXX
XXX
XXX
call 7884FF54
XXX
XXX
Call 7884FF54
XX
XX
XX
Call 7884FF54
----End Exe-----
Get that? Now we go further:
First of all, who does this? Who changes the address in memory to 7884FF54 in your machine and to 700999F in mine? Simple. Its the Operating System Loader. This is generally the process in all machines. So to summarize, the OS loads the addresses of the API in the memory (complicated process, but for now, keep it simple). OK? Easy as pie!!
Now, what is the further problem? Imagine messagebox, instead of being called around 3 times as shown in our exe, is now called 60 times!!! Uff!!! that's quite a headache for the OS loader. It has to now scan the exe in memory and replace ALL 60 occassions of MessageBoxA with the address (say 700999F or 7884FF54 - my machine or your machine). Is there not a simple way? Of course!!! What if I modify my exe in this manner:
---Begin Exe----
0001:00000001 XXX
0001:00000003 XXX
0001:00000005 XXX
0001:00000007 jmp 0001:00000090
0001:00000009 XXX
0001:00000011 XXX
0001:00000013 jmp 0001:00000090
0001:00000015 XXX
0001:00000017 XXX
0001:00000019 XXX
0001:00000021 jmp 0001:00000090
:
:
0001:00000090 Call MessageBoxA
----End Exe-----
Wow!!! Now all the loader has to do, it simply put the value in memory from your computer or my computer in one single place, instead of the 60 places. So, the exe on my computer would look like:
---Begin Exe----
0001:00000001 XXX
0001:00000003 XXX
0001:00000005 XXX
0001:00000007 jmp 0001:00000090
0001:00000009 XXX
0001:00000011 XXX
0001:00000013 jmp 0001:00000090
0001:00000015 XXX
0001:00000017 XXX
0001:00000019 XXX
0001:00000021 jmp 0001:00000090
:
:
0001:00000090 Call 700999F (in memory, which is MessageBoxA)
----End Exe-----
Simple to understand, is it not? Here, all jumps are called, well JUMPS. But the call at 0001:00000090? Its called as THUNKS. Get it? Simple is it not?
Have Phun
akimp3
February 23rd, 2004, 13:04
Hi
@slayer
Thank you very much this is one of the best definition of thunks
that i have ever seen.
bye
esther
February 23rd, 2004, 23:25
Hmm to what I know the os loaders searches for the dll address,depends on the os.The address jmp dword ptr[xxxxxx] only appears once while the call function repeats 2 or 3 times in the file.
The jmp table is the thunk as explain in the above docs.
Regards
yaa
February 24th, 2004, 18:08
esther is right.
The multiple calls to a given API use a CALL instruction. The thunk instead uses unconditional jumps (JMP). Otherwise the API closing RET would take back to the thunk, not to the instruction following the API call.
Is the IAT itself a thunk???
hxxp://www.hyperdictionary.com/computing/thunk
yaa
Aimless
February 25th, 2004, 01:44
Hrrr.....!!!!! Must be the fight with my wife I had last night on spending too much time on Woodmann's board.
Esther, you are correct. The above explanation got me mixed up in call/jumps. Here's the correct explanation.
Look Sharp!!
--------------------Begin New Explanation-------------------------
OK Yaa, here it is:
Imagine that there is an exe file. Note that this is a very rough representation just for understanding purposes. The words XXX stands for instructions (normal ones). The exe would look like this:
---Begin Exe----
XXX
XXX
XXX
call MessageBoxA
XXX
XXX
Call MessageBoxA
XX
XX
XX
Call MessageBoxA
----End Exe-----
What is the problem here?
The problem is, in my computer, the function MessageBoxA is actually located at memory addres 700999F. But in your computer it is loaded at 7884FF54. So, when you run the exe in my computer, the exe looks like this:
---Begin Exe----
XXX
XXX
XXX
call 700999F
XXX
XXX
Call 700999F
XX
XX
XX
Call 700999F
----End Exe-----
but in your computer, it may look like this:
---Begin Exe----
XXX
XXX
XXX
call 7884FF54
XXX
XXX
Call 7884FF54
XX
XX
XX
Call 7884FF54
----End Exe-----
Get that? Now we go further:
First of all, who does this? Who changes the address in memory to 7884FF54 in your machine and to 700999F in mine? Simple. Its the Operating System Loader. This is generally the process in all machines. So to summarize, the OS loads the addresses of the API in the memory (complicated process, but for now, keep it simple). OK? Easy as pie!!
Now, what is the further problem? Imagine messagebox, instead of being called around 3 times as shown in our exe, is now called 60 times!!! Uff!!! that's quite a headache for the OS loader. It has to now scan the exe in memory and replace ALL 60 occassions of MessageBoxA with the address (say 700999F or 7884FF54 - my machine or your machine). Is there not a simple way? Of course!!! What if I modify my exe in this manner:
---Begin Exe----
0001:00000001 XXX
0001:00000003 XXX
0001:00000005 XXX
0001:00000007 call 0001:00000090
0001:00000009 XXX
0001:00000011 XXX
0001:00000013 call 0001:00000090
0001:00000015 XXX
0001:00000017 XXX
0001:00000019 XXX
0001:00000021 call 0001:00000090
:
:
0001:00000090 jmp MessageBoxA
----End Exe-----
Wow!!! Now all the loader has to do, it simply put the value in memory from your computer or my computer in one single place, instead of the 60 places. So, the exe on my computer would look like:
---Begin Exe----
0001:00000001 XXX
0001:00000003 XXX
0001:00000005 XXX
0001:00000007 call 0001:00000090
0001:00000009 XXX
0001:00000011 XXX
0001:00000013 call 0001:00000090
0001:00000015 XXX
0001:00000017 XXX
0001:00000019 XXX
0001:00000021 call 0001:00000090
:
:
0001:00000090 jmp 700999F (in memory, which is MessageBoxA)
----End Exe-----
Simple to understand, is it not? Here, all CALLS are called, well CALLS. But the jump at 0001:00000090? Its called as THUNKS. Get it? Simple is it not?
Have Phun
-----------Close New Explanation---------------------------
Hope nobody crashed his computer because of this :P
Have Phun
Powered by vBulletin® Version 4.2.2 Copyright © 2018 vBulletin Solutions, Inc. All rights reserved.