I faced the following problem today
Aim adding dll to a program
its quite simple :
using LoadLibraryA, GetProcAddress, FreeLibrary
if some function is not imported its possible to
get its handle from system dlls like kernel32.dll
by using GetProcAddress
But what to do if GetProcAddress is not imported also?
thats the question
thanx for help.

sorry if this has already been talked

you can always write your own GetProcAddress if you know the base of the dll file, its not that hard, just scan export table, but i would advice to first load kernel and find out real GetProcAddress, and then use it to find other apis (you might have some troubles with forwarded apis)

http://scifi.pages.at/yoda9k/snippets/kernel.zip ("http://scifi.pages.at/yoda9k/snippets/kernel.zip")
http://scifi.pages.at/yoda9k/snippets/kernel2.zip ("http://scifi.pages.at/yoda9k/snippets/kernel2.zip")

Hi cooper,
can't you add the function inside the file, changing the Import Table ?

thank you you advices helped me


only if you teach me how to do it

Now that might turn this thread into a Miniproject after all, hint, hint...:-)

Ok cooper/foreigner/Kayaker, a new miniproject will begin.

I have attached a stupid program; the program contains two calls, one for GetModuleHandleA and the other for ExitProcess. Our task is to display a messagebox with caption "I am the caption" and text "I am the text".
This can be done in two different ways:
1. Using LoadLibraryA/GetProcAddress combo. If you look at the imported functions you will only see LoadLibraryA, GetProcAddress is not imported and you have to add it manually.
2. Adding user32.dll to the import table and then adding MessageBoxA function.

In the first point you have to change Original First Thunk and First Thunk arrays only, in the other one you have to play also with Image_Import_Descriptor structure. I suggest you to try both of them, you will find how easy is to work with these structures

Some nice tutorial that may help you:
Iczelion's Import Table Tutorial: http://spiff.tripnet.se/~iczelion/pe-tut6.html
[yAtEs] Pe Notes (http://www.woodmann.net/yates/YATES.PE.txt[/url)
[yAtEs] Understanding Import Tables (http://www.woodmann.net/yates/Import_tables.txt[/url)
Also, take a look at this thread: Messin' with the import table (http://www.woodmann.net/forum/showthread.php?t=162)

Good luck,
ZaiRoN

i failed..help me

but instead created new 1byte puzzle on this theme
uploaded in puzzles thread.

@ evaluator )))))

OK i've made it the first way by now
i added new function to First Thunk
but had to fill with zeroes Original First Thunk
(as far as I understood this array is not important)
so now I know how to do it
tomorrow I'll try adding user32.dll

Hey everybody It's my first time posting here so please forgive my n00bish question. I have attempted to complete this mini-project so far using the first method mentioned in the instructions. I added the zero-terminated function name ("GetProcAddress" preceded by an ordinal of "00 00" to the list of function/dll names and added an RVA to the newly added name in the OriginalFirstThunk and FirstThunk members of the array of IMAGE_IMPORT_DESCRIPTOR structures. Now when I try to run the proggy under WinXP, I get the following error message:

"The application failed to initialize properly (0xC0000005). Click on OK to terminate the application"

Any thoughts would be greatly appreciated....

Hi br00t_4_c,
seems like there is a problem with the new added function (GetProcAddress). I bet you have added the rva of the new function directly at offset 0x648, am I right? OriginalFirstThunk has a final 00 dword at the end. Is this your problem?

ZaiRoN

Oops, never mind, forgot to terminate the IAT with a null pointer -sorry for the wasted forum space...

I did indeed add the rva to the new function at 648. Then i inserted a 00 dword to terminate the OriginalFirstThunk with a null pointer. Then I adjusted the rvas for anything that would have been affected by this insertion by adding 4... ran the thing again and no more crash

Thanx for the speedy reply ZaiRoN