Hi
Do you know what is the ForwarderChain in IMAGE_IMPORT_DESCRIPTOR of PE?
I didn't see any comment on this field on any tutorials that I read.

sincerely yours

Well, Matt pietreck does mention it in his "Inside the PE Format" paper.. which you can read here : http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndebug/html/msdn_peeringpe.asp

Looks pretty uninteresting. Basically the DLL says it does have a function by that name, but instead of really having it it forwards any request to that function to some other dll. Probably used for some backwards compatibilities.

>Geesh, 'compatibilities' is a hell of a word..

Once again you seem to be unwilling to do your own homework about things you should search for before asking basic questions. Did you try something, such as "ForwarderChain + IMAGE_IMPORT_DESCRIPTOR + PE" (without the quotes) or even "ForwarderChain + PE" (again with no quotes) in your favorite search engine or is this the first place you post every time there is some programming information you do not already know?

Get off your lazy butt and do some of your own searching FIRST.

The point here is that just because you haven't read anything about the subject yet, doesn't excuse your failure to search for the information BEFORE you post here asking someone to do this minimal effort for you.

Regards,

It's fun to create circular ForwarderChains between DLLs. You get an out of memory error from the image loader.

If i'm not mistaken, I believe forwards are used on Win2K and XP to NTdll.dll from Kernel32.dll. In other words, the PE file points to Kernel32.dll, but then in memory you actually get ntdll.dll function calls. Which of course throws off tools that aren't ready for it (ImpREC handles the situation correctly however)

-nt20

You are not mistaken


I've actually had good luck with all tools despite this. Perhaps it's because it's really not that difficult to code for (again, as long as you watch for loops).