
Import APIs by ordinal...

Started by chetnik, January 10, 2005, 12:04:10 AM


chetnik

Well, the idea to write this program came to me while discussing at: http://www.masmforum.com/simple/index.php?topic=352.msg2317

Program simply scans IAT table of PE file, and changes OriginalFirstThunk so APIs aren't imported by name anymore, but by ordinal :green
I don't know if there is any practical use for this piece of code. But it was fun to code it, and I want to share it with everybody.
I guess that Loader is faster when it uses ordinal to import APIs, so I guess that Microsoft will love me b/c of this :green :green
My approach on changing OriginalFirstThunk was like this (maybe wrong but it works) =>>>
map pe file to memory, allocate enough memory for whole image and copy only section that has Import Table so I can use RVAs from import table without any problem =) Then I change every pointer to API name with: MSB-ordinal and store it instead of API name pointer. I also zero all API names, b/c I don't need them any more in test.exe; it also worked with other programs that I've tested. I have included only test.exe (not modified with this progy) in attachment




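The IAT rewrite described in the post above, as an added Python example that is not chetnik's code: it walks a 32-bit IMAGE_THUNK_DATA array, replaces each name thunk with IMAGE_ORDINAL_FLAG32 | hint, zeroes the IMAGE_IMPORT_BY_NAME bytes, and lists the ordinal-only imports a reviewer would flag (the hint is only the linker's guess at the ordinal, which is why the result is not portable across DLL builds). The flat SAMPLE buffer, the FakeApi* names and hints, and the identity rva_to_off mapping are constructed assumptions; a real file maps RVAs through its section headers.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000  # high bit set => thunk holds an ordinal, not a name RVA

def parse_thunks(buf, thunk_rva, rva_to_off=lambda rva: rva):
    """Walk a NUL-terminated 32-bit IMAGE_THUNK_DATA array (OriginalFirstThunk).
    Returns ('ordinal', n) or ('name', hint, name) per entry."""
    entries, off = [], rva_to_off(thunk_rva)
    while True:
        (thunk,) = struct.unpack_from('<I', buf, off)
        if thunk == 0:
            return entries
        if thunk & IMAGE_ORDINAL_FLAG32:
            entries.append(('ordinal', thunk & 0xFFFF))
        else:  # IMAGE_IMPORT_BY_NAME: WORD hint followed by NUL-terminated ASCII name
            name_off = rva_to_off(thunk)
            (hint,) = struct.unpack_from('<H', buf, name_off)
            end = buf.index(b'\0', name_off + 2)
            entries.append(('name', hint, buf[name_off + 2:end].decode('ascii')))
        off += 4

def rewrite_by_hint(buf, thunk_rva, rva_to_off=lambda rva: rva):
    """The post's transformation: name thunk -> FLAG|hint, and the hint+name
    bytes are zeroed. Only valid where the DLL's export table matches the hints."""
    out = bytearray(buf)
    off = rva_to_off(thunk_rva)
    while True:
        (thunk,) = struct.unpack_from('<I', out, off)
        if thunk == 0:
            return bytes(out)
        if not thunk & IMAGE_ORDINAL_FLAG32:
            name_off = rva_to_off(thunk)
            (hint,) = struct.unpack_from('<H', out, name_off)
            end = out.index(b'\0', name_off + 2)
            out[name_off:end] = bytes(end - name_off)  # wipe hint + name
            struct.pack_into('<I', out, off, IMAGE_ORDINAL_FLAG32 | hint)
        off += 4

def ordinal_imports(entries):
    """Triage helper: ordinal-only imports leave no API name in the binary."""
    return [e[1] for e in entries if e[0] == 'ordinal']

# Constructed sample "import section": RVA == file offset, so rva_to_off is identity.
SAMPLE = bytearray(0x40)
struct.pack_into('<IIII', SAMPLE, 0x00, 0x20, IMAGE_ORDINAL_FLAG32 | 71, 0x30, 0)
struct.pack_into('<H8sx', SAMPLE, 0x20, 0x0010, b'FakeApiA')  # hint 0x10 + name + NUL
struct.pack_into('<H8sx', SAMPLE, 0x30, 0x0203, b'FakeApiB')  # hint 0x203 + name + NUL
SAMPLE = bytes(SAMPLE)
```

Run parse_thunks on SAMPLE before and after rewrite_by_hint to see the name entries collapse into ordinals and the strings disappear from the buffer.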

Jibz

Nice work :U.

Importing by ordinal doesn't sound too portable across windows versions .. perhaps it would be better to just set the hint to the right value for the current system? Or use bind like Microsoft intended?

Ghirai

Nice example chetnik, nonetheless :
MASM32 Project/RadASM mirror - http://ghirai.com/hutch/mmi.html

Vortex

Hi chetnik,

I will have a look at your work, nice idea :U

GoAsm has the capability of importing API's by ordinal, Donkey coded various examples about it.

chetnik

Thanks :green

Yap, importing by ordinal isn't portable :( That's why I've included test.exe not modified in attachment :green :green

Vortex: I will take a look at GoAsm :U

sbrown

Quote from: Jibz on January 10, 2005, 09:47:21 AM
Nice work :U.

Importing by ordinal doesn't sound too portable across windows versions .. perhaps it would be better to just set the hint to the right value for the current system? Or use bind like Microsoft intended?
I agree. Importing by ordinal is to be considered as a last result. ;)


Scott

donkey

Hi Chetnik,

Importing by ordinal with GoAsm is very simple...

invoke Shell32.DLL:71, offset hSysImlLarge, offset hSysImlSmall

You can also equate the import so it is a little clearer in the source...

Shell_GetImageLists = Shell32.DLL:71

invoke Shell_GetImageLists, offset hSysImlLarge, offset hSysImlSmall

However, as you say there are issues using the more non-standard ordinal values, some such as the one above are needed to maintain compatibility of MS software and are included in all OS versions.
"Ahhh, what an awful dream. Ones and zeroes everywhere...[shudder] and I thought I saw a two." -- Bender
"It was just a dream, Bender. There's no such thing as two". -- Fry
-- Futurama

Donkey's Stable

chetnik

yap, really nice feature by GoAsm =)
I'm testing it right now =)