Exe that modify self import table before loader proceeds

Started by neodemon, October 05, 2007, 08:19:56 PM


neodemon

Hi, it's my first post on this forum. I'm wondering if it's possible to build an executable that runs code which modifies its own import table, but before the loader translates that table to addresses.

I saw an exe that puts the import table pointer at the address where the last 2 bytes of the loaded file reside. In that exe the author put the string kernel32.dll just after the "MZ" symbol (the first 2 bytes of the exe file), so from my point of view the loader should try to load the file MZkernel32.dll, not kernel32.dll, because when the loader aligns data in memory it fills the unaligned data with zeros. So from my point of view the IMAGE_IMPORT_DESCRIPTOR should look like this:

  OriginalFirstThunk dd - the last 2 bytes of the file + 2 bytes filled with zeros by the loader
  TimeDateStamp      dd - 0
  ForwarderChain     dd - 0
  Name1              dd - 0
  FirstThunk         dd - 0

However, I don't know why Name1 equals 0x00000002, not 0x00000000, and it loads kernel32.dll.

http://blogs.securiteam.com/index.php/archives/675 <- that's the exe I'm talking about. Just download the exe file and take a look at what address DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]->VirtualAddress points to, and follow that address trying to find out how it loads kernel32.dll and not MZkernel32.dll. I just can't understand that.

ecube

Yeah, an exe can modify its own import table, but only in memory via IAT hooking or self-loading via a code-based GetProcAddress. Also note that on Windows NT+ every exe must have at least 1 import for it to run.

neodemon

But to use GetProcAddress that file must import it from kernel32.dll, and in tiny.exe, if you follow the import table address, you will see that it should try to load MZkernel32.dll, but it doesn't; it loads kernel32.dll. I tried to add the rest of the import table at the end of that file and add the size of the added bytes to section.SizeOfRawData, but when I disassembled it with PE Explorer the code at the end of the file (where my code should reside) was different from mine, and I don't know how that is possible.

ecube

kernel32.dll is automatically in every process, and there are code-based GetProcAddress routines on the board; you can get and use them without importing anything. Just look.

neodemon

Let me explain the problem with some help from .gif images :]

First, look at the PE information for the original tiny.exe:

[image: PE information for the original tiny.exe]

And here is the disassembly of that file at address 0x005E116Eh, where the data directory for imports points to:


[image: disassembly at the address the import data directory points to]

Address 0x005E116Fh is the last byte of the exe file.


Now let's take a look at what happens when I change "Size of Headers" in "Headers info" from 180h to 192h, and "Size of Raw Data" in "Section headers" from 170h to 182h:


[image: disassembly after changing "Size of Headers" and "Size of Raw Data"]

I only changed values in the header; I didn't extend the file size. However, if I add these 12h bytes physically at the end of the file (all bytes have the value 00h) and look at the disassembly, it looks exactly the same as when I only changed the values in the headers. Why are the values in the address range 0x005E1170h - 0x005E1181h not 00h???

I just can't understand that.

//EDIT I extended the size of the file and updated "Size of Raw Data" further, and my values started to show in the disassembly at address 0x005E1192

//EDIT2 Never mind, it was my mistake; now I understand everything :]
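
The two things the thread turns on, an IMAGE_IMPORT_DESCRIPTOR whose Name RVA points into the DOS header right after "MZ", and a descriptor that starts in the last bytes of the file so that the loader's zero-fill past SizeOfRawData supplies the rest of it, can be reproduced without the real tiny.exe. The following is an added example and not code from the thread, from the securiteam post, or from tiny.exe: it constructs its own small PE32 file (the offsets are this sample's, not tiny.exe's), lays it out in memory the way the loader does (headers at image offset 0, each section's raw bytes at its VirtualAddress, everything else zero; the simplification assumed here is that file-sized alignment is handled by copying, which gives the same bytes as the loader's mapping for this sample), and then walks the import directory with the bounds checks a parser used on untrusted files needs. It compiles without windows.h.

```c
/* Added example (not from the thread): map a PE32 file the way the loader lays
 * it out in memory, then walk IMAGE_IMPORT_DESCRIPTORs. The sample file is
 * constructed below and is NOT tiny.exe; all offsets are this sample's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FILE_LEN   0x106  /* file ends 2 bytes into the second descriptor */
#define IMAGE_LEN  0x140  /* SizeOfImage: bytes past the raw data are zero-filled */
#define IMPORT_RVA 0xF0   /* DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress */

static uint16_t rd16(const uint8_t *p, size_t o) { return (uint16_t)(p[o] | p[o + 1] << 8); }
static uint32_t rd32(const uint8_t *p, size_t o) { return rd16(p, o) | (uint32_t)rd16(p, o + 2) << 16; }
static void wr16(uint8_t *p, size_t o, uint16_t v) { p[o] = v & 0xff; p[o + 1] = v >> 8; }
static void wr32(uint8_t *p, size_t o, uint32_t v) { wr16(p, o, v & 0xffff); wr16(p, o + 2, v >> 16); }

/* Constructed PE32 file: DOS header, PE header, one section, import directory. */
size_t build_sample_file(uint8_t *f, size_t cap) {
    if (cap < FILE_LEN) return 0;
    memset(f, 0, cap);
    memcpy(f, "MZ", 2);
    memcpy(f + 0x02, "kernel32.dll", 13);       /* DLL name right after "MZ": its RVA is 2 */
    wr32(f, 0x10, 0x18);                        /* import lookup table: one entry, then a zero */
    memcpy(f + 0x1A, "ExitProcess", 12);        /* IMAGE_IMPORT_BY_NAME at 0x18: hint(2) + name */
    wr32(f, 0x3C, 0x40);                        /* e_lfanew */
    memcpy(f + 0x40, "PE\0\0", 4);
    wr16(f, 0x44, 0x14C);                       /* Machine: i386 */
    wr16(f, 0x46, 1);                           /* NumberOfSections */
    wr16(f, 0x54, 0x70);                        /* SizeOfOptionalHeader, through DataDirectory[1] */
    wr16(f, 0x58, 0x10B);                       /* PE32 magic; optional header starts at 0x58 */
    wr32(f, 0x58 + 32, 4);  wr32(f, 0x58 + 36, 4);            /* SectionAlignment, FileAlignment */
    wr32(f, 0x58 + 56, IMAGE_LEN);                            /* SizeOfImage */
    wr32(f, 0x58 + 60, 0xF0);                                 /* SizeOfHeaders */
    wr32(f, 0x58 + 92, 2);                                    /* NumberOfRvaAndSizes */
    wr32(f, 0x58 + 104, IMPORT_RVA);  wr32(f, 0x58 + 108, 0x28); /* import directory RVA, Size */
    memcpy(f + 0xC8, ".tiny", 5);                             /* section header at 0xC8 */
    wr32(f, 0xD0, 0x50);  wr32(f, 0xD4, 0xF0);                /* VirtualSize, VirtualAddress */
    wr32(f, 0xD8, FILE_LEN - 0xF0);  wr32(f, 0xDC, 0xF0);     /* SizeOfRawData, PointerToRawData */
    wr32(f, 0xF0, 0x10);                        /* desc[0].OriginalFirstThunk -> ILT in DOS header area */
    wr32(f, 0xFC, 0x02);                        /* desc[0].Name -> "kernel32.dll" after "MZ" */
    wr32(f, 0x100, 0x10);                       /* desc[0].FirstThunk (IAT) */
    wr16(f, 0x104, 0x1234);                     /* desc[1] begins here; only 2 of its 20 bytes exist */
    return FILE_LEN;
}

/* Copy headers and each section's raw bytes to their RVAs; everything else in the
 * image (including the part of a section past SizeOfRawData) stays zero. */
int map_image(const uint8_t *file, size_t file_len, uint8_t *img, size_t img_cap) {
    if (file_len < 0x40 || memcmp(file, "MZ", 2) != 0) return -1;
    uint64_t pe = rd32(file, 0x3C), opt = pe + 24;
    if (opt + 112 > file_len || memcmp(file + pe, "PE\0\0", 4) != 0) return -1;
    uint64_t size_of_image = rd32(file, opt + 56), size_of_headers = rd32(file, opt + 60);
    uint64_t nsec = rd16(file, pe + 6), sec = opt + rd16(file, pe + 20);
    if (size_of_image > img_cap || size_of_headers > file_len || sec + 40 * nsec > file_len) return -1;
    memset(img, 0, size_of_image);
    memcpy(img, file, size_of_headers);
    for (uint64_t i = 0; i < nsec; i++, sec += 40) {
        uint64_t va = rd32(file, sec + 12), raw = rd32(file, sec + 16), ptr = rd32(file, sec + 20);
        if (ptr + raw > file_len || va + raw > size_of_image) return -1;
        memcpy(img + va, file + ptr, raw);      /* beyond raw: zero, no matter what the file held */
    }
    return (int)size_of_image;
}

/* Bounded copy of a NUL-terminated string at an RVA; -1 if it leaves the image. */
static int copy_str(const uint8_t *img, size_t img_len, uint64_t rva, char *out, size_t cap) {
    for (size_t i = 0; i + 1 < cap; i++) {
        if (rva + i >= img_len) return -1;
        out[i] = (char)img[rva + i];
        if (out[i] == '\0') return 0;
    }
    return -1;
}

/* Walk the import directory: stop at the first descriptor with Name == 0 or
 * FirstThunk == 0 (the spec's terminator is an all-zero entry). Returns the DLL
 * count, or -1 if a descriptor, string or thunk lies outside the image. */
int walk_imports(const uint8_t *img, size_t img_len, char dll[][32], char fn[][32], int max) {
    if (img_len < 0x40) return -1;
    uint64_t opt = (uint64_t)rd32(img, 0x3C) + 24;
    if (opt + 112 > img_len) return -1;
    uint64_t desc = rd32(img, opt + 104);
    int n = 0;
    for (; n < max; desc += 20) {
        if (desc + 20 > img_len) return -1;    /* whole descriptor must lie inside the image */
        uint64_t oft = rd32(img, desc), name = rd32(img, desc + 12), ft = rd32(img, desc + 16);
        if (name == 0 || ft == 0) break;
        if (copy_str(img, img_len, name, dll[n], 32) < 0) return -1;
        uint64_t ilt = oft ? oft : ft;         /* no ILT: the IAT holds the unbound thunks */
        if (ilt + 4 > img_len) return -1;
        uint32_t thunk = rd32(img, ilt);
        fn[n][0] = '\0';
        if (thunk && !(thunk & 0x80000000u))   /* import by name: hint(2) + name */
            if (copy_str(img, img_len, (uint64_t)thunk + 2, fn[n], 32) < 0) return -1;
        n++;
    }
    return n;
}

static uint8_t g_file[FILE_LEN], g_img[IMAGE_LEN];
static char g_dll[4][32], g_fn[4][32];

/* Build, map and walk the sample; returns the DLL count and leaves g_img filled. */
int run_demo(void) {
    size_t len = build_sample_file(g_file, sizeof g_file);
    if (map_image(g_file, len, g_img, sizeof g_img) < 0) return -1;
    return walk_imports(g_img, sizeof g_img, g_dll, g_fn, 4);
}

/* Same image with the import RVA pointed past SizeOfImage: a walker must reject it. */
int run_demo_bad_rva(void) {
    uint8_t bad[IMAGE_LEN];
    if (run_demo() < 0) return -1;
    memcpy(bad, g_img, sizeof bad);
    wr32(bad, 0x58 + 104, 0x3FF0);
    return walk_imports(bad, sizeof bad, g_dll, g_fn, 4);
}

int main(void) {
    int n = run_demo();
    printf("descriptor walk: %d DLL(s)\n", n);
    for (int i = 0; i < n; i++) printf("  %s -> %s\n", g_dll[i], g_fn[i]);
    printf("desc[1] at 0x104: file bytes %04x, then zero-fill %04x (terminator)\n",
           rd16(g_img, 0x104), rd16(g_img, 0x106));
    printf("import RVA past image -> %d\n", run_demo_bad_rva());
    return 0;
}
```

The first descriptor resolves to kernel32.dll because its Name RVA is 2, the byte after "MZ", so the loader never sees the "MZ" prefix; the second descriptor starts in the last two bytes of the file and every later field of it reads as 0 from the zero-filled tail of the section, which is exactly why bytes written to the file past SizeOfRawData never show up in the image until SizeOfRawData is raised to cover them. A parser run over untrusted samples has to reject RVAs that leave the image (run_demo_bad_rva) rather than trust the header.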