When I create the following executable, the address doesn't match the address that was filled in by the IAT/Import Table/Loader.
OllyDbg Output:
00401000 >/$ A1 06204000 MOV EAX,DWORD PTR DS:[402006]
00401005 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00401007 |. 6A 00 PUSH 0 ; /ExitCode = 0
00401009 \. E8 F20F0000 CALL <JMP.&KERNEL32.ExitProcess> ; \ExitProcess
It should be
MOV EAX,DWORD PTR DS:[40204C]
or
OllyDbg Output:
00401000 > A1 4C204000 MOV EAX,DWORD PTR DS:[<&kbhook.counter>]
00401005 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00401007 |. 6A 00 PUSH 0 ; /ExitCode = 0
00401009 \. E8 F20F0000 CALL <JMP.&KERNEL32.ExitProcess> ; \ExitProcess
Anyone?
[attachment deleted by admin]
Well, found something..
Using:
golink testkbhook.obj /entry Start kernel32.dll user32.dll kbhook.dll
or
golink testkbhook.obj /entry Start user32.dll kernel32.dll
produces bad files
Using:
golink testkbhook.obj /entry Start kbhook.dll kernel32.dll user32.dll
produces a good file
Hi Infro_X
Do you think this has something to do with the order in which you declare the Dlls?
GoLink looks inside the Dlls from left to right to see if they contain the imported function.
You can override this using eg. CALL kbhook:function
This will cause GoLink only to look inside kbhook.dll for the imported function.
Not 100 percent sure, but I think it has to do with the number of imports before the "bugged" import is imported.
698-user32
548-gdi32
832-kernel32
(# of imports)
If I do gdi,user,mydll,kernel, it works
If I do gdi,kernel,mydll,user, it works ; 564 imports
If I do user,kernel,mydll,gdi, it DOES NOT work ; 5FA imports
If I do any,any,any,mydll, it DOES NOT work
If I do any,mydll,any,any, it works
If I do mydll,any,any,any, it works
But that doesn't coincide with what was happening before:
goasm assembledangit.asm
golink assembledangit.obj /entry Start kernel32.dll kbhook.dll
= bad file
Infro_x
Looking more closely at your file, this certainly seems to be a bug in GoLink, involving importing pointers to data where that data is contained in a dll.
I'll try to produce a fix for this asap.
Hi Infro_x
I believe I have fixed the problem in GoLink causing your difficulties. An internal pointer within GoLink used when setting up the import address table was sometimes 6 bytes behind where it should have been. This made no difference in most cases, since the pointer was only important for data pointer imports. However, if you used a data pointer import immediately after a particular type of code import, the data import might not be found properly. I suppose, since data pointer imports are not used very often, this is why this has not been reported before as an error.
Thanks a lot for letting me know about this bug!
The fix is attached.
[attachment deleted by admin]
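To check a symptom like the one in the first post (an operand such as [402006] instead of [40204C]) without guessing, walk the PE32 import directory and map every IAT slot back to its DLL and symbol. The following is an added Python example, not GoLink's or the poster's code; the .idata bytes are constructed inline to mirror the thread (kbhook.counter's slot at RVA 0x204C, image base 0x400000 as implied by the 0x401000 code address), and all other RVAs are invented for the example.

```python
import struct

IMAGE_BASE = 0x400000  # load address implied by the 0x401000 code address in the listings

def read_cstr(image, rva):
    return image[rva:image.index(b"\0", rva)].decode("ascii")

def parse_iat(image, import_dir_rva):
    """Walk IMAGE_IMPORT_DESCRIPTOR entries; return {iat_slot_rva: (dll, symbol)}."""
    slots, off = {}, import_dir_rva
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", image, off)
        if name_rva == 0 and ft == 0:          # all-zero descriptor terminates the table
            break
        dll = read_cstr(image, name_rva)
        int_rva = oft or ft                     # unbound files may reuse the IAT as the INT
        i = 0
        while True:
            thunk = struct.unpack_from("<I", image, int_rva + 4 * i)[0]
            if thunk == 0:
                break
            # ordinal import if the high bit is set, else IMAGE_IMPORT_BY_NAME (2-byte hint + name)
            sym = "#%d" % (thunk & 0xFFFF) if thunk & 0x80000000 else read_cstr(image, thunk + 2)
            slots[ft + 4 * i] = (dll, sym)
            i += 1
        off += 20
    return slots

def check_operand(slots, va):
    """Import behind an absolute memory operand (e.g. MOV EAX,[va]), or None if not an IAT slot."""
    return slots.get(va - IMAGE_BASE)

def build_sample_image():
    """Constructed .idata region indexed by RVA (synthetic, not taken from a real file)."""
    img = bytearray(0x2100)
    def put(rva, data): img[rva:rva + len(data)] = data
    put(0x2060, b"\0\0counter\0"); put(0x2070, b"\0\0ExitProcess\0")            # hint/name entries
    put(0x2080, b"kbhook.dll\0"); put(0x2090, b"kernel32.dll\0")                 # DLL names
    put(0x20A0, struct.pack("<II", 0x2060, 0)); put(0x20A8, struct.pack("<II", 0x2070, 0))  # INTs
    put(0x204C, struct.pack("<II", 0x2060, 0))  # IAT slot for kbhook.counter (RVA from the thread)
    put(0x2054, struct.pack("<II", 0x2070, 0))  # IAT slot for kernel32.ExitProcess
    put(0x2000, struct.pack("<IIIII", 0x20A0, 0, 0, 0x2080, 0x204C))  # descriptor: kbhook.dll
    put(0x2014, struct.pack("<IIIII", 0x20A8, 0, 0, 0x2090, 0x2054))  # descriptor: kernel32.dll
    return bytes(img)                            # 0x2028..0x203B stay zero: the terminator

if __name__ == "__main__":
    slots = parse_iat(build_sample_image(), 0x2000)
    for va in (0x40204C, 0x402006):             # the two operands from the disassemblies above
        print(hex(va), check_operand(slots, va))
```

On the real file, read the image into a buffer indexed by RVA (map each section at its VirtualAddress) and pass the import directory RVA from the optional header's data directory; an operand that does not map to any slot is the mis-linked reference.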
No problem, it helps me more than you (I think ;) ). Thank you for fixing it, jorgon.
Infro