Well, the idea to write this program came to me by discussing at: http://www.masmforum.com/simple/index.php?topic=352.msg2317
The program simply scans the IAT of a PE file and changes OriginalFirstThunk so APIs aren't imported by name anymore, but by ordinal :green
I don't know if there is any practical use for this piece of code. But it was fun to code it, and I want to share it with everybody.
I guess that the Loader is faster when it uses ordinals to import APIs, so I guess that Microsoft will love me b/c of this :green :green
My approach on changing OriginalFirstThunk was like this (maybe wrong, but it works) =>>>
Map the PE file to memory, allocate enough memory for the whole image and copy only the section that has the Import Table, so I can use RVAs from the import table without any problem =) Then I change every pointer to an API name to MSB-ordinal and store it instead of the API name pointer. I also zero all API names, b/c I don't need them any more in test.exe; it also worked with other programs that I've tested. I have included only test.exe (not modified with this progy) in the attachment.
[attachment deleted by admin]
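As an added illustration of the approach described above (this is not chetnik's program; his source was in the attachment), the following Python walks a 32-bit import directory, rewrites each by-name thunk into IMAGE_ORDINAL_FLAG32 | ordinal and zeroes the IMAGE_IMPORT_BY_NAME record, and also lists DLLs whose imports are all by ordinal, which is the check an analyst runs when triaging a binary that has been through such a tool. The import section is a constructed in-memory buffer standing in for the mapped section, with RVAs taken as offsets into it, and the ordinals in SAMPLE_EXPORTS are made-up values, not real KERNEL32 ordinals.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000  # high bit of a 32-bit thunk: import by ordinal, low 16 bits = ordinal
DESCRIPTOR_FMT = "<IIIII"          # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
DESCRIPTOR_SIZE = struct.calcsize(DESCRIPTOR_FMT)

# Constructed ordinals for this demo only; real KERNEL32 ordinals differ between Windows versions.
SAMPLE_EXPORTS = {"KERNEL32.dll": {"ExitProcess": 0x00B7, "GetModuleHandleA": 0x01F5, "Sleep": 0x0347}}


def read_cstring(image, rva):
    return bytes(image[rva:image.index(b"\x00", rva)]).decode("ascii")


def iter_descriptors(image, desc_rva):
    """Yield (OriginalFirstThunk, Name RVA, FirstThunk) until the all-zero terminator."""
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from(DESCRIPTOR_FMT, image, desc_rva)
        if oft == 0 and name_rva == 0 and ft == 0:
            return
        yield oft, name_rva, ft
        desc_rva += DESCRIPTOR_SIZE


def parse_imports(image, desc_rva):
    """Decode each DLL's lookup table into ('ordinal', n) or ('name', hint, api) entries."""
    result = []
    for oft, name_rva, ft in iter_descriptors(image, desc_rva):
        entries = []
        thunk_rva = oft or ft  # an unbound file without an OFT keeps its names in FirstThunk
        while True:
            thunk = struct.unpack_from("<I", image, thunk_rva)[0]
            if thunk == 0:
                break
            if thunk & IMAGE_ORDINAL_FLAG32:
                entries.append(("ordinal", thunk & 0xFFFF))
            else:  # RVA of IMAGE_IMPORT_BY_NAME: WORD Hint followed by the NUL-terminated name
                hint = struct.unpack_from("<H", image, thunk)[0]
                entries.append(("name", hint, read_cstring(image, thunk + 2)))
            thunk_rva += 4
        result.append((read_cstring(image, name_rva), entries))
    return result


def convert_to_ordinal(image, desc_rva, exports):
    """Rewrite by-name thunks as IMAGE_ORDINAL_FLAG32 | ordinal and zero the name record, as the
    post describes. Both thunk arrays are patched so FirstThunk stays a copy of OriginalFirstThunk
    in an unbound file. Names missing from `exports` are left alone. Returns the number rewritten."""
    changed = 0
    for oft, name_rva, ft in iter_descriptors(image, desc_rva):
        dll_exports = exports.get(read_cstring(image, name_rva), {})
        lookup = oft or ft
        i = 0
        while True:
            thunk = struct.unpack_from("<I", image, lookup + 4 * i)[0]
            if thunk == 0:
                break
            if not thunk & IMAGE_ORDINAL_FLAG32:
                api = read_cstring(image, thunk + 2)
                ordinal = dll_exports.get(api)
                if ordinal is not None:
                    new_thunk = IMAGE_ORDINAL_FLAG32 | ordinal
                    struct.pack_into("<I", image, lookup + 4 * i, new_thunk)
                    struct.pack_into("<I", image, ft + 4 * i, new_thunk)
                    record_len = 2 + len(api) + 1  # hint + name + NUL are no longer referenced
                    image[thunk:thunk + record_len] = bytes(record_len)
                    changed += 1
            i += 1
    return changed


def ordinal_only_dlls(image, desc_rva):
    """Triage check: DLLs imported purely by ordinal deserve a second look in an unknown binary."""
    return [dll for dll, entries in parse_imports(image, desc_rva)
            if entries and all(kind == "ordinal" for kind, *_ in entries)]


def build_sample_image():
    """Constructed 32-bit import section: one descriptor for KERNEL32.dll with three by-name imports."""
    image = bytearray(0x100)
    DESC, OFT, FT, DLLNAME, NAMES = 0x00, 0x40, 0x50, 0x60, 0x80
    image[DLLNAME:DLLNAME + 13] = b"KERNEL32.dll\x00"
    rva, thunks = NAMES, []
    for hint, api in ((0x10, b"ExitProcess"), (0x20, b"GetModuleHandleA"), (0x30, b"Sleep")):
        struct.pack_into("<H", image, rva, hint)
        image[rva + 2:rva + 2 + len(api) + 1] = api + b"\x00"
        thunks.append(rva)
        rva = (rva + 2 + len(api) + 1 + 1) & ~1  # keep records word-aligned like a linker would
    for i, t in enumerate(thunks):  # the zero terminators are already in place
        struct.pack_into("<I", image, OFT + 4 * i, t)
        struct.pack_into("<I", image, FT + 4 * i, t)
    struct.pack_into(DESCRIPTOR_FMT, image, DESC, OFT, 0, 0, DLLNAME, FT)
    return image, DESC


if __name__ == "__main__":
    image, desc = build_sample_image()
    print("before:", parse_imports(image, desc))
    print("rewrote", convert_to_ordinal(image, desc, SAMPLE_EXPORTS), "thunks")
    print("after: ", parse_imports(image, desc))
    print("ordinal-only DLLs:", ordinal_only_dlls(image, desc))
```

The hint value returned by parse_imports is the field Jibz's reply refers to; a loader uses it as a first guess into the export name table before falling back to a binary search, so a correct hint is what speeds up a by-name import without tying the file to one DLL version.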
Nice work :U.
Importing by ordinal doesn't sound too portable across windows versions .. perhaps it would be better to just set the hint to the right value for the current system? Or use bind like Microsoft intended?
Nice example chetnik, nonetheless :
Hi chetnik,
I will have a look at your work, nice idea :U
GoAsm has the capability of importing APIs by ordinal; Donkey coded various examples about it.
Thanks :green
Yap, importing by ordinal isn't portable :( That's why I've included the unmodified test.exe in the attachment :green :green
Vortex: I will take a look at GoAsm :U
Quote from: Jibz on January 10, 2005, 09:47:21 AM
Nice work :U.
Importing by ordinal doesn't sound too portable across windows versions .. perhaps it would be better to just set the hint to the right value for the current system? Or use bind like Microsoft intended?
I agree. Importing by ordinal is to be considered as a last resort. ;)
Scott
Hi Chetnik,
Importing by ordinal with GoAsm is very simple...
invoke Shell32.DLL:71, offset hSysImlLarge, offset hSysImlSmall
You can also equate the import so it is a little clearer in the source...
Shell_GetImageLists = Shell32.DLL:71
invoke Shell_GetImageLists, offset hSysImlLarge, offset hSysImlSmall
However, as you say, there are issues using the more non-standard ordinal values; some, such as the one above, are needed to maintain compatibility of MS software and are included in all OS versions.
Yap, really nice feature by GoAsm =)
I'm testing it right now =)