get the function address from it's name using IMAGE_IMPORT_DESCRIPTOR
-
I can get the linked functions in any file by using IMAGE_IMPORT_DESCRIPTOR, but how in this world I can get their addresses? Assuming AddAtomA is the target .... Asm code: (jmp dword ptr ds:004050b8)in memory address of 004050b8 is 779B9EB8 which is function AddAtomA so is there any way to show the AddAtomA address while using IMAGE_IMPORT_DESCRIPTOR or showing the place where it will be called in the program?
-
I can get the linked functions in any file by using IMAGE_IMPORT_DESCRIPTOR, but how in this world I can get their addresses? Assuming AddAtomA is the target .... Asm code: (jmp dword ptr ds:004050b8)in memory address of 004050b8 is 779B9EB8 which is function AddAtomA so is there any way to show the AddAtomA address while using IMAGE_IMPORT_DESCRIPTOR or showing the place where it will be called in the program?
The actual address of a function that is imported from another module is resolved while loading your image. If the other image is a dll then it can be loaded to any address if it has a relocation table. If you are curious about the address of a function whose code is in a builtin system dll then you can ask the function address with (GetModuleHandle() or LoadLibrary()) + GetProcAddress() yourself in your program without reading anything from an exe/dll file as some builtin dlls (kernel32, user32) are loaded to the same virtual address in the virtual memory space of every process in the system (at least on 32 bit windows versions, never tried the 64 bit ones). This is an old trick. This has nothing to do with the IMAGE_IMPORT_DESCRITPTOR of a specific image, this way you retrieve a constant that is guaranteed to be constant from system startup to system shutdown.
-
The actual address of a function that is imported from another module is resolved while loading your image. If the other image is a dll then it can be loaded to any address if it has a relocation table. If you are curious about the address of a function whose code is in a builtin system dll then you can ask the function address with (GetModuleHandle() or LoadLibrary()) + GetProcAddress() yourself in your program without reading anything from an exe/dll file as some builtin dlls (kernel32, user32) are loaded to the same virtual address in the virtual memory space of every process in the system (at least on 32 bit windows versions, never tried the 64 bit ones). This is an old trick. This has nothing to do with the IMAGE_IMPORT_DESCRITPTOR of a specific image, this way you retrieve a constant that is guaranteed to be constant from system startup to system shutdown.
-
You are welcome! Was everything clear?
-
BTW, this trick is guaranteed to work only with user32 and kernel32, I never tried it with other dlls. These dlls are usually mapped to 7xxxxxxx addresses as you see in your example.
-
The actual address of a function that is imported from another module is resolved while loading your image. If the other image is a dll then it can be loaded to any address if it has a relocation table. If you are curious about the address of a function whose code is in a builtin system dll then you can ask the function address with (GetModuleHandle() or LoadLibrary()) + GetProcAddress() yourself in your program without reading anything from an exe/dll file as some builtin dlls (kernel32, user32) are loaded to the same virtual address in the virtual memory space of every process in the system (at least on 32 bit windows versions, never tried the 64 bit ones). This is an old trick. This has nothing to do with the IMAGE_IMPORT_DESCRITPTOR of a specific image, this way you retrieve a constant that is guaranteed to be constant from system startup to system shutdown.
-
You are right, thank you for mentioning. I was playing around with these things long ago...
