Tags: C++, C, DLL, linker, compilation
Poking around in a number of native Windows 7 assemblies using PEStudio 3.69, I was surprised to find no imported methods among several native assemblies, like Explorer.exe, notepad.exe, and others. Each referenced a lot of libraries, but no specific methods. I find that very unusual. Under the "Indicators" tab in PEStudio, "The number of imported Symbols is too small" is highlighted when "Show All" items is enabled. However, when I use PEStudio 5.50, a few imported symbols/methods are found for Explorer.exe, but most of the imported libraries still have 0 symbols imported.
 
If a native assembly doesn't put import symbols (methods referenced from other libraries) in the import table of the PE header, how does the loader know where to find them, and where are these symbols being stored? More importantly, how do you compile native assemblies in this manner?
 
I know you can compile using a .def file to import by ordinal to hide the method name, but still, there should be a pointer referencing the method in the import table. Could the import table be relocated in a different PE section, OR is there something else going on, like a PE flag or security feature such as Address Space Layout Randomization (ASLR) at work?
Posted 13-Feb-13 12:34pm
Edited 13-Feb-13 14:26pm
Comments
Sergey Alexandrovich Kryukov at 13-Feb-13 18:53pm
Assembly? Do you mean .NET and C++/CLI? Explorer.EXE and Notepad.EXE have nothing to do with .NET and hence assemblies...
And .def files have nothing to do with .NET and assemblies.
 
It seems to me that you are mixing up two different technologies. .NET modules are based on PE, but don't use it the way unmanaged modules do.
—SA
mcrawley at 13-Feb-13 19:28pm
People also use "assembly" to refer to native DLL/EXE/OCX files. It's not exclusive to .NET. By reading my question it should have been obvious I wasn't referring to .NET IL assemblies.
Sergey Alexandrovich Kryukov at 13-Feb-13 19:38pm
Never heard of such a term. Then your question makes sense, of course...
—SA
Sergey Alexandrovich Kryukov at 13-Feb-13 19:52pm
A .def file has nothing to do with PE imports; I mean, it's just one of the ways to pass import modules to the build, nothing else. Different languages or development systems have different syntax for such things; how you do it does not affect the result.
I also doubt that ASLR and security in general have something to do with imports. There should be some way to tell a loader how to refer to the modules to be bound, so as to make the calls to the functions of those modules possible. As you correctly put it, "how does the loader know..?"
—SA
Sergey Alexandrovich Kryukov at 15-Feb-13 11:07am
[OP commented:]
 
After contacting the developer of PeStudio, we have concluded it was a bug in the program that is being fixed in future versions.
Sergey Alexandrovich Kryukov at 15-Feb-13 11:09am
Please don't post comments like that as "solution". You should comment on any posts, reply to existing comments, use "Improve question". And accepting your own answer is not correct at all. Anyone can ask her/his own "questions" and then "answer" them...
 
Will you accept my answer formally (green button), which turns out to be correct? — thanks.
—SA

1 solution


Solution 1

How hidden? I just tested with notepad.exe:
dumpbin %windir%\notepad.exe /imports
 
Part of output:
File Type: EXECUTABLE IMAGE
 
  Section contains the following imports:
 
    ADVAPI32.dll
             10000C000 Import Address Table
             10000D1E8 Import Name Table
              FFFFFFFF time date stamp
              FFFFFFFF Index of first forwarder reference
 
           7FF7FF21ED0   27E RegSetValueExW
           7FF7FF2C2D0   26E RegQueryValueExW
           7FF7FF21F00   23C RegCreateKeyW
           7FF7FF30710   230 RegCloseKey
           7FF7FF306F0   261 RegOpenKeyExW
           7FF7FF30720   180 IsTextUnicode
           7FF7FF27E04    57 CloseServiceHandle
           7FF7FF1C2A8   1F9 OpenSCManagerW
           7FF7FF1C2C0   1FB OpenServiceW
           7FF7FF1C6FC   224 QueryServiceConfigW
 
    KERNEL32.dll
             10000C058 Import Address Table
             10000D240 Import Name Table
              FFFFFFFF time date stamp
              FFFFFFFF Index of first forwarder reference
 
              78D2CF20   209 GetLocalTime
              78D2D3F0   1CF GetDateFormatW
              ...
              ...
 
I don't see anything hidden so far.
 
—SA
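As an added example (not part of the original answer, and not PEStudio's or dumpbin's code), the following Python script walks the same on-disk structures that the dumpbin output above is printing: the import data directory (entry 1 of the optional header) points at an array of IMAGE_IMPORT_DESCRIPTOR records, one per DLL, and each record points at a name table (OriginalFirstThunk, the "Import Name Table" line) and the IAT (FirstThunk, the "Import Address Table" line). Two caveats a parser author needs, both handled below: an import by ordinal (the .def-file case from the question) has the high bit of the thunk set and carries no name, only the ordinal; and a descriptor may have OriginalFirstThunk set to 0, in which case the loader reads the names from the IAT itself, so a tool that only follows OriginalFirstThunk reports zero symbols for that DLL. The thread's own conclusion was a PEStudio bug, so the second point is a caveat, not an explanation of the OP's screenshot. The PE32 image the script builds is constructed for the example; its DLL names, hint values and the ordinal 17 are arbitrary. Run it with a path to a real EXE/DLL to see the same output for that file.

```python
"""Walk a PE file's import directory with only the standard library.

Added example, not code from the original post. Reads the data directory
entry 1 -> IMAGE_IMPORT_DESCRIPTOR array -> per-DLL name table (INT) / IAT.
"""
import struct
import sys
from typing import List, NamedTuple

IMAGE_DIRECTORY_ENTRY_IMPORT = 1


class ImportEntry(NamedTuple):
    dll: str
    symbols: List[str]   # "Name" for by-name imports, "#N" for by-ordinal
    name_table: str      # "INT" normally; "IAT" when OriginalFirstThunk is 0


def _rva_to_offset(sections, rva):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_imports(data: bytes) -> List[ImportEntry]:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                        # PE32: 4-byte thunks
        dirs, thunk_fmt, ordinal_flag = opt + 96, "<I", 1 << 31
    elif magic == 0x20B:                      # PE32+: 8-byte thunks
        dirs, thunk_fmt, ordinal_flag = opt + 112, "<Q", 1 << 63
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(num_sections):             # section table follows the optional header
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, vsize, raw_ptr, raw_size))
    imp_rva, _ = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    if imp_rva == 0:
        return []                             # no import directory at all
    entries, desc = [], _rva_to_offset(sections, imp_rva)
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and ft == 0:
            break                             # all-zero terminator
        # The loader resolves names from OriginalFirstThunk (INT) and writes the
        # addresses into FirstThunk (IAT); with no INT it reads names from the IAT.
        table_rva, table = (oft, "INT") if oft else (ft, "IAT")
        thunk, symbols = _rva_to_offset(sections, table_rva), []
        while True:
            value = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if value == 0:
                break
            if value & ordinal_flag:
                symbols.append(f"#{value & 0xFFFF}")            # import by ordinal
            else:                                               # IMAGE_IMPORT_BY_NAME
                hint_name = _rva_to_offset(sections, value & 0x7FFFFFFF)
                symbols.append(_cstring(data, hint_name + 2))   # skip the 2-byte hint
            thunk += struct.calcsize(thunk_fmt)
        entries.append(ImportEntry(_cstring(data, _rva_to_offset(sections, name_rva)), symbols, table))
        desc += 20
    return entries


def build_sample_pe() -> bytes:
    """Constructed PE32 with one .idata section (sample input, not a real binary).
    Hint values and the ordinal are arbitrary choices for this sample."""
    sect_rva, sect_raw, body = 0x1000, 0x200, bytearray()

    def put(blob, align=1):               # append to the section, return its RVA
        while len(body) % align:
            body.append(0)
        rva = sect_rva + len(body)
        body.extend(blob)
        return rva

    k32, adv, u32 = (put(n) for n in (b"KERNEL32.dll\0", b"ADVAPI32.dll\0", b"USER32.dll\0"))
    glt = put(struct.pack("<H", 0x209) + b"GetLocalTime\0", 2)
    gdf = put(struct.pack("<H", 0x1CF) + b"GetDateFormatW\0", 2)
    mbw = put(struct.pack("<H", 0x218) + b"MessageBoxW\0", 2)
    k32_thunks = struct.pack("<III", glt, gdf, 0)
    k32_int, k32_iat = put(k32_thunks, 4), put(k32_thunks, 4)
    adv_thunks = struct.pack("<II", 0x80000000 | 17, 0)       # by ordinal, no name
    adv_int, adv_iat = put(adv_thunks, 4), put(adv_thunks, 4)
    u32_iat = put(struct.pack("<II", mbw, 0), 4)               # IAT only, INT absent
    descriptors = (struct.pack("<IIIII", k32_int, 0, 0, k32, k32_iat)
                   + struct.pack("<IIIII", adv_int, 0, 0, adv, adv_iat)
                   + struct.pack("<IIIII", 0, 0, 0, u32, u32_iat) + bytes(20))
    imp_rva = put(descriptors, 4)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section
    opt_hdr = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 14, 0, 0, sect_raw, 0, 0,
                          sect_rva, sect_rva, 0x400000, 0x1000, sect_raw, 6, 0, 0, 0, 6, 0,
                          0, 0x2000, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, imp_rva, len(descriptors))
    sect_hdr = struct.pack("<8sIIIIIIHHI", b".idata", len(body), sect_rva, sect_raw, 0x200, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + file_hdr + opt_hdr + dirs + sect_hdr
    return bytes(headers.ljust(0x200, b"\0") + body.ljust(sect_raw, b"\0"))


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for e in parse_imports(image):
        print(f"{e.dll}: {len(e.symbols)} symbols (names read from {e.name_table})")
        for s in e.symbols:
            print("   ", s)
```

The parser deliberately reads from disk offsets, not from a loaded image: in memory the IAT has been overwritten with resolved addresses, so the "IAT" fallback only yields names on the file or on an unmodified image. A `time date stamp` of FFFFFFFF in the dumpbin output above means the image was bound, with the real stamp kept in the bound-import directory; that is unrelated to whether names are present.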
Comments
H.Brydon at 15-Feb-13 1:19am
If I had been able to answer before you, that would have been my answer too. +5
Sergey Alexandrovich Kryukov at 15-Feb-13 11:06am
Thank you,
—SA

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 14 Feb 2013