Poking around in a number of native Windows 7 assemblies using PEStudio 3.69, I was surprised to find no imported methods among several native assemblies, like Explorer.exe, notepad.exe, and others. Each referenced a lot of libraries, but no specific methods. I find that very unusual. Under the "Indicators" tab in PEStudio, "The number of imported Symbols is too small" is highlighted when "Show All" items is enabled. However, when I use PEStudio 5.50, a few imported symbols/methods are found for Explorer.exe, but most of the imported libraries still have 0 symbols imported.
 
If a native assembly doesn't put import symbols (methods referenced from other libraries) in the import table of the PE header, how does the loader know where to find them, and where are these symbols being stored? More importantly, how do you compile native assemblies in this manner?
 
I know you can compile using a .def file to import by ordinal to hide the method name, but still, there should be a pointer referencing the method in the import table. Could the import table be relocated in a different PE section, OR is there something else going on, like a PE flag or security feature such as Address Space Layout Randomization (ASLR) at work?
Posted 13 Feb '13 - 12:34
Edited 13 Feb '13 - 14:26

Comments
Sergey Alexandrovich Kryukov - 13 Feb '13 - 18:53
Assembly? Do you mean .NET and C++/CLI? Explorer.EXE and Notepad.EXE have nothing to do with .NET and hence assemblies... And a .def file has nothing to do with .NET and assemblies. It seems to me that you are mixing up two different technologies. .NET modules are based on PE, but don't use it the way unmanaged modules do. —SA
mcrawley - 13 Feb '13 - 19:28
People also use "assembly" to refer to native DLL/EXE/OCX files. It's not exclusive to .NET. By reading my question it should have been obvious I wasn't referring to .NET IL assemblies.
Sergey Alexandrovich Kryukov - 13 Feb '13 - 19:38
Never heard of such a term. Then your question makes sense, of course... —SA
Sergey Alexandrovich Kryukov - 13 Feb '13 - 19:52
A .def file has nothing to do with PE imports; I mean, it's just one of the ways to pass import modules to the build, nothing else. Different languages or development systems have different syntax for such things; how you do it does not affect the result. I also doubt that ASLR and security in general have something to do with imports. There should be some way to tell a loader the way to refer to the modules to be bound so as to make the calls to the functions of those modules possible. As you correctly put it, "how does the loader know..?" —SA
Sergey Alexandrovich Kryukov - 15 Feb '13 - 11:07
[OP commented:] After contacting the developer of PeStudio, we have concluded it was a bug in the program that is being fixed in future versions.
Sergey Alexandrovich Kryukov - 15 Feb '13 - 11:09
Please don't post comments like that as "solution". You should comment on any posts, reply to existing comments, use "Improve question". And accepting your own answer is not correct at all. Anyone can ask her/his own "questions" and then "answer" them... Will you accept my answer formally (green button), which turns out to be correct? — thanks. —SA

1 solution

How hidden? I just tested with notepad.exe:
dumpbin %windir%\notepad.exe /imports
 
Part of output:
File Type: EXECUTABLE IMAGE
 
  Section contains the following imports:
 
    ADVAPI32.dll
             10000C000 Import Address Table
             10000D1E8 Import Name Table
              FFFFFFFF time date stamp
              FFFFFFFF Index of first forwarder reference
 
           7FF7FF21ED0   27E RegSetValueExW
           7FF7FF2C2D0   26E RegQueryValueExW
           7FF7FF21F00   23C RegCreateKeyW
           7FF7FF30710   230 RegCloseKey
           7FF7FF306F0   261 RegOpenKeyExW
           7FF7FF30720   180 IsTextUnicode
           7FF7FF27E04    57 CloseServiceHandle
           7FF7FF1C2A8   1F9 OpenSCManagerW
           7FF7FF1C2C0   1FB OpenServiceW
           7FF7FF1C6FC   224 QueryServiceConfigW
 
    KERNEL32.dll
             10000C058 Import Address Table
             10000D240 Import Name Table
              FFFFFFFF time date stamp
              FFFFFFFF Index of first forwarder reference
 
              78D2CF20   209 GetLocalTime
              78D2D3F0   1CF GetDateFormatW
              ...
              ...
 
I don't see anything hidden so far.
 
—SA
Comments
H.Brydon - 15 Feb '13 - 1:19
If I was able to answer before you, that would have been my answer too. +5
Sergey Alexandrovich Kryukov - 15 Feb '13 - 11:06
Thank you, —SA
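To make the point of the accepted answer concrete, and to cover the by-ordinal case raised in the question, here is an added example (not code from the original thread or from any of the posters) that walks a PE file's import directory the way dumpbin /imports does: it follows IMAGE_DIRECTORY_ENTRY_IMPORT to each IMAGE_IMPORT_DESCRIPTOR, then reads the Import Name Table (falling back to the Import Address Table when the INT RVA is zero, which the PE format permits) and reports each symbol either by name or as an ordinal. The sample image it parses is a constructed, minimal PE32+ file built in memory with one .idata section, one DLL (KERNEL32.dll) and two imports (GetLocalTime by name, ordinal 0x180 by ordinal); those values are an assumption for the demonstration and are not taken from notepad.exe. Pass a real file path as the first argument to run it against an actual binary.

```python
"""List the symbols a PE file imports, per DLL, by name or by ordinal.

Added example: walks IMAGE_DIRECTORY_ENTRY_IMPORT (directory index 1),
reads each IMAGE_IMPORT_DESCRIPTOR and its thunk table, and distinguishes
by-name entries (RVA of a hint/name record) from by-ordinal entries
(high bit set). The sample image below is constructed in memory for the
demo; it is not a real Windows binary.
"""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1   # index into the optional header's DataDirectory


def _rva_to_off(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def _cstr(data, off):
    """Read a NUL-terminated ASCII string at a file offset."""
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_imports(data):
    """Return {dll_name: [symbol, ...]} with ordinals rendered as '#N'."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                       # IMAGE_OPTIONAL_HEADER
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B   # PE32+ magic
    dd_off = opt + (112 if is64 else 96)      # DataDirectory[] start
    imp_rva, _imp_size = struct.unpack_from(
        "<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)

    sections = []                             # (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
    for i in range(nsect):
        s = opt + opt_size + 40 * i
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, s + 8)
        sections.append((va, vsize, raw, rawsize))

    result = {}
    if imp_rva == 0:                          # no import directory at all
        return result
    tfmt, tsize, ordflag = ("<Q", 8, 1 << 63) if is64 else ("<I", 4, 1 << 31)
    desc = _rva_to_off(sections, imp_rva)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk (INT), TimeDateStamp,
        # ForwarderChain, Name, FirstThunk (IAT); an all-zero entry ends the list.
        oft, _tds, _fwd, name_rva, fta = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        dll = _cstr(data, _rva_to_off(sections, name_rva))
        # Some linkers leave the INT RVA at 0; the spec then says to use the IAT.
        toff = _rva_to_off(sections, oft or fta)
        syms = []
        while True:
            thunk = struct.unpack_from(tfmt, data, toff)[0]
            if thunk == 0:
                break
            if thunk & ordflag:               # import by ordinal: no name anywhere
                syms.append(f"#{thunk & 0xFFFF}")
            else:                             # import by name: RVA of hint (2 bytes) + name
                hn = _rva_to_off(sections, thunk & 0x7FFFFFFF)
                syms.append(_cstr(data, hn + 2))
            toff += tsize
        result[dll] = syms
        desc += 20
    return result


def build_sample_pe():
    """Constructed minimal PE32+ image (assumption for the demo, not a real
    binary): one .idata section at RVA 0x1000 / file offset 0x200 holding an
    import descriptor for KERNEL32.dll with GetLocalTime by name and #0x180
    by ordinal."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                     # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # COFF header: AMD64, 1 section, 240-byte optional header, EXECUTABLE|LARGE_ADDRESS_AWARE
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x20B)                     # PE32+ magic
    struct.pack_into("<II", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x1000, 0x28)
    sec = opt + 240                                             # first section header
    img[sec:sec + 8] = b".idata\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x80, 0x1000, 0x200, 0x200)
    base = 0x200                                                # raw offset of RVA 0x1000
    # descriptor: INT @0x1028, Name @0x1058, IAT @0x1040; followed by the null terminator
    struct.pack_into("<IIIII", img, base, 0x1028, 0, 0, 0x1058, 0x1040)
    thunks = (0x1070, (1 << 63) | 0x180, 0)
    struct.pack_into("<QQQ", img, base + 0x28, *thunks)         # INT
    struct.pack_into("<QQQ", img, base + 0x40, *thunks)         # IAT (identical until the loader patches it)
    img[base + 0x58:base + 0x58 + 13] = b"KERNEL32.dll\0"
    struct.pack_into("<H", img, base + 0x70, 0x209)              # hint
    img[base + 0x72:base + 0x72 + 13] = b"GetLocalTime\0"
    return bytes(img)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for dll, syms in parse_imports(data).items():
        print(f"{dll}: {len(syms)} imported symbols")
        for s in syms:
            print("   ", s)
```

Two practical caveats when comparing a viewer's count against dumpbin: a tool that reads only the INT reports zero symbols for a descriptor whose OriginalFirstThunk is 0 even though the IAT carries the list, and functions reached through delay-load imports live in a separate directory (IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT, index 13, with a different descriptor layout) that this walker deliberately does not touch, so a module that delay-loads most of its DLLs will look sparse here while dumpbin /imports still lists those sections. An import by ordinal shows up only as the number; that is the effect of a .def file exporting without a name, and the loader still resolves it through the same IAT slot.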

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 14 Feb 2013
Copyright © CodeProject, 1999-2013. All Rights Reserved.