5.00/5 (2 votes)
Basically, I understand what unions are: they share the same memory, and whatever happens to one member affects the others and vice versa. Now I am trying to understand this part of code:
struct _IMAGE_THUNK_DATA64 {
    union {
        ULONGLONG ForwarderString; // PBYTE
        ULONGLONG Function;        // PDWORD
        ULONGLONG Ordinal;
    } u1;
};

I am trying to read/parse a process's Import Address Table. What I am doing is basically this:
if (!memory::Read(process_base_address + import_desc.FirstThunk,&first_thunk,sizeof(first_thunk))) return 0;

I am reading the data from FirstThunk and storing it inside my IMAGE_THUNK_DATA, which has a size of 8 bytes since it's using a union. Now the real questions are:

- When I do this read memory operation, which variable exactly am I reading? Is it the last one that got written to, assuming from my target process?

- How would I read, for example, Ordinal from that union, considering it's the same value as Function, which is wrong?

- Lastly, I found some people doing this:
auto function_address = process_base_address + import_desc.FirstThunk + func_index * sizeof(std::uintptr_t); 
where the function index is equal to 0, 1, 2, etc. By doing this, without reading this line from memory, I get access to an array, I guess, of function pointers that resides in the [.rdata] section. If I try to read it from memory using ReadProcessMemory, I get the address of the actual function inside the [.text] section, and by multiplying it by 8 bytes I go to the next function pointer in memory.

I hope that someone can clarify this, since I have been trying to understand it for 3 days and still don't understand how it's supposed to work.

What I have tried:

I have done what I posted in my question paragraph, but I would like to understand it more.
Updated 5-Aug-20 2:42am

1 solution

You understood that unions share the same memory, but you also need to understand that each member only interprets the same memory as its own value. It is an invention of the old-timers to save memory.

So you have all values read with the FirstThunk. Use the debugger or print the values to see it.
zeroaceee 7-Aug-20 11:54am
@KarstenK But how? When I print their values I get the same value for all of them. Also, trying to cast them to their types doesn't change anything and points to invalid memory. Can you show me an example reading memory from an external process and printing their values?
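An added example, not part of the original thread, of how the 8-byte thunk value discussed above is interpreted: in a loaded 64-bit module the FirstThunk array holds resolved function addresses, while the parallel OriginalFirstThunk array holds either an ordinal (high bit set, IMAGE_ORDINAL_FLAG64) or the RVA of a hint/name entry. `walk_thunks`, `make_sample_image`, `Thunk64` and `Import` are hypothetical names, `AddressOfData` is the winnt.h union member missing from the posted snippet, and the code assumes the module bytes were already copied into a buffer indexed by RVA (for a live process, via the poster's `memory::Read`).

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

constexpr std::uint64_t kOrdinalFlag64 = 0x8000000000000000ULL;  // IMAGE_ORDINAL_FLAG64

union Thunk64 {                      // stand-in for IMAGE_THUNK_DATA64::u1
    std::uint64_t ForwarderString, Function, Ordinal, AddressOfData;
};
struct Import { bool by_ordinal; std::uint16_t ordinal; std::string name; std::uint64_t bound; };

// image: bytes of the mapped module, indexed by RVA (assumed already read from the process).
// int_rva = OriginalFirstThunk, iat_rva = FirstThunk of one import descriptor.
std::vector<Import> walk_thunks(const std::vector<std::uint8_t>& image,
                                std::uint32_t int_rva, std::uint32_t iat_rva) {
    std::vector<Import> out;
    for (std::size_t i = 0;; ++i) {
        const std::size_t lo = int_rva + i * sizeof(Thunk64), bo = iat_rva + i * sizeof(Thunk64);
        if (lo + sizeof(Thunk64) > image.size() || bo + sizeof(Thunk64) > image.size()) break;
        Thunk64 lookup, bound;
        std::memcpy(&lookup, &image[lo], sizeof lookup);
        std::memcpy(&bound, &image[bo], sizeof bound);
        if (lookup.AddressOfData == 0) break;            // all-zero entry ends the array
        Import imp{false, 0, "", bound.Function};        // after load: resolved address
        if (lookup.Ordinal & kOrdinalFlag64) {           // high bit set: import by ordinal
            imp.by_ordinal = true;
            imp.ordinal = static_cast<std::uint16_t>(lookup.Ordinal & 0xFFFF);
        } else {                                         // else: RVA of {WORD Hint; char Name[]}
            for (std::size_t p = lookup.AddressOfData + 2; p < image.size() && image[p]; ++p)
                imp.name += static_cast<char>(image[p]);
        }
        out.push_back(imp);
    }
    return out;
}

// Constructed sample: one import by name, one by ordinal, with made-up bound addresses.
std::vector<std::uint8_t> make_sample_image() {
    std::vector<std::uint8_t> img(0x100, 0);
    const std::uint64_t lookups[] = {0x60, kOrdinalFlag64 | 0x10, 0};
    const std::uint64_t bounds[]  = {0x00007FFA12345678ULL, 0x00007FFA1234ABCDULL, 0};
    std::memcpy(&img[0x20], lookups, sizeof lookups);    // lookup table at RVA 0x20
    std::memcpy(&img[0x40], bounds, sizeof bounds);      // address table at RVA 0x40
    std::memcpy(&img[0x62], "Sleep", 6);                 // name follows the 2-byte hint at 0x60
    return img;
}
```

All union members read the same 8 bytes; which name is meaningful depends on which table the entry came from and on the high bit, not on what was "last written".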

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
