Poking around in a number of native Windows 7 assemblies using PEStudio 3.69, I was surprised to find no imported methods among several native assemblies, like Explorer.exe, notepad.exe, and others. Each referenced a lot of libraries, but no specific methods. I find that very unusual. Under the "Indicators" tab in PEStudio, "The number of imported Symbols is too small" is highlighted when "Show All" items is enabled. However, when I use PEStudio 5.50, a few imported symbols/methods are found for Explorer.exe, but most of the imported libraries still have 0 symbols imported.

If a native assembly doesn't put import symbols (methods referenced from other libraries) in the import table of the PE header, how does the loader know where to find them, and where are these symbols being stored? More importantly, how do you compile native assemblies in this manner?

I know you can compile using a .def file to import by ordinal to hide the method name, but still, there should be a pointer referencing the method in the import table. Could the import table be relocated in a different PE section, OR is there something else going on, like a PE flag or security feature such as Address Space Layout Randomization (ASLR) at work?
Updated 13-Feb-13 14:26pm
Comments
Sergey Alexandrovich Kryukov 13-Feb-13 18:53pm    
Assembly? Do you mean .NET and C++/CLI? Explorer.EXE and Notepad.EXE have nothing to do with .NET and hence assemblies...
And a .def file has nothing to do with .NET and assemblies.

It seems to me that you are mixing up two different technologies. .NET modules are based on PE, but don't use it the way unmanaged modules do.
—SA
mcrawley 13-Feb-13 19:28pm    
People also use "assembly" to refer to native DLL/EXE/OCX files. It's not exclusive to .NET. By reading my question it should have been obvious I wasn't referring to .NET IL assemblies.
Sergey Alexandrovich Kryukov 13-Feb-13 19:38pm    
Never heard of such a term. Then your question makes sense, of course...
—SA
Sergey Alexandrovich Kryukov 13-Feb-13 19:52pm    
A .def file has nothing to do with PE imports; I mean, it's just one of the ways to pass import modules to the build, nothing else. Different languages or development systems have different syntax for such things; how you do it does not affect the result.
I also doubt that ASLR and security in general have something to do with imports. There should be some way to tell a loader the way to refer to the modules to be bound, to make the calls to the functions of those modules possible. As you correctly put it, "how does the loader know..?"
—SA
Sergey Alexandrovich Kryukov 15-Feb-13 11:07am    
[OP commented:]

After contacting the developer of PeStudio, we have concluded it was a bug in the program that is being fixed in future versions.

1 solution

How hidden? I just tested with notepad.exe:
dumpbin %windir%\notepad.exe /imports


Part of output:
File Type: EXECUTABLE IMAGE

  Section contains the following imports:

    ADVAPI32.dll
             10000C000 Import Address Table
             10000D1E8 Import Name Table
              FFFFFFFF time date stamp
              FFFFFFFF Index of first forwarder reference

           7FF7FF21ED0   27E RegSetValueExW
           7FF7FF2C2D0   26E RegQueryValueExW
           7FF7FF21F00   23C RegCreateKeyW
           7FF7FF30710   230 RegCloseKey
           7FF7FF306F0   261 RegOpenKeyExW
           7FF7FF30720   180 IsTextUnicode
           7FF7FF27E04    57 CloseServiceHandle
           7FF7FF1C2A8   1F9 OpenSCManagerW
           7FF7FF1C2C0   1FB OpenServiceW
           7FF7FF1C6FC   224 QueryServiceConfigW

    KERNEL32.dll
             10000C058 Import Address Table
             10000D240 Import Name Table
              FFFFFFFF time date stamp
              FFFFFFFF Index of first forwarder reference

              78D2CF20   209 GetLocalTime
              78D2D3F0   1CF GetDateFormatW
              ...
              ...


I don't see anything hidden so far.

—SA
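What dumpbin prints above comes from the PE import directory (DataDirectory[1] in the optional header), which points at an array of IMAGE_IMPORT_DESCRIPTORs, each naming a DLL and its Import Name Table. As an added example (not code from this answer, from PEStudio or from dumpbin), here is a small Python parser that walks that structure by hand, so a tool's "0 symbols imported" indicator can be cross-checked; it assumes a standard PE32 or PE32+ file read fully into memory and no third-party library.

```python
import struct

def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table (headers map 1:1)."""
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    return rva

def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_imports(data):
    """Return {dll: [symbol, ...]}; ordinal-only imports are listed as '#<n>'."""
    nt = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else 0
    if data[nt:nt + 4] != b"PE\0\0":                   # e_lfanew -> "PE\0\0"
        raise ValueError("not a PE image")
    num_sections, = struct.unpack_from("<H", data, nt + 6)
    opt_size, = struct.unpack_from("<H", data, nt + 20)
    opt = nt + 24                                      # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    pe64 = magic == 0x20B                              # PE32+ has 64-bit thunks
    thunk_fmt, ordinal_flag = ("<Q", 1 << 63) if pe64 else ("<I", 1 << 31)
    # Section table entries: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
                for i in range(num_sections)]
    # DataDirectory[1] (IMAGE_DIRECTORY_ENTRY_IMPORT) sits at 112 (PE32+) or 96 (PE32)
    import_rva, = struct.unpack_from("<I", data, opt + (112 if pe64 else 96) + 8)
    imports = {}
    if import_rva == 0:
        return imports                                 # no import directory at all
    desc = _rva_to_offset(import_rva, sections)        # IMAGE_IMPORT_DESCRIPTOR array
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and ft == 0:
            break                                      # all-zero terminator
        symbols = []
        thunk = _rva_to_offset(oft or ft, sections)    # INT; fall back to IAT if no INT
        while entry := struct.unpack_from(thunk_fmt, data, thunk)[0]:
            if entry & ordinal_flag:                   # import by ordinal: low 16 bits
                symbols.append("#%d" % (entry & 0xFFFF))
            else:                                      # IMAGE_IMPORT_BY_NAME: Hint, Name
                symbols.append(_cstring(data, _rva_to_offset(entry, sections) + 2))
            thunk += struct.calcsize(thunk_fmt)
        imports[_cstring(data, _rva_to_offset(name_rva, sections))] = symbols
        desc += 20
    return imports
```

Running `parse_imports(open(path, "rb").read())` on notepad.exe should list the same ADVAPI32.dll and KERNEL32.dll names dumpbin shows; imports by ordinal (the .def-file case from the question) appear as `#<n>`, and an image whose import data directory is zero yields an empty dict.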
Comments
H.Brydon 15-Feb-13 1:19am    
If I was able to answer before you, that would have been my answer too. +5
Sergey Alexandrovich Kryukov 15-Feb-13 11:06am    
Thank you,
—SA

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)