the notes of PE workshop#3 - 3
introduction
this entry follows http://d.hatena.ne.jp/takahirox/20110503/1304411632
links
- the host's blog (handout, togetter and so on).
- ATND
what i did
i made a PE analysis tool using the knowledge of thunks i learned at the workshop. it shows the functions of each DLL.
example
% ./analysis.exe ./hoge.exe
*IMAGE_DOS_HEADER
e_magic : 5A4D [MZ] <000000>
e_cblp : 0090 <000002>
e_cp : 0003 <000004>
e_crlc : 0000 <000006>
... snip ...
*IMAGE_IMPORT_DESCRIPTOR[0] <KERNEL32.dll>
Characteristics : 703C [283C] <002800>
OriginalFirstThunk : 703C [283C] <002800>
TimeDateStamp : 0000 <002804>
ForwarderChain : 0000 <002808>
Name : 73DC [2BDC] <00280C>
FirstThunk : 70E0 [28E0] <002810>
<functions>
DeleteCriticalSection <002986>
EnterCriticalSection <00299E>
ExitProcess <0029B6>
FreeLibrary <0029C4>
GetLastError <0029D2>
GetModuleHandleA <0029E2>
GetProcAddress <0029F6>
InitializeCriticalSection <002A08>
LeaveCriticalSection <002A24>
LoadLibraryA <002A3C>
SetUnhandledExceptionFilter <002A4C>
TlsGetValue <002A6A>
VirtualProtect <002A78>
VirtualQuery <002A8A>
*IMAGE_IMPORT_DESCRIPTOR[1] <msvcrt.dll>
Characteristics : 7078 [2878] <002814>
OriginalFirstThunk : 7078 [2878] <002814>
TimeDateStamp : 0000 <002818>
ForwarderChain : 0000 <00281C>
Name : 7450 [2C50] <002820>
FirstThunk : 711C [291C] <002824>
<functions>
__getmainargs <002A9A>
__p__environ <002AAA>
__p__fmode <002ABA>
__set_app_type <002AC8>
_cexit <002ADA>
_iob <002AE4>
_onexit <002AEC>
_setmode <002AF6>
_winmajor <002B02>
abort <002B0E>
atexit <002B16>
calloc <002B20>
fclose <002B2A>
fopen <002B34>
fprintf <002B3C>
free <002B46>
fwrite <002B4E>
getc <002B58>
getenv <002B60>
memcpy <002B6A>
printf <002B74>
putchar <002B7E>
puts <002B88>
signal <002B90>
vfprintf <002B9A>
source code
the source code is here. i updated the analysis.c that i made in the last entry.
it's really dirty code, i know. i need to refactor it...
thunk
a thunk is the mechanism used to handle dynamic link libraries. it was difficult for me to understand, so i tried to illustrate it with figures.
i guess the reason this mechanism is used is so as not to limit the length of a dll file name, the length of a function name, or the number of functions.
IMAGE_IMPORT_DESCRIPTOR.Name looks like this. please see the figure, a hex dump of the PE file: Name is an RVA that points to the NUL-terminated dll name.
IMAGE_IMPORT_DESCRIPTOR.OriginalFirstThunk and IMAGE_IMPORT_DESCRIPTOR.FirstThunk look like this. on disk both point to a list of thunks that name the imported functions; the entries that IMAGE_IMPORT_DESCRIPTOR.FirstThunk points to are overwritten at load time with the addresses of the functions loaded from the dll. that is dynamic linking.
according to someone knowledgeable, IMAGE_IMPORT_DESCRIPTOR.OriginalFirstThunk would be used in case loading the dll fails or something...??
you can see more information about thunks in the workshop handout.
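as an added example (not the analysis.c from this post), here is a small C walker over a constructed import directory: it follows Name and OriginalFirstThunk the same way the tool does, falls back to FirstThunk when OriginalFirstThunk is 0, handles the ordinal flag, and refuses any RVA that leaves the section, which is the check you want before pointing a parser at an untrusted file. the section bytes, the section RVA 0x2000 and the function names inside are made up for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* constructed sample: raw bytes of one section holding the import directory, mapped at RVA 0x2000 (both made up). PE32 layout: 20-byte descriptors, 4-byte thunks, each list ends with an all-zero entry. */
#define SEC_VA 0x2000u
#define ORDINAL_FLAG32 0x80000000u   /* high bit set in a PE32 thunk => import by ordinal, no name to read */
static uint8_t sec[0xC0]; static char report[256];
static void put32(uint32_t off, uint32_t v) { for (int i = 0; i < 4; i++) sec[off + i] = (uint8_t)(v >> 8 * i); }
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
void build_sample(void) {
    memset(sec, 0, sizeof sec);
    put32(0x00, 0x2050); put32(0x0C, 0x2040); put32(0x10, 0x2060); /* desc[0]: OriginalFirstThunk, Name, FirstThunk */
    put32(0x14, 0x2070); put32(0x20, 0x2080); put32(0x24, 0x2078); /* desc[1]; desc[2] stays all-zero */
    memcpy(sec + 0x40, "KERNEL32.dll", 13);
    put32(0x50, 0x2090); put32(0x54, 0x20A0);          /* OriginalFirstThunk list: RVAs of hint+name entries */
    put32(0x60, 0x2090); put32(0x64, 0x20A0);          /* FirstThunk list: same on disk, patched with addresses at load */
    put32(0x70, 0x8000002A); put32(0x78, 0x8000002A);  /* msvcrt.dll imports ordinal 42, so there is no name */
    memcpy(sec + 0x80, "msvcrt.dll", 11);
    memcpy(sec + 0x92, "ExitProcess", 12);             /* IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name */
    sec[0xA0] = 1; memcpy(sec + 0xA2, "GetProcAddress", 15);
}
/* RVA -> pointer into the section; anything outside it is refused (the file is untrusted input) */
static const uint8_t *at(uint32_t rva, uint32_t need) {
    return (rva < SEC_VA || rva - SEC_VA > sizeof sec - need) ? NULL : sec + (rva - SEC_VA);
}
static const char *str_at(uint32_t rva) {              /* a name must be NUL-terminated inside the section */
    const uint8_t *p = at(rva, 1);
    return (p && memchr(p, 0, sec + sizeof sec - p)) ? (const char *)p : NULL;
}
#define EMIT(...) do { if (pos >= outlen) return -1; pos += snprintf(out + pos, outlen - pos, __VA_ARGS__); } while (0) /* bounded append; uses pos/out/outlen of the caller */
/* walks the descriptor table at dir_rva, writing one "dll fn fn\n" line per DLL into out; returns the number of imported functions, or -1 if the table is malformed or out is too small */
int list_imports(uint32_t dir_rva, char *out, size_t outlen) {
    size_t pos = 0; int n = 0;
    for (uint32_t d = dir_rva;; d += 20) {
        const uint8_t *desc = at(d, 20); if (!desc) return -1;
        uint32_t oft = rd32(desc), name = rd32(desc + 12), ft = rd32(desc + 16);
        if (!oft && !name && !ft) break;                 /* all-zero descriptor ends the table */
        const char *dll = str_at(name); if (!dll) return -1; EMIT("%s", dll);
        for (uint32_t t = oft ? oft : ft;; t += 4, n++) { /* OriginalFirstThunk, or FirstThunk when it is 0; n++ is skipped on break */
            const uint8_t *th = at(t, 4); if (!th) return -1;
            uint32_t v = rd32(th); if (!v) break;        /* zero thunk ends this DLL's list */
            if (v & ORDINAL_FLAG32) EMIT(" #%u", v & 0xFFFFu);
            else { const char *fn = str_at(v + 2); if (!fn) return -1; EMIT(" %s", fn); }  /* +2 skips the hint */
        }
        EMIT("\n");
    }
    return pos < outlen ? n : -1;
}
int demo(void) { build_sample(); return list_imports(0x2000, report, sizeof report); }
int main(void) { int n = demo(); printf("%d functions\n%s", n, report); return n < 0; }
```

on the real file the same walk needs the RVA to file-offset conversion the tool prints in brackets (e.g. 703C [283C]) done per section header rather than the single fixed section assumed here.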
conclusion
i think i somehow did understand the thunk mechanism. it was hard for me, but making the tool helped me to understand it.