Introduction to reverse debugging PE structure input table output table 05/07

Input table

Input function , Indicates that it is called by a program, but its code is not in the program code , And in the dll The function in . For these functions , The executable file on the disk just keeps the relevant function information , Such as function name ,dll File name, etc. . Before the program runs , The program does not save the address of these functions in memory . When the program runs ,windows The loader will put the relevant dll Load memory , And connect the instruction of the input function with the address of the function in memory . Input table （ The import table ） It is used to save the information of these functions .

Structure

      
      

       
       typedef struct _IMAGE_IMPORT_DESCRIPTOR {
       
       
  _ANONYMOUS_UNION union {              //00h
       
       
    DWORD Characteristics;
       
       
    DWORD OriginalFirstThunk; 
       
       
  } DUMMYUNIONNAME;
       
       
  DWORD TimeDateStamp;                  //04h
       
       
  DWORD ForwarderChain;                 //08h
       
       
  DWORD Name;                           //0Ch
       
       
  DWORD FirstThunk;                     //10h
       
       
} IMAGE_IMPORT_DESCRIPTOR,*PIMAGE_IMPORT_DESCRIPTOR;
      
      
      
      

       
       
1.
       
       
2.
       
       
3.
       
       
4.
       
       
5.
       
       
6.
       
       
7.
       
       
8.
       
       
9.
       
       
10.
      
      

      
      

       
       typedef struct _IMAGE_THUNK_DATA32 {
       
       
  union {
       
       
    DWORD ForwarderString;
       
       
    DWORD Function;
       
       
    DWORD Ordinal;
       
       
    DWORD AddressOfData;
       
       
  } u1;
       
       
} IMAGE_THUNK_DATA32,*PIMAGE_THUNK_DATA32;
      
      
      
      

       
       
1.
       
       
2.
       
       
3.
       
       
4.
       
       
5.
       
       
6.
       
       
7.
       
       
8.
      
      

The functions of the two structures are the same , All for the convenience of finding DLL Function of .

IMT Is the location of the file on the disk

IAT Is the location pointed to by the file after it is loaded into memory

We use Stud_PE To view the

Program hello Its function is to pop up a dialog box

Therefore, we judge that MessagesBox

Use this tool to open a copy of the program

In the head of the file , You can view the information of the input table

We turn on “ stay 16 View file header tree in hexadecimal editor ”

Let's check the directory of data

You can see the location of the input table in the file

There are two arrays , Two functions , the reason being that 8 Bytes

stay 282acH in

Let's use OD Conduct case analysis

We are going to have a hello file

The function of this program is to pop up a dialog box .

We use OD Software debugging program

stay call Problem found in function

Found out MessageBoxA

F7 Get into

Found at the highland site messageBoxtimeoutA

Then we can know , The previous paragraph is all about this function .

Export table

The structure of the exported table is relatively simple .