hint in the _IMAGE_IMPORT_BY_NAME structure

[Mikl__]

When importing the "by name" function, the _IMAGE_IMPORT_BY_NAME structure is used

Code Select Expand

_IMAGE_IMPORT_BY_NAME STRUCT
     Hint DW ?
     Name_  DB ? DUP (?), 0; the name of the imported function, ASCIIZ string
     Pad DB ($ and 1) DUP (0); the length of the line is aligned to an even boundary of another 0
_IMAGE_IMPORT_BY_NAME ends
Hint ("MessageBoxA") = 0x1E2 = 482
Hint ("ExitProcess") = 0xBC = 188
Hint ("CreateWindowsExA") = 0x60 = 96
Hint ("DefWindowProcA") = 0x8E = 142
Hint ("GetMessageA") = 0x13C = 316
Hint is Hash("MessageBoxA")=?

• What is hint for?
• How is hint calculated?

[mabdelouahab]

What is hint for?

Hint contains the index into the export table of the DLL the function resides in. This field is for use by the PE loader so it can look up the function in the DLL's export table quickly.This value is not essential and some linkers may set the value in this field to 0.

From Import Table

How is hint calculated?

Code Select Expand


PCHAR       pThunk;
PCHAR       pHintName;
DWORD       dwAPIaddress;
PCHAR       pDllName;
PCHAR       pAPIName;
//----------------------------------------
DWORD dwImportDirectory= RVA2Offset(pImageBase, pimage_nt_headers->
    OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].
    VirtualAddress);
//----------------------------------------
PIMAGE_IMPORT_DESCRIPTOR pimage_import_descriptor= (PIMAGE_IMPORT_DESCRIPTOR)
                                                   (pImageBase+
                                                        dwImportDirectory);
//----------------------------------------
while(pimage_import_descriptor->Name!=0)
{
    pThunk= pImageBase+pimage_import_descriptor->FirstThunk;
    pHintName= pImageBase;
    if(pimage_import_descriptor->OriginalFirstThunk!=0)
    {
        pHintName+= RVA2Offset(pImageBase, pimage_import_descriptor->
            OriginalFirstThunk);
    }
    else
    {
        pHintName+= RVA2Offset(pImageBase, pimage_import_descriptor->
            FirstThunk);
    }
    pDllName= pImageBase + RVA2Offset(pImageBase, pimage_import_descriptor->
        Name);
    printf(" DLL Name: %s First Thunk: 0x%x", pDllName,
           pimage_import_descriptor->FirstThunk);
    PIMAGE_THUNK_DATA pimage_thunk_data= (PIMAGE_THUNK_DATA) pHintName;
    while(pimage_thunk_data->u1.AddressOfData!=0)
    {
        dwAPIaddress= pimage_thunk_data->u1.AddressOfData;
        if((dwAPIaddress&0x80000000)==0x80000000)
        {
            dwAPIaddress&= 0x7FFFFFFF;
            printf("Proccess: 0x%x", dwAPIaddress);
        }
        else
        {
            pAPIName= pImageBase+RVA2Offset(pImageBase, dwAPIaddress)+2;
            printf("Proccess: %s", pAPIName);
        }
        pThunk+= 4;
        pHintName+= 4;
        pimage_thunk_data++;
    }
    pimage_import_descriptor++;
}
from : https://www.codeproject.com/Articles/14360/WebControls/

[ragdog]

https://win32assembly.programminghorizon.com/pe-tut6.html

IMAGE_IMPORT_BY_NAME STRUCT
  Hint dw ?
  Name1 db ?
IMAGE_IMPORT_BY_NAME ENDS

Hint contains the index into the export table of the DLL the function resides in. This field is for use by the PE loader so it can look up the function in the DLL's export table quickly.This value is not essential and some linkers may set the value in this field to 0.
Name1 contains the name of the import function. The name is an ASCIIZ string. Note that Name1's size is defined as byte but it's really a variable-sized field. It's just that there is no way to represent a variable-sized field in a structure. The structure is provided so that you can refer to the data structure with descriptive names.

I hope it helps.

[Mikl__]

I created bat-file

Code Select Expand

%masm64%\bin\dumpbin.exe /EXPORTS %windir%\System32\user32.dll /OUT:user32.txtcontent of the user32.txt

Code Select Expand

Dump of file user32.dll

File Type: DLL

  Section contains the following exports for USER32.dll

    00000000 characteristics
    4CE799CD time date stamp Sat Nov 20 17:50:05 2010
        0.00 version
        1500 ordinal base
        1003 number of functions
         830 number of names

    ordinal hint RVA      name

       1502    0 000083C0 ActivateKeyboardLayout
       1503    1 0002AD40 AddClipboardFormatListener
       1504    2 000235B8 AdjustWindowRect
       1505    3 00017CE4 AdjustWindowRectEx
       1506    4 0007F30C AlignRects
       1507    5 00042164 AllowForegroundActivation
       1508    6 00007D80 AllowSetForegroundWindow
       1509    7 0001BFF0 AnimateWindow
       1510    8 0007A810 AnyPopup
       1511    9 0007D85C AppendMenuA
       1512    A 000136F4 AppendMenuW
       1513    B 00041B04 ArrangeIconicWindows
       1514    C 0000D240 AttachThreadInput
        .....
       2040  20F 00042974 MenuWindowProcA
       2041  210 00042908 MenuWindowProcW
       2042  211 0001E6F0 MessageBeep
       2043  212 000712B8 MessageBoxA
       2044  213 00071370 MessageBoxExA
       2045  214 00071394 MessageBoxExW
       .....The hint is an index value used to quickly find the import name. It is just an incrementing number. If the hint is correct and the index points to the named function then the import is found quickly. If the hint is incorrect and doesn't point to the named function then a slower search by string is used to find the import.
Ordinal = hint + 1502

[mineiro]

hello sir Mikl__;
maybe too later but Sven have done a peexport and a linker with public domain release and source coded with masm.

Code Select Expand

Some PE files, most notably some of the Windows NT core DLL.s, don.t export
their functions in a separate .edata section, as the Microsoft PE/COFF
specification 4.1 suggests. Instead, they include them in the .text
(KERNEL32.DLL, ADVAPI32.DLL) or .rdata (USER32.DLL) sections. To find the
exports anyway, PEexport examines the PE "Optional Header Data Directories"
at the end of the PE "Optional Header", where the relative virtual address
(RVA) of the export data is held. Then it loops through the "Section Table" to
identify the section where the data belongs to. This ensures that PEexport
always finds the exported function names, where ever they might be buried.

Search about "walk32_1.zip"

[Mikl__]

Boa noite, senhor mineiro!
Eu mostrei as funções que são importados de uma biblioteca de vínculo dinâmico user32.dll no windose Sete x64. Desculpe, mas o Inglês Eu sei piores Português. E o que é o "walk32_1.zip"?

[mineiro]

Senhor Mikhail suponho, bom dia;
Esse arquivo foi feito em 1996 durante a transição do windows 95 para o Nt.  O autor do livro windows não-documentado, Sven B. Schreiber analisou isto durante aquela passagem. Percebi que o senhor fez para arquivos PE+.
Naquele pacote estão código fonte de um vinculador e um analisador de funções exportadas de bibliotecas, porém feito para windows 32 bit.
Existe inclusive um jeito de não precisarmos de bibliotecas (.lib) se soubermos o endereço exato das funções carregadas na memória que chamamos em nosso programa, mas um usuário no fórum me alertou que a partir do windows vista isto não funciona. É uma soma de endereço preferível a ser carregada determinada dll com o endereço da função. Na hora de realizarmos uma chamada de função devemos subtrair o endereço que o atual programa (image base) foi carregado.
Os contras deste método é que é totalmente estático, com isto um programa feito em uma versão de determinada biblioteca não funciona em outra, em melhores palavras, o programa só funciona geralmente em nosso próprio computador.
abraços irmão russo

[Mikl__]

Muito obrigado pela explicação!
abraços irmão brasileiro

[newrobert]

if you know hint, then you need use by name and can use by index;

[Mikl__]

if you know hint, then you need use by name and can use by index;

hi, newrobert!
I am writing a small article and I am comparing:

• import by names
• import by ordinals
• delay import
• bound import "old style"
• bound import "new style"