Heap Based Resolve of Imports
Issue #1
resolved
The following resolving of imports was observed in an executable.
mov edi, ds:GetProcAddress
push offset aNss_init ; "NSS_Init"
push dword ptr [esi+31Ch] ; hModule
call edi ; GetProcAddress
push offset aNss_shutdown ; "NSS_Shutdown"
push dword ptr [esi+31Ch] ; hModule
mov [esi+32Ch], eax
call edi ; GetProcAddress
push offset aPk11_getintern ; "PK11_GetInternalKeySlot"
push dword ptr [esi+31Ch] ; hModule
mov [esi+330h], eax
call edi ; GetProcAddress
push offset aPk11_freeslot ; "PK11_FreeSlot"
push dword ptr [esi+31Ch] ; hModule
mov [esi+334h], eax
The imported addresses were saved into a data structure. A nice feature would be to build a dictionary of these and be able to access them if needed.
Example: obj.dynIAT = { "[esi+32Ch]" : "NSS_Init", "[esi+330h]" : "NSS_Shutdown", "[esi+334h]" : "PK11_GetInternalKeySlot" }
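One way to build that dictionary from a text listing, as an added example that is not part of the original issue and not the project's own object: it tracks which register holds GetProcAddress, remembers the last pushed name string, and binds it to the slot where eax is saved after the call. The name `build_dyn_iat` and the regular expressions are assumptions, and it assumes IDA-style string comments and a return value in eax.

```python
import re

# The listing from the issue, as plain text (IDA-style comments kept).
LISTING = '''\
mov edi, ds:GetProcAddress
push offset aNss_init ; "NSS_Init"
push dword ptr [esi+31Ch] ; hModule
call edi ; GetProcAddress
push offset aNss_shutdown ; "NSS_Shutdown"
push dword ptr [esi+31Ch] ; hModule
mov [esi+32Ch], eax
call edi ; GetProcAddress
push offset aPk11_getintern ; "PK11_GetInternalKeySlot"
push dword ptr [esi+31Ch] ; hModule
mov [esi+330h], eax
call edi ; GetProcAddress
push offset aPk11_freeslot ; "PK11_FreeSlot"
push dword ptr [esi+31Ch] ; hModule
mov [esi+334h], eax
'''

RE_LOAD = re.compile(r'^mov\s+(\w+),\s*(?:ds:)?GetProcAddress\b')   # reg <- GetProcAddress
RE_PUSH = re.compile(r'^push\s+offset\s+\w+\s*;\s*"([^"]+)"')       # lpProcName string
RE_CALL = re.compile(r'^call\s+(?:ds:)?(\w+)')                      # call reg / call import
RE_SAVE = re.compile(r'^mov\s+(\[[^\]]+\]),\s*eax\b')               # result stored to slot

def build_dyn_iat(listing):
    """Map each '[reg+off]' slot to the import name whose address was saved there."""
    gpa_regs, dyn_iat = set(), {}
    pushed = in_eax = None   # name pushed for the next call / name whose address is in eax
    for raw in listing.splitlines():
        line = raw.strip()
        if m := RE_LOAD.match(line):
            gpa_regs.add(m.group(1).lower())
        elif m := RE_PUSH.match(line):
            pushed = m.group(1)
        elif m := RE_CALL.match(line):
            target = m.group(1)
            is_gpa = target.lower() in gpa_regs or target == "GetProcAddress"
            # Any other call clobbers eax, so the pending result is dropped.
            in_eax, pushed = (pushed if is_gpa else None), None
        elif (m := RE_SAVE.match(line)) and in_eax:
            dyn_iat[m.group(1).replace(" ", "")] = in_eax
            in_eax = None
    return dyn_iat

if __name__ == "__main__":
    print(build_dyn_iat(LISTING))
```

The store for one import appears after the pushes for the next one, which is why the pushed name and the name currently in eax are tracked separately; "PK11_FreeSlot" is left out because its call is not in the excerpt.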
Comments (2)
reporter -
reporter - changed status to resolved
Created an object that can be used when working with this style of imports
WTF was this from?
Mental note: Add the MD5 for sample examples...