1
votes

I have been messing around with the PE file structure in Assembly Language. I'm pretty sure I have gotten to the Import Section correctly. I am using this as a reference where each box is equal to 4 bytes:

+-------------------------+-------------------------+
|     RVA to a list of    |       DATE/TIME         |
| pointer to APIs names   |                         |  IMPORT DATA DIRECTORY
+-------------------------+-------------------------+          #1
| .DLL address (unused)   |     RVA to .DLL name    |
+-------------------------+-------------------------+
|RVA to API address list  | 
+-------------------------+

Ollydbg. Notice the value of eax on the right side (00402048), which is the value I looked up in the import section, and then look at the value of the highlighted instruction (00402000).

Ollydbg. Notice the value of eax on the right side (00402048) and then look at the address the highlighted call instruction is jumping to (00402000).

I attempted to call the first function from the (RVA to API address list), which is ExitProcess; however, when I tried issuing a call to the address, it caused my program to crash. When I debugged it with Ollydbg, I found out that the address when call ExitProcess was issued was different than the address I found in the list. In Ollydbg the address I found pointed to <&KERNEL32.ExitProcess> while the call ExitProcess pointed to <JMP.&KERNEL32.ExitProcess>. I have read somewhere about some kind of jmp stub. Is that what this is? How am I supposed to call the functions in the "RVA to API address list"?

I know this may be confusing. If you need more clarification let me know.

Here is the code:

extern printf
extern ExitProcess
global _start
section .code
_start:
    mov eax, [imagebase]
    mov esi, eax
    add eax, 3ch
    mov eax, DWORD [eax]
    add eax, esi; PE header pointer in eax
    add eax, 128; 24 for PE Optional Header offset and then 104 for import RVA
    mov ebx, DWORD [eax]
    add ebx, DWORD [imagebase]; ebx now has import section offset
    mov eax, DWORD [ebx+16]
    add eax, DWORD [imagebase]; has array offset
    mov ecx, ExitProcess
    push 0
    call ecx
    ;call eax
    ;jmp ecx
    ;call ExitProcess

imagebase: db 0,0,64,0; 0x00400000; This is right
1
A screenshot of the problem would help. - Jens Björnhager
Calling a function directly using an import table entry should not cause a problem. I suspect somewhere in your called function(s) must have returned without restoring a register, the stack, or an exception handler. You can test it by using CALL DWORD PTR [EAX] at the program entry point, where EAX is the address of the import table entry for ExitProcess. - Jay
Actually right now I just tried moving the address of ExitProcess into ecx and then call ecx. Looking with ollydbg I'm still getting the same address I did in the function pointer list and it isn't working. The only time it does work is when I do "call ExitProcess". I also tried just jumping to ecx instead. That didn't work either. - Hudson Worden

1 Answer

1
votes

It seems as though I had found the array but I never retrieved the value at that address. So I was trying to call the function at the address of the array, not at the first element of the array.

extern printf
extern ExitProcess
global _start
section .code
_start:
    mov eax, [imagebase]
    mov esi, eax
    add eax, 3ch
    mov eax, DWORD [eax]
    add eax, esi; PE header pointer in eax
    add eax, 128; 24 for PE Optional Header offset and then 104 for import RVA
    mov ebx, DWORD [eax]
    add ebx, DWORD [imagebase]; ebx now has import section offset
    mov eax, DWORD [ebx+16]
    add eax, DWORD [imagebase]; has array offset
    mov eax, [eax]; This is what I needed to do: load the first IAT entry (the API address itself), not the address of the entry
    push 0
    call eax

imagebase: db 0,0,64,0;
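As an added example (not code from the question or the answer), here is the same walk the assembly performs, done in Python over a constructed minimal PE32 image laid out as it would be in memory (RVA == offset, no section table translation): DOS header, e_lfanew at 0x3C, optional header 24 bytes past the PE signature, DataDirectory[1] at optional-header offset 104, then the import descriptors and their thunk arrays. It returns, per DLL, each imported name with the RVA of its IAT slot; the address to call is the value stored in that slot (the answer's `mov eax, [eax]`), not the slot's own address. The sample image, the DLL name and the two function names are constructed for the example.

```python
import struct


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")


def walk_imports(image):
    """Return {dll_name: [(function_name, iat_slot_rva), ...]} for a PE32 image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = _u32(image, 0x3C)                      # e_lfanew, the 'add eax, 3ch' step
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = pe + 24                               # 4-byte signature + 20-byte COFF header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (not PE32+) handled here")
    imp_rva = _u32(image, opt + 104)            # DataDirectory[1].VirtualAddress, the '+104'
    result, desc = {}, imp_rva
    while imp_rva:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<5I", image, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                               # all-zero descriptor terminates the list
        thunk, slot, funcs = (oft or ft), ft, []
        while True:                             # walk the INT; the IAT runs parallel to it
            entry = _u32(image, thunk)
            if entry == 0:
                break
            if entry & 0x80000000:
                funcs.append(("#%d" % (entry & 0xFFFF), slot))   # import by ordinal
            else:
                funcs.append((_cstr(image, entry + 2), slot))    # skip the 2-byte hint
            thunk, slot = thunk + 4, slot + 4
        result[_cstr(image, name_rva)] = funcs
        desc += 20
    return result


def build_sample_image():
    """Constructed minimal PE32 image importing two names from KERNEL32.dll."""
    img = bytearray(0x300)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                          # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF header
    struct.pack_into("<H", img, 0x98, 0x10B)                         # PE32 magic
    struct.pack_into("<II", img, 0x98 + 104, 0x200, 40)              # import directory RVA/size
    struct.pack_into("<5I", img, 0x200, 0x240, 0, 0, 0x260, 0x2A0)   # OFT, stamp, fwd, name, FT
    struct.pack_into("<3I", img, 0x240, 0x270, 0x280, 0)             # INT (hint/name RVAs)
    img[0x260:0x26D] = b"KERNEL32.dll\0"
    img[0x270:0x27E] = b"\0\0ExitProcess\0"
    img[0x280:0x28F] = b"\0\0GetStdHandle\0"
    struct.pack_into("<3I", img, 0x2A0, 0x270, 0x280, 0)             # IAT: unbound copy on disk
    return bytes(img)
```

On a file read from disk, each RVA first has to be mapped through the section table to a file offset, and the IAT slots only hold real API addresses once the loader has filled them in, which is why the asker only saw them in Ollydbg.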