
Potential issue of accessing random memory address #5

Open
anr2me opened this issue Sep 21, 2023 · 2 comments

Comments

@anr2me

anr2me commented Sep 21, 2023

As there are 2 ways to import functions, either by ordinal or by name, we should ensure that the function is imported by name before comparing the name, since treating the Hint as an RVA could potentially lead to some random memory address when trying to compare the name.

I changed this line:

// The import name table is a null terminated array, so iterate until we either found it or reach the null termination
while (ImportNameTable->u1.AddressOfData != 0)

With this line, using an existing macro to check the MSB:

// The import name table is a null terminated array, so iterate until we either found it or reach the null termination
// Note: If the MSB is set the function is imported by using Ordinal/Hint instead of Name (the Hint value is the lowest WORD), otherwise it's an RVA to a IMAGE_IMPORT_BY_NAME structure
while ((ImportNameTable->u1.AddressOfData != 0) && (!IMAGE_SNAP_BY_ORDINAL(ImportNameTable->u1.Ordinal)))

PS: u1.AddressOfData and u1.Ordinal are the same thing as they're a union, but I'm using Ordinal just because the argument name on the macro is also called Ordinal.

@pampersrocker
Owner

Question is, are the imports from a DLL mutually exclusive by name or by ordinal? Or in other words, should the iteration continue after one import by ordinal has been found from a DLL?
It probably should be more like this?:

// The import name table is a null terminated array, so iterate until we either found it or reach the null termination
// Note: If the MSB is set the function is imported by using Ordinal/Hint instead of Name (the Hint value is the lowest WORD), otherwise it's an RVA to a IMAGE_IMPORT_BY_NAME structure
while (ImportNameTable->u1.AddressOfData != 0) {
    if (!IMAGE_SNAP_BY_ORDINAL(ImportNameTable->u1.Ordinal))
    {
        // ...
    }
    ++ImportNameTable;
}

@anr2me
Author

anr2me commented Sep 21, 2023

You're right, since each array element in ImportNameTable can be either ordinal or RVA it should continue.
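The walk the two of you settled on, written out as a stand-alone example (added here; it is not code from this repository or from either commenter). It redefines the 32-bit winnt.h macros IMAGE_ORDINAL_FLAG32 / IMAGE_SNAP_BY_ORDINAL32 so it builds on any platform, and uses a constructed in-memory "module" whose RVAs index into a byte array; the function names build_image, build_malformed_image, find_import_by_name and find_import_by_ordinal are this example's own. Ordinal entries are skipped but the iteration continues, and every by-name RVA is bounds-checked against the image before it is dereferenced, which is what stops a hint value (or a corrupt table) from being read as a pointer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Subset of winnt.h, redefined so the example builds on any platform.
 * 32-bit thunks: the MSB marks an ordinal import; the 64-bit variant uses bit 63. */
#define IMAGE_ORDINAL_FLAG32 0x80000000u
#define IMAGE_SNAP_BY_ORDINAL32(Ordinal) (((Ordinal) & IMAGE_ORDINAL_FLAG32) != 0)
#define IMAGE_ORDINAL32(Ordinal) ((Ordinal) & 0xffffu)

#define IMAGE_SIZE 0x40
static uint8_t g_image[IMAGE_SIZE]; /* constructed fake module; RVAs index into it */

static void put32(uint8_t *img, size_t off, uint32_t v) {
    img[off] = v & 0xff; img[off + 1] = (v >> 8) & 0xff;
    img[off + 2] = (v >> 16) & 0xff; img[off + 3] = (v >> 24) & 0xff;
}
static uint32_t get32(const uint8_t *img, size_t off) {
    return (uint32_t)img[off] | (uint32_t)img[off + 1] << 8 |
           (uint32_t)img[off + 2] << 16 | (uint32_t)img[off + 3] << 24;
}

/* Constructed sample layout (not taken from any real binary):
 *   0x00  Import Name Table: [name @0x20] [ordinal #7] [name @0x30] [0 terminator]
 *   0x20  IMAGE_IMPORT_BY_NAME { WORD Hint = 1; "CreateFileA" }
 *   0x30  IMAGE_IMPORT_BY_NAME { WORD Hint = 2; "ReadFile" }                      */
const uint8_t *build_image(void) {
    memset(g_image, 0, IMAGE_SIZE);
    put32(g_image, 0x00, 0x20);
    put32(g_image, 0x04, IMAGE_ORDINAL_FLAG32 | 7); /* low WORD is an ordinal, NOT an RVA */
    put32(g_image, 0x08, 0x30);
    put32(g_image, 0x0c, 0);
    g_image[0x20] = 1; memcpy(g_image + 0x22, "CreateFileA", 12);
    g_image[0x30] = 2; memcpy(g_image + 0x32, "ReadFile", 9);
    return g_image;
}

/* Same table, but the first by-name thunk carries an RVA outside the image. */
const uint8_t *build_malformed_image(void) {
    build_image();
    put32(g_image, 0x00, 0x1000);
    return g_image;
}

/* Walk the INT for an import called `name`. Returns the thunk index on success,
 * -1 if the table ends without a match, -2 if the table is malformed
 * (an RVA or a name would be read from outside the image). */
int find_import_by_name(const uint8_t *img, size_t img_size, const char *name) {
    for (size_t i = 0; (i + 1) * 4 <= img_size; i++) {
        uint32_t thunk = get32(img, i * 4);
        if (thunk == 0) return -1;                    /* null terminator reached */
        if (IMAGE_SNAP_BY_ORDINAL32(thunk)) continue; /* ordinal entry: nothing to compare, keep walking */
        /* By-name entry: thunk is an RVA to IMAGE_IMPORT_BY_NAME { WORD Hint; CHAR Name[]; } */
        if (thunk > img_size || img_size - thunk < 3) return -2; /* Hint WORD + at least a NUL */
        const char *entry_name = (const char *)img + thunk + 2;
        size_t room = img_size - thunk - 2;
        if (memchr(entry_name, '\0', room) == NULL) return -2;  /* unterminated name */
        if (strcmp(entry_name, name) == 0) return (int)i;
    }
    return -2; /* ran off the end of the image without seeing a terminator */
}

/* Same walk for an ordinal import; the low WORD of a flagged thunk is the ordinal. */
int find_import_by_ordinal(const uint8_t *img, size_t img_size, uint16_t ordinal) {
    for (size_t i = 0; (i + 1) * 4 <= img_size; i++) {
        uint32_t thunk = get32(img, i * 4);
        if (thunk == 0) return -1;
        if (IMAGE_SNAP_BY_ORDINAL32(thunk) && IMAGE_ORDINAL32(thunk) == ordinal) return (int)i;
    }
    return -2;
}

int main(void) {
    const uint8_t *img = build_image();
    printf("ReadFile   -> thunk %d\n", find_import_by_name(img, IMAGE_SIZE, "ReadFile"));
    printf("ordinal 7  -> thunk %d\n", find_import_by_ordinal(img, IMAGE_SIZE, 7));
    printf("malformed  -> %d\n", find_import_by_name(build_malformed_image(), IMAGE_SIZE, "ReadFile"));
    return 0;
}
```

"ReadFile" sits after the ordinal entry, so a loop that stopped at the first IMAGE_SNAP_BY_ORDINAL hit would never find it; with the check moved inside the loop it resolves to thunk index 2. The malformed case shows why the RVA is validated against the mapped size rather than trusted: 0x80000007 read as an RVA, or a corrupted table, lands outside the image, and the walk reports an error instead of dereferencing it.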
