Hidden Import Symbols in Explorer.exe, Notepad.exe, and others...?
Question
Poking around in a number of native Windows 7 assemblies using PEStudio 3.69, I was surprised to find no imported methods among several native assemblies, like Explorer.exe, notepad.exe, and others. Each referenced a lot of libraries, but no specific methods. I find that very unusual. Under the "Indicators" tab in PEStudio, "The number of imported Symbols is too small" is highlighted when "Show All" items is enabled. However, when I use PEStudio 5.50, a few imported symbols/methods are found for Explorer.exe, but most of the imported libraries still have 0 symbols imported.
If a native assembly doesn't put import symbols (methods referenced from other libraries) in the import table of the PE header, how does the loader know where to find them, and where are these symbols being stored? More importantly, how do you compile native assemblies in this manner?
I know you can compile using a .def file to import by ordinal to hide the method name, but still, there should be a pointer referencing the method in the import table. Could the import table be relocated in a different PE section, or is there something else going on, like a PE flag or a security feature such as Address Space Layout Randomization (ASLR) at work?
Recommended answer
How hidden? I just tested with notepad.exe:
dumpbin %windir%\notepad.exe /imports
Part of output:
File Type: EXECUTABLE IMAGE
Section contains the following imports:
ADVAPI32.dll
10000C000 Import Address Table
10000D1E8 Import Name Table
FFFFFFFF time date stamp
FFFFFFFF Index of first forwarder reference
7FF7FF21ED0 27E RegSetValueExW
7FF7FF2C2D0 26E RegQueryValueExW
7FF7FF21F00 23C RegCreateKeyW
7FF7FF30710 230 RegCloseKey
7FF7FF306F0 261 RegOpenKeyExW
7FF7FF30720 180 IsTextUnicode
7FF7FF27E04 57 CloseServiceHandle
7FF7FF1C2A8 1F9 OpenSCManagerW
7FF7FF1C2C0 1FB OpenServiceW
7FF7FF1C6FC 224 QueryServiceConfigW
KERNEL32.dll
10000C058 Import Address Table
10000D240 Import Name Table
FFFFFFFF time date stamp
FFFFFFFF Index of first forwarder reference
78D2CF20 209 GetLocalTime
78D2D3F0 1CF GetDateFormatW
...
...
So far I can't see anything hidden.
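The loader never looks at what a GUI tool chooses to display; it follows the import data directory in the optional header to an array of IMAGE_IMPORT_DESCRIPTOR entries and, for each DLL, walks the Import Name Table (OriginalFirstThunk) to find either a hint/name entry or an ordinal with the high thunk bit set. The script below is an added example, not code from the question or the answer above: it builds a constructed 64-bit PE image in memory (one .rdata section, two DLLs, names and hints chosen to echo the dumpbin listing, and one nameless import by ordinal 0x230 of the kind a .def export-by-ordinal build produces) and then parses it the same way dumpbin /imports does, translating RVAs through the section table. Everything in it is constructed sample data; nothing is read from the real notepad.exe.

```python
"""Walk a PE import directory the way the Windows loader and dumpbin /imports
do.  Added example with a constructed in-memory PE: one section, two DLLs, a
by-name import (hint/name entry) beside a by-ordinal import (no name on disk)."""
import struct

DIR_ENTRY_IMPORT = 1     # data-directory slot holding the import table
DESC_SIZE = 20           # sizeof(IMAGE_IMPORT_DESCRIPTOR)


def build_sample_pe():
    """Constructed PE32+: e_lfanew 0x80, one section at RVA 0x1000 / file 0x200."""
    rva, raw = 0x1000, 0x200
    sec = bytearray(0x200)

    def put(off, blob):
        sec[off:off + len(blob)] = blob

    put(0xA0, b"KERNEL32.dll\0")
    put(0xB0, b"ADVAPI32.dll\0")
    put(0xC0, struct.pack("<H", 0x209) + b"GetLocalTime\0")    # WORD hint + name
    put(0xD0, struct.pack("<H", 0x1CF) + b"GetDateFormatW\0")
    k32 = (rva + 0xC0, rva + 0xD0, 0)                 # INT == IAT on disk
    put(0x40, struct.pack("<3Q", *k32))               # KERNEL32 INT @ RVA 0x1040
    put(0x60, struct.pack("<3Q", *k32))               # KERNEL32 IAT @ RVA 0x1060
    adv = ((1 << 63) | 0x230, 0)                      # ordinal 0x230, no name at all
    put(0x80, struct.pack("<2Q", *adv))               # ADVAPI32 INT @ RVA 0x1080
    put(0x90, struct.pack("<2Q", *adv))               # ADVAPI32 IAT @ RVA 0x1090
    # descriptors: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name,
    # FirstThunk; the array is terminated by an all-zero entry
    put(0x00, struct.pack("<5I", rva + 0x40, 0, 0, rva + 0xA0, rva + 0x60)
            + struct.pack("<5I", rva + 0x80, 0, 0, rva + 0xB0, rva + 0x90)
            + bytes(DESC_SIZE))
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B) + bytes(106) + struct.pack("<I", 16)  # PE32+
    opt += bytes(8) + struct.pack("<II", rva, 3 * DESC_SIZE) + bytes(8 * 14)
    sect = struct.pack("<8s6IHHI", b".rdata", 0x200, rva, 0x200, raw, 0, 0, 0, 0, 0x40000040)
    hdr = bytearray(raw)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = struct.pack("<I", 0x80)
    hdr[0x80:0x80 + 304] = b"PE\0\0" + coff + opt + sect
    return bytes(hdr) + bytes(sec)


_u = struct.unpack_from


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def rva_to_offset(data, rva):
    """Translate an RVA to a file offset through the section table."""
    e_lfanew = _u("<I", data, 0x3C)[0]
    nsec, opt_size = _u("<H", data, e_lfanew + 6)[0], _u("<H", data, e_lfanew + 20)[0]
    tab = e_lfanew + 24 + opt_size
    for i in range(nsec):
        vsize, va, rsize, praw = _u("<4I", data, tab + 40 * i + 8)
        if va <= rva < va + max(vsize, rsize):
            return praw + rva - va
    raise ValueError(f"RVA {rva:#x} lies in no section")


def parse_imports(data):
    """Return {dll: [(hint_or_ordinal, name_or_None, iat_slot_rva), ...]}."""
    e_lfanew = _u("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24
    is64 = {0x20B: True, 0x10B: False}[_u("<H", data, opt)[0]]   # PE32+ vs PE32
    tfmt, tsize, ord_flag = ("<Q", 8, 1 << 63) if is64 else ("<I", 4, 1 << 31)
    ndirs_off, dd_off = (108, 112) if is64 else (92, 96)
    ndirs = _u("<I", data, opt + ndirs_off)[0]
    imp_rva = _u("<I", data, opt + dd_off + 8 * DIR_ENTRY_IMPORT)[0] if ndirs > 1 else 0
    if imp_rva == 0:
        return {}                                   # no import table at all
    imports, d = {}, rva_to_offset(data, imp_rva)
    while True:
        oft, _ts, _fwd, name_rva, ft = _u("<5I", data, d)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                                   # terminating null descriptor
        dll = _cstr(data, rva_to_offset(data, name_rva))
        # Resolve through the INT (OriginalFirstThunk); the loader writes the
        # results into the IAT (FirstThunk).  Images with OFT == 0 keep lookups in the IAT.
        lookup, entries, i = oft or ft, [], 0
        while True:
            thunk = _u(tfmt, data, rva_to_offset(data, lookup + i * tsize))[0]
            if thunk == 0:
                break
            slot = ft + i * tsize
            if thunk & ord_flag:                    # by ordinal: no name on disk
                entries.append((thunk & 0xFFFF, None, slot))
            else:                                   # by name: WORD hint + NUL string
                hn = rva_to_offset(data, thunk)
                entries.append((_u("<H", data, hn)[0], _cstr(data, hn + 2), slot))
            i += 1
        imports[dll] = entries
        d += DESC_SIZE
    return imports
```

Calling parse_imports(build_sample_pe()) yields the two KERNEL32 names with their hints and IAT slots, and for ADVAPI32 a single entry whose name is None and whose ordinal is 0x230: that is the only way a legitimately linked import loses its name, and the pointer the question expects is still there, in the thunk. Note the FFFFFFFF time date stamp in the dumpbin listing above: it marks a bound import, so the on-disk IAT (FirstThunk) already holds pre-resolved addresses rather than name RVAs, which is why the walker resolves through OriginalFirstThunk first; a tool that reads only the IAT of such a file would see addresses, not names.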