Hidden Import Symbols in Explorer.exe, Notepad.exe, and others...?


Problem description


Poking around in a number of native Windows 7 assemblies using PEStudio 3.69, I was surprised to find no imported methods among several native assemblies, like Explorer.exe, notepad.exe, and others. Each referenced a lot of libraries, but no specific methods. I find that very unusual. Under the "Indicators" tab in PEStudio, "The number of imported Symbols is too small" is highlighted when "Show All" items is enabled. However, when I use PEStudio 5.50, a few imported symbols/methods are found for Explorer.exe, but most of the imported libraries still have 0 symbols imported.

If a native assembly doesn't put import symbols (methods referenced from other libraries) in the import table of the PE header, how does the loader know where to find them, and where are these symbols being stored? More importantly, how do you compile native assemblies in this manner?

I know you can compile using a .def file to import by ordinal to hide the method name, but still, there should be a pointer referencing the method in the import table. Could the import table be relocated in a different PE section, OR is there something else going on, like a PE flag or security feature such as Address Space Layout Randomization (ASLR) at work?

Recommended answer

How hidden? I just tested with notepad.exe:
    dumpbin %windir%\notepad.exe /imports

Part of output:

File Type: EXECUTABLE IMAGE

  Section contains the following imports:

    ADVAPI32.dll
             10000C000 Import Address Table
             10000D1E8 Import Name Table
              FFFFFFFF time date stamp
              FFFFFFFF Index of first forwarder reference

           7FF7FF21ED0   27E RegSetValueExW
           7FF7FF2C2D0   26E RegQueryValueExW
           7FF7FF21F00   23C RegCreateKeyW
           7FF7FF30710   230 RegCloseKey
           7FF7FF306F0   261 RegOpenKeyExW
           7FF7FF30720   180 IsTextUnicode
           7FF7FF27E04    57 CloseServiceHandle
           7FF7FF1C2A8   1F9 OpenSCManagerW
           7FF7FF1C2C0   1FB OpenServiceW
           7FF7FF1C6FC   224 QueryServiceConfigW

    KERNEL32.dll
             10000C058 Import Address Table
             10000D240 Import Name Table
              FFFFFFFF time date stamp
              FFFFFFFF Index of first forwarder reference

              78D2CF20   209 GetLocalTime
              78D2D3F0   1CF GetDateFormatW
              ...
              ...

So far I don't see anything.



-SA
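As an added illustration that is not part of the original answer: a small stdlib-only Python import-table walker (my own code, not from PEStudio or dumpbin) that reads the import directory the way the loader does, via DataDirectory[1] of the optional header, so it finds the table whatever section holds it and shows ordinal-only imports, which carry no name anywhere in the file. It runs on a constructed minimal PE32+ built by build_sample_pe(); it does not cover delay-load or bound imports, and you can pass the bytes of a real notepad.exe to parse_imports to compare with the dumpbin listing above.

```python
import struct

def rva_to_off(sections, rva):
    # Loader follows the RVA from the data directory, not a section name.
    for vsize, va, rawsize, raw in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA %#x is not backed by any section" % rva)

def parse_imports(data):
    """Return {dll: [symbol, ...]} by walking DataDirectory[1] -> descriptors -> thunks."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                          # e_lfanew
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B                 # PE32+ vs PE32
    imp_rva = struct.unpack_from("<I", data, opt + (0x70 if is64 else 0x60) + 8)[0]
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    fmt, flag = ("<Q", 1 << 63) if is64 else ("<I", 1 << 31)
    cstr = lambda off: data[off:data.index(b"\0", off)].decode("ascii")
    result, off = {}, rva_to_off(sections, imp_rva) if imp_rva else 0  # 0: no import directory
    while off:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, off)
        if name_rva == 0 and ft == 0:                       # all-zero descriptor ends the table
            break
        syms, toff = [], rva_to_off(sections, oft or ft)     # INT, or the IAT if there is no INT
        thunk = struct.unpack_from(fmt, data, toff)[0]
        while thunk:
            if thunk & flag:                                 # by ordinal: no name in the file
                syms.append("ordinal %d" % (thunk & 0xFFFF))
            else:                                            # IMAGE_IMPORT_BY_NAME: hint, name
                syms.append(cstr(rva_to_off(sections, thunk) + 2))
            toff += struct.calcsize(fmt)
            thunk = struct.unpack_from(fmt, data, toff)[0]
        result[cstr(rva_to_off(sections, name_rva))] = syms
        off += 20
    return result

def build_sample_pe():
    """Constructed minimal PE32+ (not a real Windows file): one section at RVA
    0x1000 holding an import table with one import by name and one by ordinal."""
    rva, raw = 0x1000, 0x200
    thunks = struct.pack("<QQQ", rva + 0x68, (1 << 63) | 0x230, 0)   # name, ordinal, end
    body = struct.pack("<5I", rva + 0x28, 0, 0, rva + 0x58, rva + 0x40) + bytes(20)
    body += thunks + thunks + b"KERNEL32.dll".ljust(16, b"\0") + struct.pack("<H", 0x209) + b"GetLocalTime\0"
    opt = struct.pack("<H", 0x20B).ljust(0x6C, b"\0") + struct.pack("<I", 16) + bytes(8)
    opt += struct.pack("<II", rva, 0x28)                              # DataDirectory[1] = imports
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22) + opt.ljust(0xF0, b"\0")
    hdr += b".rdata".ljust(8, b"\0") + struct.pack("<IIII", 0x200, rva, 0x200, raw)
    return hdr.ljust(raw, b"\0") + body.ljust(0x200, b"\0")
```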

