I am testing an assembly program that is compiled by flatassembler, and it needs to modify the import table, so when I run objdump I can see which external functions the program is trying to call.
So, I start off with:
format PE GUI
section '.flat' readable writeable executable
It is calling some functions in MS dlls, but the import table is wrong.
Here is a simple part showing how I am including two dlls and a function:
;user32
_MessageBoxA dw $0
db 'MessageBoxA', $0
kernel32_name db 'kernel32.dll', $0
user32_name db 'user32.dll', $0
What must be done in an assembly program to have the external functions show up in the import table?
The import table is a 0-terminated array of import descriptors, the Import Directory fields in the Data Directories of the header points to the first item.
struct ImportDescriptor // size = 20 bytes
{
dword ILTRVA; // RVA to Import Lookup Table
dword Timestamp; // you can usually ignore
dword ForwarderChain; // these two
dword DllNameRVA; // RVA to 0-terminated dll name
dword IATRVA // RVA to Import Address Table
}
The ILT and IAT should be different locations but copies of each other (not necessarily, but that's a normal thing to do). The IAT is the one that will hold the pointers to imported functions. They're both 0-terminated arrays of RVA's to function names. The function names consist of a "hint" word and a 0-terminated ascii string. The hint word can be zero, or the actual index of that function in the export table of the DLL it's from, or some random value, it's just a hint.