So in order to parse the IAT table inside the memory of a PE process and get the names of imported functions, we have to iterate over the functions of each module, and for each of them use thunkData->u1.AddressOfData + 2 to get to the start of the function name string (I don't want to start explaining what these pointers are because I assume anyone who knows the answer to this already knows this, and u1 is a predefined structure that Windows has and it always has AddressOfData in it).
So basically for every function inside the IAT, we have to use u1.AddressOfData + 2 to get the address of the start of the string, but I don't get what the first 2 bytes of it are. Microsoft's documents don't explain this:
https://learn.microsoft.com/en-us/windows/win32/debug/pe-format
(look for Delay Import Name Table)
I tried debugging it and looking at what the value at the beginning of them is, and they were things like 0x8600 and 0xe700, so usually 1 byte of data and one byte of 00.
So what is this?
In the IMAGE_THUNK_DATA structure, if the function address is not yet resolved and the function is not snapped by ordinal, AddressOfData points to a PIMAGE_IMPORT_BY_NAME (this is visible if you look in winnt.h and/or ntimage.h):

```c
typedef struct _IMAGE_IMPORT_BY_NAME {
    USHORT Hint;
    CHAR   Name[1];
} IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME;
```

The first 2 bytes before the name are the Hint: an index into AddressOfNames, the exported names table (look for IMAGE_EXPORT_DIRECTORY). This table of names is sorted in alphabetical order for a fast binary search of a function by name. The Hint is used for a fast check before dropping into the binary search. How it is used we can see in the WRK source code:
```c
//
// Lookup Name in NameTable
//
NameTableBase = (PULONG)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfNames);
NameOrdinalTableBase = (PUSHORT)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfNameOrdinals);

//
// Before dropping into binary search, see if
// the hint index results in a successful
// match. If the hint index is zero, then
// drop into binary search.
//
HintIndex = ((PIMAGE_IMPORT_BY_NAME)NameThunk->u1.AddressOfData)->Hint;
if ((ULONG)HintIndex < ExportDirectory->NumberOfNames &&
    !strcmp((PSZ)((PIMAGE_IMPORT_BY_NAME)NameThunk->u1.AddressOfData)->Name,
            (PSZ)((PCHAR)DllBase + NameTableBase[HintIndex]))) {
    OrdinalNumber = NameOrdinalTableBase[HintIndex];
}
else {
    //
    // Lookup the import name in the name table using a binary search.
    //
```
However, this index usually can be valid only in system images. If we build an image ourselves, in the best case this Hint can be valid only for one Windows version (we got the Hint from the lib file); when a new Windows version is created, usually new export APIs are added, and because the table is sorted alphabetically, the indexes can change.
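To make the Hint-then-binary-search logic concrete, here is an added, portable C example (not from the answer or from the WRK) that reads the 2-byte Hint and the name from the bytes u1.AddressOfData points to and resolves them against a constructed, already-RVA-resolved export name table; the kNames/kNameOrdinals tables and the ordinal values are made up for illustration, and the struct is re-declared locally so it compiles off Windows.

```c
#include <stdint.h>
#include <string.h>

/* Same layout as IMAGE_IMPORT_BY_NAME in winnt.h: 2-byte Hint, then the name. */
typedef struct { uint16_t Hint; char Name[1]; } IMAGE_IMPORT_BY_NAME;

/* Constructed stand-in for AddressOfNames / AddressOfNameOrdinals with the
   RVAs already resolved to pointers. Names must be sorted alphabetically,
   exactly as the loader's binary search requires. */
static const char    *kNames[]        = { "CloseHandle", "CreateFileW", "ReadFile", "WriteFile" };
static const uint16_t kNameOrdinals[] = { 7, 12, 30, 41 };
#define NUM_NAMES ((int)(sizeof kNames / sizeof kNames[0]))

/* Write a hint/name entry into buf the way it sits in the image: Hint, then
   the NUL-terminated name. Returns what u1.AddressOfData would point to. */
const unsigned char *make_import(unsigned char *buf, uint16_t hint, const char *name) {
    memcpy(buf, &hint, sizeof hint);
    strcpy((char *)buf + sizeof hint, name);
    return buf;
}

/* Resolve a by-name import to its export ordinal the way the loader does:
   try the Hint slot first, otherwise binary-search the sorted name table.
   *used_hint is set to 1 when the fast path matched. Returns -1 if the name
   is not exported at all. */
int resolve_ordinal(const unsigned char *addr_of_data, int *used_hint) {
    uint16_t hint;
    memcpy(&hint, addr_of_data, sizeof hint);           /* the "first 2 bytes" */
    const char *name = (const char *)addr_of_data + 2;  /* AddressOfData + 2 */
    *used_hint = 0;

    /* Fast check: a stale Hint (e.g. built against another Windows version)
       simply fails the strcmp and falls through to the search. */
    if (hint < NUM_NAMES && strcmp(name, kNames[hint]) == 0) {
        *used_hint = 1;
        return kNameOrdinals[hint];
    }

    int lo = 0, hi = NUM_NAMES - 1;
    while (lo <= hi) {
        int mid = lo + (hi - lo) / 2;
        int c = strcmp(name, kNames[mid]);
        if (c == 0) return kNameOrdinals[mid];
        if (c < 0) hi = mid - 1; else lo = mid + 1;
    }
    return -1;
}
```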