Mail Archives: cygwin-apps/2002/04/25/13:31:28
> -----Original Message-----
> > From: Ralf Habacker [mailto:Ralf DOT Habacker AT freenet DOT de]
> > Sent: Friday, April 26, 2002 12:09 AM
> >
> > Any comments ?
>
> Looks reasonable to me (on first glances). I'll try and have a closer
> look this weekend if no-one else does.
Perhaps it helps, if I tell some details of this topic. At first the basics are
described in http://msdn.microsoft.com/msdnmag/issues/02/03/PE2/PE2.asp. See
the chapter "The import sections"
Normally the image_import_descriptor and the Image Adress Table (IAT) identifed
by "first_thunk" are located behind the text segment and idx2 is positive.
On a auto-import image descriptor the main difference is, that the first_thunk
does not point to the import address table (IAT), instead it points to an adress
in the text segment where the opcode reads or write the (auto-imported) data
values. This let idx2 be negative, which I have used for decision.
pe_print_idata (abfd, vfile)
<snip>
adj = section->vma - extra->ImageBase;
0x00400000
<snip>
hint_addr = bfd_get_32 (abfd, data + i + dataoff);
time_stamp = bfd_get_32 (abfd, data + i + 4 + dataoff);
forward_chain = bfd_get_32 (abfd, data + i + 8 + dataoff);
dll_name = bfd_get_32 (abfd, data + i + 12 + dataoff);
first_thunk = bfd_get_32 (abfd, data + i + 16 + dataoff);
<snip>
if (hint_addr != first_thunk && time_stamp == 0)
{
int differ = 0;
int idx2;
idx2 = first_thunk - adj;
/* indicates that first_thunk points to an
data reference in the text segment (auto-import) */
if (idx2 < 0)
{
fprintf (file,
_("\tThe Import Address Table isn't identical (auto-import
descriptor)\n"));
differ = 1;
}
else for (j = 0; j < datasize; j += 4)
Regards
Ralf
- Raw text -