> -----Original Message-----
> > From: Ralf Habacker [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, April 26, 2002 12:09 AM
> >
> > Any comments ?
>
> Looks reasonable to me (on first glances). I'll try and have a closer
> look this weekend if no-one else does.

Perhaps it helps, if I tell some details of this topic.

At first the basics are described in http://msdn.microsoft.com/msdnmag/issues/02/03/PE2/PE2.asp. See the chapter "The import sections".

Normally the image_import_descriptor and the Image Address Table (IAT) identified by "first_thunk" are located behind the text segment and idx2 is positive.

On an auto-import image descriptor the main difference is, that the first_thunk does not point to the import address table (IAT), instead it points to an address in the text segment where the opcode reads or writes the (auto-imported) data values. This lets idx2 be negative, which I have used for the decision.

pe_print_idata (abfd, vfile)
<snip>
  adj = section->vma - extra->ImageBase;
                              0x00400000
<snip>
  hint_addr = bfd_get_32 (abfd, data + i + dataoff);
  time_stamp = bfd_get_32 (abfd, data + i + 4 + dataoff);
  forward_chain = bfd_get_32 (abfd, data + i + 8 + dataoff);
  dll_name = bfd_get_32 (abfd, data + i + 12 + dataoff);
  first_thunk = bfd_get_32 (abfd, data + i + 16 + dataoff);
<snip>
  if (hint_addr != first_thunk && time_stamp == 0)
    {
      int differ = 0;
      int idx2;

      idx2 = first_thunk - adj;

      /* indicates that first_thunk points to a data reference in the text segment (auto-import) */
      if (idx2 < 0)
        {
          fprintf (file, _("\tThe Import Address Table isn't identical (auto-import descriptor)\n"));
          differ = 1;
        }
      else
        for (j = 0; j < datasize; j += 4)

Regards
Ralf
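
The check described in the message above, as an added example (not part of Ralf's patch or of binutils): a bounds-checked walk over a raw import descriptor array that counts entries whose first_thunk RVA lies below the RVA of the section holding the import data. The function name, the sample bytes and the RVA values are constructed for illustration, and the code compares the unsigned RVAs directly instead of testing the sign of a difference.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DESC_SIZE 20u   /* bytes in one import descriptor */

/* PE fields are little-endian; read one 32-bit value. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Count descriptors whose first_thunk RVA lies below sec_rva ("adj" in the
 * message). Returns -1 if no all-zero terminator is found inside the buffer. */
int count_auto_import(const uint8_t *data, size_t size, uint32_t sec_rva)
{
    int hits = 0;
    for (size_t i = 0; size - i >= DESC_SIZE; i += DESC_SIZE) {
        const uint8_t *d = data + i;
        uint32_t hint_addr = rd32(d), time_stamp = rd32(d + 4);
        uint32_t dll_name = rd32(d + 12), first_thunk = rd32(d + 16);

        if (!hint_addr && !time_stamp && !rd32(d + 8) && !dll_name && !first_thunk)
            return hits;                    /* terminating null descriptor */
        /* Same guard as the message; unsigned compare replaces idx2 < 0. */
        if (hint_addr != first_thunk && time_stamp == 0 && first_thunk < sec_rva)
            hits++;
    }
    return -1;                              /* truncated or unterminated table */
}

/* Constructed sample: import section at RVA 0x5000, one ordinary descriptor,
 * one with first_thunk in a lower section (0x1234), then the terminator
 * (the remaining 20 bytes of the array are zero-initialised). */
static const uint8_t sample[60] = {
    0x28,0x50,0,0, 0,0,0,0, 0,0,0,0, 0x00,0x51,0,0, 0x60,0x50,0,0,
    0x40,0x50,0,0, 0,0,0,0, 0,0,0,0, 0x10,0x51,0,0, 0x34,0x12,0,0,
};

int main(void)
{
    printf("auto-import descriptors: %d\n",
           count_auto_import(sample, sizeof sample, 0x5000));
    return 0;
}
```

When triaging an unfamiliar PE file, a descriptor flagged this way means the loader will write into the location first_thunk names, so it is worth checking which section that RVA falls in and whether that section is writable.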