EXE Jump Tables

[BlackVortex]

BlackVortex,

There is a trick to it, read the documentation for the macro, look at how its written and if you don't like it, improve it.

Touche   

But I don't really need it, using procs is enough for me. The last thing I need is more red tape.

[Vortex]

Hi BlackVortex,

This document from MS can help you :

MASM Programmer's Guide - Chapter Nine: Using Macros

[dedndave]

the Relat routine fixes INVOKE CALLs to always be relative
it has been adapted to work with the "Vortex" method, as well

        INCLUDE   \masm32\include\masm32rt.inc

        EXTERNDEF _imp__GetCurrentProcess@0:PTR pr0

        .CODE

;-----------------------------------------------------------------------------

_main   PROC

;modify the addresses

        mov     esi,offset LabelA
        call    Relat

        mov     esi,offset LabelB
        call    Relat

;test the functions after modification

        call    Test1

        exit

_main   ENDP

;-----------------------------------------------------------------------------

Test1   PROC

        INVOKE  GetCurrentProcess
LabelA  label   dword

        print   uhex$(eax),13,10

        INVOKE  _imp__GetCurrentProcess@0
LabelB  label   dword

        print   uhex$(eax),13,10
        ret

Test1   ENDP

;-----------------------------------------------------------------------------

Relat   PROC

;Adjust the CALL address of an INVOKE to eliminate the IAT JMP

;Call With: ESI = address of code just after the INVOKE

;  Returns: modifies the address of the INVOKE

        sub     esi,6
        push    esi
        sub     esp,4
        INVOKE  VirtualProtect,
                esi,
                6,
                PAGE_EXECUTE_READWRITE,
                esp
        pop     edx
        pop     esi
        or      eax,eax
        jz      Relat3

        cld
        lodsw
        cmp     ah,0E8h
        jz      Relat0

        cmp     ax,15FFh
        lodsd
        jnz     Relat2

        mov word ptr [esi-6],0E890h
        jmp short Relat1

Relat0: lodsd
        add     eax,esi
        push    esi
        xchg    eax,esi
        lodsw
        cmp     ax,25FFh
        lodsd
        pop     esi
        jnz     Relat2

Relat1: mov     eax,[eax]
        sub     eax,esi
        mov     [esi-4],eax

Relat2: sub     esi,6
        sub     esp,4
        INVOKE  VirtualProtect,
                esi,
                6,
                edx,
                esp
        add     esp,4

Relat3: ret

Relat   ENDP

;-----------------------------------------------------------------------------

        END     _main

[dedndave]

Before modification:
      INVOKE GetCurrentProcess
Address: 00401419 Code: E8 000001FA     CALL           00401618
Address: 00401618 Code: FF 25 00402000  JMP  DWord Ptr [00402000]
Address: 00402000 Data: 7C80E00D

      INVOKE _imp__GetCurrentProcess@0
Address: 00401447 Code: FF 15 00402000  CALL DWord Ptr [00402000]
Address: 00402000 Data: 7C80E00D


 After modification:
      INVOKE GetCurrentProcess
Address: 00401419 Code: E8 7C40CBEF     CALL           7C80E00D

      INVOKE _imp__GetCurrentProcess@0
Address: 00401447 Code: 90              NOP
Address: 00401448 Code: E8 7C40CBC0     CALL           7C80E00D


Function Test Results:
        GetCurrentProcess: FFFFFFFF
_imp__GetCurrentProcess@0: FFFFFFFF

i must be the only one that thinks this is cool as hell - lol

[attachment deleted by admin]