Dereferencing Branches into the IAT

[dedndave]

some time ago, we were playing around with this stuff...
http://www.masm32.com/board/index.php?topic=11541.msg87615#msg87615

i wanted a more robust function for this, so i wrote one
it would be nice to verify that it works under different OS's

Code Select Expand

GetCurrentProcess results: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF

0040118A: E8 00000339
004011B5: E9 0000030E
004011E0: 0F84 000002E2
0040120C: FF25 00402004
00401233: FF15 00402004

************************** 14 branches dereferenced **************************

GetCurrentProcess results: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF

0040118A: E8 7C40CD06
004011B5: E9 7C40CCDB
004011E0: 0F84 7C40CCAF
0040120C: 90E9 7C40CC83
00401233: 90E8 7C40CC5C

it seems to work fine under XP, and probably will under win98 and win2K
it is vista and win7 that worries me   :P

EDIT: updated the attachment to correct an error 7-24-2011

[Bill Cravener]

Hi Dave, works just fine in Vista Home Premium on a IP D 2.8

GetCurrentProcess results: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF

0040118A: E8 00000339
004011B5: E9 0000030E
004011E0: 0F84 000002E2
0040120C: FF25 00402004
00401233: FF15 00402004

************************** 14 branches dereferenced **************************

GetCurrentProcess results: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF

0040118A: E8 7546B996
004011B5: E9 7546B96B
004011E0: 0F84 7546B93F
0040120C: 90E9 7546B913
00401233: 90E8 7546B8EC

Press any key to continue ...

[sinsi]

Win7 Pro x64 here

Code Select Expand


GetCurrentProcess results: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF

0040118A: E8 00000339
004011B5: E9 0000030E
004011E0: 0F84 000002E2
0040120C: FF25 00402004
00401233: FF15 00402004

************************** 14 branches dereferenced **************************

GetCurrentProcess results: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF

0040118A: E8 763E067A
004011B5: E9 763E064F
004011E0: 0F84 763E0623
0040120C: 90E9 763E05F7
00401233: 90E8 763E05D0


[FORTRANS]

Hi Dave,

   Tested on Win 2000 and Win 98 even if you were not
worried.

Cheers,

Steve


Win 2000

GetCurrentProcess results: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF

0040118A: E8 00000339
004011B5: E9 0000030E
004011E0: 0F84 000002E2
0040120C: FF25 00402004
00401233: FF15 00402004

************************** 14 branches dereferenced **************************

GetCurrentProcess results: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF

0040118A: E8 7C1967C6
004011B5: E9 7C19679B
004011E0: 0F84 7C19676F
0040120C: 90E9 7C196743
00401233: 90E8 7C19671C

Press any key to continue ...

Win 98

GetCurrentProcess results: 7FFFFFFF 7FFFFFFF 7FFFFFFF 7FFFFFFF 7FFFFFFF

0040118A: E8 00000339
004011B5: E9 0000030E
004011E0: 0F84 000002E2
0040120C: FF25 00402004
00401233: FF15 00402004

************************** 14 branches dereferenced **************************

GetCurrentProcess results: 7FFFFFFF 7FFFFFFF 7FFFFFFF 7FFFFFFF 7FFFFFFF

0040118A: E8 BFB951B8
004011B5: E9 BFB9518D
004011E0: 0F84 BFB95161
0040120C: 90E9 BFB95135
00401233: 90E8 BFB9510E

Press any key to continue ...

[dedndave]

thanks guys   :U

excellent response   :bg

interesting, the win98 addresses and return values

[baltoro]

DAVE !!!
Great stuff,...thanks for posting code and reference to original EXE Jump Tables thread.
By the way, the original thread has got to be one of the all-time MASM Forum great topics.
I think you guys should get an award or official recognition for the discussion in the original thread. Something that's the exact opposite of a PORN ALERT.

[dedndave]

thanks - lol - i think
thought i found a bug in it, but i was mistaken   :P

[dedndave]

ok - i DID find a bug
this one has bitten me on the ass before
some people never learn - lol

Code Select Expand

        OPTION  PROLOGUE:None
        OPTION  EPILOGUE:None

DeRef   PROC    lpStart:DWORD,lpStop:DWORD,lpExclusions:DWORD
;
;
;
DeRef   ENDP

        OPTION  PROLOGUE:None  <-------- NOT !!!!
        OPTION  EPILOGUE:None  <-------- NOT !!!!

i have updated the attachment above