pampersrocker
Potential issue of accessing random memory address
As there are 2 ways to import functions, either by ordinal or by name, we should ensure that the function is imported by name before comparing the name, since treating the Hint as RVA could potentially leads to some random memory address when trying to compare the name.
I changed this line: https://github.com/pampersrocker/DInput8HookingExample/blob/b9b7e790fe0deb96c2c7884dcf5b3aac5a88c879/MinimalDInput8Hook/Hook.cpp#L44-L45
With this line, using an existing macro to check the MSB:
// The import name table is a null terminated array, so iterate until we either found it or reach the null termination
// Note: If the MSB is set the function is imported by using Ordinal/Hint instead of Name (the Hint value is the lowest WORD), otherwise it's an RVA to a IMAGE_IMPORT_BY_NAME structure
while ((ImportNameTable->u1.AddressOfData != 0) && (!IMAGE_SNAP_BY_ORDINAL(ImportNameTable->u1.Ordinal)))
PS: u1.AddressOfData and u1.Ordinal is the same thing as they're a union, but i'm using Ordinal just because the argument name on the macro is also called Ordinal.
Question is, are the imports from a DLL mutually exclusive by name or by ordinal? Or in other words, should the iteration continue after one import by ordinal has been found from a DLL? It probably should be more like this?:
// The import name table is a null terminated array, so iterate until we either found it or reach the null termination
// Note: If the MSB is set the function is imported by using Ordinal/Hint instead of Name (the Hint value is the lowest WORD), otherwise it's an RVA to a IMAGE_IMPORT_BY_NAME structure
while (ImportNameTable->u1.AddressOfData != 0) {
if( (!IMAGE_SNAP_BY_ORDINAL(ImportNameTable->u1.Ordinal))
{
// ...
}
++ImportNameTable;
}
You're right, since each array element in ImportNameTable can be either ordinal or RVA it should continue.