LIEF
Original IAT relocation is needed for rebuilding a DLL's import table
This topic is related to #79. Before that commit, it was something like this (I just copied the comments in the code):
/*
   Original IAT                     New IAT
   +------------------+             +------------------+
   |Trampoline 1 addr |------+      |  new address 1   |-+
   +------------------+      |      +------------------+ |
   |Trampoline 2 addr |      |      |  new address 2   | |
   +------------------+      |      +------------------+ |
   |Trampoline 3 addr |      |      |  new address 3   | |
   +------------------+      |      +------------------+ |
                             |                           |
                             |         Trampoline 1      |
                             |         +-----------------v-----+         Kernel32.dll
                             +-------->| mov rax, [new addr1]  |         +--------------+
                                       | jmp rax               |-----+-->| GetLocalTime |
                                       +-----------------------+     |   +--------------+
                                                                     +-->| LocalSize    |
                                       Trampoline 2                  |   +--------------+
                                       +-----------------------+     |   | WriteFile    |
                                       | mov rax, [new addr2]  |     |   +--------------+
                                       | jmp rax               |-----+
                                       +-----------------------+
*/
8af656b497f67fe23fc46e030b0ad42c3c312ca5 makes the trampoline position independent,
but it is still necessary to add relocation items for the original IAT:
- before the patch, the original IAT is space for the OS to place some symbols' addresses, so there are no relocation items for them...
- but after the patch, because of ASLR, the address of Trampoline 1 will be different, so the value of "Trampoline 1 addr" needs to be modified according to the base address.
I think adding some relocation items for the patched IAT is a good way?
Yes I think so.
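An added example, not LIEF's code and not part of this issue, modelling the point raised above in Python. It lays out a 64-bit image flat in a buffer (buffer offset == RVA, a simplifying assumption) whose original IAT slots have been patched to hold the absolute addresses of their trampolines; the image base, ASLR base and all RVAs are constructed. `build_reloc_blocks` encodes the patched slots as standard IMAGE_BASE_RELOCATION blocks (type IMAGE_REL_BASED_DIR64, one block per 4 KiB page, padded to 4 bytes), `apply_relocations` does what the loader does when the image is rebased, and `simulate_load` shows that without the extra entries the slots still point at the preferred base after ASLR, while with them they are fixed up. The trampolines themselves are left out of the relocation list because, being RIP-relative, they need no fixup.

```python
# Added example, not LIEF code: why the patched original IAT needs .reloc entries.
# Model: a 64-bit image laid flat so that buffer offset == RVA (simplifying
# assumption); all bases and RVAs below are constructed, not from a real binary.
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped by the loader
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address
PAGE_MASK = 0xFFF

PREFERRED_BASE = 0x180000000                 # constructed ImageBase
ORIG_IAT_RVA = 0x3000                        # three 8-byte slots (constructed)
TRAMPOLINE_RVAS = [0x5000, 0x5010, 0x5020]   # one trampoline per import (constructed)
IMAGE_SIZE = 0x7000


def build_reloc_blocks(rvas, is_64bit=True):
    """Encode the RVAs of absolute pointers as IMAGE_BASE_RELOCATION blocks:
    DWORD page RVA, DWORD SizeOfBlock (header included), then WORD entries of
    type << 12 | offset-in-page, padded with an ABSOLUTE entry to 4 bytes."""
    rel_type = IMAGE_REL_BASED_DIR64 if is_64bit else IMAGE_REL_BASED_HIGHLOW
    pages = {}
    for rva in sorted(set(rvas)):
        pages.setdefault(rva & ~PAGE_MASK, []).append(rva & PAGE_MASK)
    blob = b""
    for page_rva, offsets in sorted(pages.items()):
        entries = [(rel_type << 12) | off for off in offsets]
        if len(entries) % 2:
            entries.append(IMAGE_REL_BASED_ABSOLUTE << 12)
        blob += struct.pack("<II", page_rva, 8 + 2 * len(entries))
        blob += struct.pack("<%dH" % len(entries), *entries)
    return blob


def apply_relocations(image, reloc_blob, old_base, new_base):
    """Rebase the image the way the loader does when ASLR moves it."""
    delta = new_base - old_base
    pos = 0
    while pos < len(reloc_blob):
        page_rva, size = struct.unpack_from("<II", reloc_blob, pos)
        count = (size - 8) // 2
        for entry in struct.unpack_from("<%dH" % count, reloc_blob, pos + 8):
            rel_type, rva = entry >> 12, page_rva + (entry & PAGE_MASK)
            if rel_type == IMAGE_REL_BASED_DIR64:
                val = struct.unpack_from("<Q", image, rva)[0]
                struct.pack_into("<Q", image, rva, (val + delta) & 0xFFFFFFFFFFFFFFFF)
            elif rel_type == IMAGE_REL_BASED_HIGHLOW:
                val = struct.unpack_from("<I", image, rva)[0]
                struct.pack_into("<I", image, rva, (val + delta) & 0xFFFFFFFF)
            elif rel_type != IMAGE_REL_BASED_ABSOLUTE:
                raise ValueError("unsupported relocation type %d" % rel_type)
        pos += size
    return image


def build_patched_image():
    """Image as the patch leaves it: each original IAT slot holds the absolute
    VA of its trampoline, computed against the preferred base. The trampolines
    themselves are RIP-relative, so nothing inside them needs relocating."""
    image = bytearray(IMAGE_SIZE)
    for i, tramp_rva in enumerate(TRAMPOLINE_RVAS):
        struct.pack_into("<Q", image, ORIG_IAT_RVA + 8 * i, PREFERRED_BASE + tramp_rva)
    return image


def iat_points_at_trampolines(image, base):
    """True if every original IAT slot targets its trampoline at the given base."""
    return all(
        struct.unpack_from("<Q", image, ORIG_IAT_RVA + 8 * i)[0] == base + tramp_rva
        for i, tramp_rva in enumerate(TRAMPOLINE_RVAS))


def simulate_load(new_base, with_relocs):
    """Load the patched image at new_base, with or without .reloc entries for
    the patched IAT slots, and report whether the slots are still correct."""
    image = build_patched_image()
    slot_rvas = [ORIG_IAT_RVA + 8 * i for i in range(len(TRAMPOLINE_RVAS))]
    relocs = build_reloc_blocks(slot_rvas) if with_relocs else b""
    apply_relocations(image, relocs, PREFERRED_BASE, new_base)
    return iat_points_at_trampolines(image, new_base)


if __name__ == "__main__":
    aslr_base = 0x7FF712340000   # constructed ASLR base
    print("preferred base, no relocs      :", simulate_load(PREFERRED_BASE, False))
    print("ASLR base, no relocs           :", simulate_load(aslr_base, False))
    print("ASLR base, IAT slots relocated :", simulate_load(aslr_base, True))
```

The blocks returned by `build_reloc_blocks` have the same layout as the entries in an existing .reloc section, so in a real rebuild they would be merged into that section rather than written on their own; for a 32-bit image the slots are 4 bytes and the entry type is IMAGE_REL_BASED_HIGHLOW, which the builder selects with `is_64bit=False`.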