
Hints computed wrong

Open MarekKnapek opened this issue 4 years ago • 3 comments

Steps to reproduce:

  • Open latest available nightly version of Dependencies (1.9.321).
  • Analyze Dependency Walker with it (depends.exe).
  • Highlight advapi32.dll.
  • Notice that A_SHAInit function is exported via ordinal 1003 (0x03eb) with hint 1002 (0x000003ea).
  • This is wrong, in reality, this function is exported with hint of 1 (0x0001).

MarekKnapek avatar Mar 15 '20 20:03 MarekKnapek

The actual computation of hints is currently wacky af, thanks for the reminder

lucasg avatar Mar 16 '20 09:03 lucasg

Ok I checked the MS spec, and there is no hint information for exports, only for imports: https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#the-edata-section-image-only

So `depends` is in the wrong here, I don't know how they compute their hints but I guess it has to do with keeping the same number of columns between import information and export information.

lucasg avatar Dec 13 '20 11:12 lucasg

Actually, depends is right and you are wrong. You need a hint on both sides in order to use it on at least one side. Imagine a scenario: app.exe wants to import the msgbox function from utils.dll. Because it is importing by name (not by ordinal), it needs to provide a hint. Some compilers provide a hint with value 0 for all imported functions. But how does the compiler compute the hint to put into the exe's import table? I guess it takes it from the import library (*.lib) which can be generated from the *.dll. Then when the dynamic linker (inside ntdll.dll) loads your app.exe and utils.dll and wants to satisfy the msgbox import, it will look at your (app.exe's) hint and try to match it against the n-th function from utils.dll. This match almost always succeeds and we are done satisfying the msgbox import. If by some accident it doesn't match, for example when you add a new exported function to utils.dll so that the msgbox function gets shifted out of its previous position, a much slower binary search must be performed.

You can verify this by examining some old module (such as depends.exe) with Dependency Walker. You will see that depends.exe depends on kernel32.dll with many non-matching hints. But kernel32.dll depends on ntdll.dll with all hints matching. This is because kernel32.dll has changed since depends.exe was built, and the functions depends.exe imports from kernel32.dll are in different positions now than they were before. But all functions which kernel32.dll imports from ntdll.dll have matching hints, because both libraries were built at roughly the same time and ntdll.dll had no time to diverge from its import library.

So, long story short: In order to compute hints for exports, you need to examine the export name pointer table and get each pointer's position in the table, that is your hint. (I'm a bit rusty, so this might not be exactly correct.)

MarekKnapek avatar Dec 14 '20 04:12 MarekKnapek
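The mechanism described in the two comments above, as an added worked example (this is not code from the Dependencies project or from Dependency Walker): it builds a constructed export directory laid out per the PE spec (IMAGE_EXPORT_DIRECTORY, export address table, name pointer table, ordinal table, strings), parses it back to recover each export's ordinal and its hint, which is just its index in the sorted name pointer table, and then resolves an import the way the comment describes the loader doing it: try the hint as a direct index first, fall back to a binary search when the table has shifted. The DLL names, ordinals and RVAs are constructed for the example; the A_SHAInit ordinal is taken from the issue text, but the rest of the advapi32 table here is made up to keep the blob small.

```python
"""Export hints = position in the export name pointer table; loader hint-first lookup.

Added example; not code from the Dependencies project or Dependency Walker.
All tables below are constructed for the example.
"""
import struct
from bisect import bisect_left

# IMAGE_EXPORT_DIRECTORY (PE spec, "Export Directory Table"): 40 bytes.
_EXPORT_DIR = struct.Struct("<IIHHIIIIIII")


def build_export_blob(dll_name, exports, base_rva=0x1000):
    """Build a constructed export directory plus its three tables as one blob.

    `exports` is a list of (name, ordinal). The name pointer table is written
    in sorted order, as the spec requires so the loader can binary-search it.
    Every RVA inside the blob is relative to `base_rva` (one fake section).
    """
    names = sorted(n for n, _ in exports)
    ordinal_of = dict(exports)
    base = min(ordinal_of.values())
    nfunc = max(ordinal_of.values()) - base + 1

    off_funcs = _EXPORT_DIR.size
    off_names = off_funcs + 4 * nfunc
    off_nameords = off_names + 4 * len(names)
    off_strings = off_nameords + 2 * len(names)

    strings = bytearray(dll_name.encode() + b"\0")
    dll_name_rva = base_rva + off_strings
    name_rva = {}
    for n in names:
        name_rva[n] = base_rva + off_strings + len(strings)
        strings += n.encode() + b"\0"

    # Export address table: one slot per ordinal in [base, base + nfunc).
    # Code RVAs are fake; only the table shapes matter here.
    funcs = [0] * nfunc
    for n, o in exports:
        funcs[o - base] = 0x2000 + (o - base) * 0x10
    # Ordinal table holds *unbiased* ordinals (ordinal - Base).
    nameords = [ordinal_of[n] - base for n in names]

    hdr = _EXPORT_DIR.pack(0, 0, 0, 0, dll_name_rva, base, nfunc, len(names),
                           base_rva + off_funcs, base_rva + off_names,
                           base_rva + off_nameords)
    return (hdr
            + struct.pack(f"<{nfunc}I", *funcs)
            + struct.pack(f"<{len(names)}I", *(name_rva[n] for n in names))
            + struct.pack(f"<{len(names)}H", *nameords)
            + bytes(strings))


def parse_export_hints(blob, base_rva=0x1000):
    """Return {name: (ordinal, hint)} for every named export.

    The hint of an exported name is its index in the name pointer table,
    which is the value an importer's import-by-name entry should carry.
    It is unrelated to the ordinal (A_SHAInit below: ordinal 1003, hint 1).
    """
    def cstr(rva):
        o = rva - base_rva
        return blob[o:blob.index(b"\0", o)].decode()

    (_, _, _, _, _, base, _nfunc, nnames,
     _rva_funcs, rva_names, rva_nameords) = _EXPORT_DIR.unpack_from(blob, 0)
    name_rvas = struct.unpack_from(f"<{nnames}I", blob, rva_names - base_rva)
    nameords = struct.unpack_from(f"<{nnames}H", blob, rva_nameords - base_rva)
    return {cstr(nrva): (base + unbiased, hint)
            for hint, (nrva, unbiased) in enumerate(zip(name_rvas, nameords))}


def name_table(hints):
    """Name pointer table order (i.e. sorted by hint) for a parsed export set."""
    return sorted(hints, key=lambda n: hints[n][1])


def resolve_import(export_names, hint, name):
    """Loader-style resolution of an import-by-name entry.

    Try the hint as a direct index into the sorted name table; on a miss
    (table shifted since the importer was linked) fall back to binary search.
    Returns (index_in_name_table, hint_was_right).
    """
    if 0 <= hint < len(export_names) and export_names[hint] == name:
        return hint, True
    i = bisect_left(export_names, name)
    if i < len(export_names) and export_names[i] == name:
        return i, False
    raise KeyError(name)  # unresolved import: the loader fails the load


def demo():
    # Constructed advapi32-like table; only the A_SHAInit ordinal is from the issue.
    adv = parse_export_hints(build_export_blob("advapi32.dll",
        [("A_SHAInit", 1003), ("A_SHAFinal", 1002), ("A_SHAUpdate", 1004)]))
    # utils.dll v1 is what app.exe was linked against; v2 adds a new export
    # ("beep") that sorts before "msgbox" and shifts it in the name table.
    v1 = parse_export_hints(build_export_blob("utils.dll",
        [("msgbox", 1), ("open", 2), ("zip", 3)]))
    v2 = parse_export_hints(build_export_blob("utils.dll",
        [("beep", 4), ("msgbox", 1), ("open", 2), ("zip", 3)]))
    stale_hint = v1["msgbox"][1]  # the hint app.exe's import table still carries
    return {
        "A_SHAInit": adv["A_SHAInit"],
        "stale_hint": stale_hint,
        "v1_resolution": resolve_import(name_table(v1), stale_hint, "msgbox"),
        "v2_resolution": resolve_import(name_table(v2), stale_hint, "msgbox"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Against the advapi32-style table this yields A_SHAInit at ordinal 1003 with hint 1, the value the issue says Dependency Walker shows; against the two utils.dll versions the hint app.exe recorded (0) hits directly on v1 and misses on v2, where the loader has to binary-search to index 1. Note that the loader's direct-index check also guards against an out-of-range hint, which a tool reading a hand-edited or malformed import table must do too before indexing the name table.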