Digging into Import Tables in PE Files - What is the IMAGE_IMPORT_DESCRIPTOR Structure?

  Рет қаралды 4,118

Dr Josh Stroschein - The Cyber Yeti

Dr Josh Stroschein - The Cyber Yeti

Күн бұрын

Пікірлер: 22
@comicsmania6782
@comicsmania6782 Жыл бұрын
I don't know why this content isn't so popular, but I want to thank you very much for what you did regarding PE file format, despite of everything. It's very helpful.
@jstrosch
@jstrosch Жыл бұрын
Thank you - I'm really glad to hear you found it useful. I'm aiming to have a good collection of content around PE file format.
@comicsmania6782
@comicsmania6782 Жыл бұрын
@@jstrosch Well! Looking forward to it! Thank you 🙏
@sg6610
@sg6610 Жыл бұрын
This gets deep and most enjoy surface level (GUI, maybe Wireshark) in my experience (command prompt scares many as it is).
@YiannisFertis
@YiannisFertis 11 ай бұрын
I really like these video series, just what I was searching to begin my reverse engineering journey. Thank you !
@jstrosch
@jstrosch 11 ай бұрын
Great to hear!
@mmm-me4kk
@mmm-me4kk 11 ай бұрын
Sir thank you , I have two questions, it would be great if you are willing to answer these: 1. - When I locate the import directory table on disk, via the data directories, it have five fields (RVA to ILT, T/D, FC, RVA to Name and RVA to IAT). - For IAT (FT): When I do your calculation, I retrieve the offset of the IAT entry on disk; when I go to that offset, it contains an RVA value, e.g. 1234. - For ILT (OFT): When I do your calculation, I retrieve the offset of the ILT entry on disk, it also contains an RVA , to the H/N table, e.g. 1234. Now, this RVA value is the same. I know that on disk the IAT and ILT are the same (and in memory IAT is overwritten with the absolute address), but I'm a little surprised that it both refers to the H/N table. I thought that, on disk, the IAT refered to the ILT entry, and that the ILT refered to the H/N. 2. What I find a bit strange.. when I analyse a PE file in memory, the IAT entries of the functions are in fact overwritten with the absolute addresses of the functions (so far so good). But the firstthunk value of the import descriptor (so the one that refers to the IAT entry of that module) is not overwritten with an absolute address to the IAT (it still contains an RVA). Am I confused (or did I make a mistake or..?).
@kissanoita255
@kissanoita255 Жыл бұрын
amazing series~ thank you so much for covering it in depth
@jstrosch
@jstrosch Жыл бұрын
Glad you like them!
@mmm-me4kk
@mmm-me4kk 11 ай бұрын
Thank you! Very useful!
@jstrosch
@jstrosch 11 ай бұрын
Thanks for the feedback, much appreciated!
@x0rZ15t
@x0rZ15t Жыл бұрын
Sweet, another awesome video! You ROCK!
@jstrosch
@jstrosch Жыл бұрын
Thanks!! ☺️
@YiannisFertis
@YiannisFertis 11 ай бұрын
If it is possible I would like to ask you a question. There is the IMPORT DIRECTORY TABLE, the IMPORT LOOKUP TABLE and the IMPORT ADDRESS TABLE. Which of these tables did we watch in this video ? I am omitting my guess in order to not confuse the others..
@jstrosch
@jstrosch 11 ай бұрын
Well, I typically see this structure referred to as the IAT - or import address table. I could see it also referred to as the import directory table, but perhaps that is referring to something more specific that I’ve either forgotten or simply don’t know!
@YiannisFertis
@YiannisFertis 11 ай бұрын
Thanks a lot for your response @@jstrosch!
@nordgaren2358
@nordgaren2358 Жыл бұрын
Ctrl + G is the goto byte shortcut, and you can just type in the offset, there. ex: Ctrl + G and then 18D9C
@jstrosch
@jstrosch Жыл бұрын
Awesome - thanks for the tip!
@adamz8314
@adamz8314 Жыл бұрын
nice
@jstrosch
@jstrosch Жыл бұрын
Thanks
@vvvvvvvvw
@vvvvvvvvw Жыл бұрын
nice
@jstrosch
@jstrosch Жыл бұрын
Thanks
Windows Internals: Walking the Process Environment Block to Discover In-Memory Libraries
19:38
Dr Josh Stroschein - The Cyber Yeti
Рет қаралды 6 М.
Working with UPX - Manual Unpacking with IDA Pro, x32dbg and Scylla
19:57
Dr Josh Stroschein - The Cyber Yeti
Рет қаралды 11 М.
I thought one thing and the truth is something else 😂
00:34
عائلة ابو رعد Abo Raad family
Рет қаралды 6 МЛН
Каха и лужа  #непосредственнокаха
00:15
When u fight over the armrest
00:41
Adam W
Рет қаралды 32 МЛН
What's inside a .EXE File?
8:27
Inkbox
Рет қаралды 435 М.
Writing Custom Malware: Import Address Table Hooking
48:52
John Hammond
Рет қаралды 63 М.
The Basics of Overlays in PE Files
10:52
Dr Josh Stroschein - The Cyber Yeti
Рет қаралды 3,3 М.
04 - Intro to PE File Format
22:30
Dr Josh Stroschein - The Cyber Yeti
Рет қаралды 31 М.
🔴 Getting Started with the Portable Executable File Format
46:49
Dr Josh Stroschein - The Cyber Yeti
Рет қаралды 8 М.
The Basics of Analyzing and Creating Structures in IDA Pro - Part 1
19:09
Dr Josh Stroschein - The Cyber Yeti
Рет қаралды 6 М.
Threat Hunting DLL-injected C2 Beacons using Memory Forensics | Faan Rossouw
56:07
Active Countermeasures
Рет қаралды 1,2 М.
Signals. I spent 2 years to understand this part.
21:24
kimylamp
Рет қаралды 255 М.
Memory Dump Unpacking - Finding Redline Stealer
20:19
Dr Josh Stroschein - The Cyber Yeti
Рет қаралды 4,6 М.