Hi,
Introduction:
******************************
I am trying to extend an existing section of a PE. In addition to updating
the ‘DataDirectory’ entries and section RVAs, I have to update the resource
RVAs and the import and IAT/INT table RVAs; as far as what was just mentioned
goes, everything works fine. Still, it is not enough for an unmanaged program
to work ( managed assemblies are satisfied with the changes just described ).
The Problem:
******************************
Several assembler opcodes refer directly to the IAT: when executing an
imported API ( of an external DLL such as Kernel32 ) the CALL opcode ( 0xFF15
) refers ( by an RVA ) directly to the IAT, e.g. FF15[four bytes representing
the RVA to the IAT]. This call will not execute properly if a section was
enlarged, causing the IAT RVA to change. To fix this, all of the RVAs
associated with CALL opcodes should be updated as well, which requires doing
some disassembling:
1. How can I find the starting points of any unmanaged functions in the
‘.text’ section?
2. How can I distinguish existing assembly code from other metadata?
3. Is it possible to get from the CPU the assembly opcodes it supports ( and
the size of each )? If so how? Is there a specification or is there some
other way of extracting the supported opcodes directly from the CPU?
Any ideas, suggestions or pointers would be appreciated ( please don’t
direct me to the PE structure documentation found at
http://msdn.microsoft.com/... as I am deeply familiar with it ).
--
Nadav
http://www.ddevel.com
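One way to approach the disassembly part of the question for a 32-bit image, as an added example that is not the poster's code: scan the `.text` bytes for the FF 15 (CALL) and FF 25 (JMP) indirect forms and treat a match as an IAT reference only when its 32-bit operand falls inside the old IAT's address range; that range check is what separates real IAT calls from byte pairs that merely look like one. The image base, section addresses, IAT range and code bytes below are constructed for the example.

```python
import struct

IAT_CALL_OPCODE = b"\xff\x15"  # CALL r/m32 with a disp32 operand (absolute address in 32-bit PE)
IAT_JMP_OPCODE = b"\xff\x25"   # JMP r/m32, same operand form, used by import thunks


def find_iat_refs(text: bytes, text_va: int, iat_lo: int, iat_hi: int):
    """Yield (va_of_operand, old_target) for every FF15/FF25 whose 32-bit
    operand points inside [iat_lo, iat_hi). IAT slots are 4 bytes wide, so an
    operand that is in range but misaligned is treated as a false positive."""
    i = 0
    while i + 6 <= len(text):
        if text[i:i + 2] in (IAT_CALL_OPCODE, IAT_JMP_OPCODE):
            target = struct.unpack_from("<I", text, i + 2)[0]
            if iat_lo <= target < iat_hi and (target - iat_lo) % 4 == 0:
                yield text_va + i + 2, target
                i += 6  # skip past the whole 6-byte instruction
                continue
        i += 1


def relocate_iat_refs(text: bytes, text_va: int, iat_lo: int, iat_hi: int, delta: int):
    """Return (patched_text, count) with every IAT-pointing operand shifted by
    `delta`, the amount by which the IAT moved when the section was enlarged."""
    buf = bytearray(text)
    count = 0
    for operand_va, old_target in find_iat_refs(text, text_va, iat_lo, iat_hi):
        struct.pack_into("<I", buf, operand_va - text_va, (old_target + delta) & 0xFFFFFFFF)
        count += 1
    return bytes(buf), count


# Constructed sample: image base 0x400000, .text at 0x401000, IAT at 0x402000..0x402010.
SAMPLE_TEXT_VA = 0x401000
SAMPLE_IAT_LO, SAMPLE_IAT_HI = 0x402000, 0x402010
SAMPLE_TEXT = bytes.fromhex(
    "55"              # push ebp
    "ff15 04204000"   # call [0x402004]  -> IAT slot, must be patched
    "ff15 00304000"   # call [0x403000]  -> a global function pointer, not IAT, untouched
    "ff25 08204000"   # jmp  [0x402008]  -> import thunk, must be patched
    "ff15 06204000"   # call [0x402006]  -> in range but misaligned, treated as data
    "c3"              # ret
)


def demo(delta: int = 0x1000):
    """Shift the sample's IAT references as if the IAT moved by one page."""
    return relocate_iat_refs(SAMPLE_TEXT, SAMPLE_TEXT_VA, SAMPLE_IAT_LO, SAMPLE_IAT_HI, delta)


if __name__ == "__main__":
    patched, n = demo()
    print(f"patched {n} IAT references: {patched.hex()}")
```

On a relocatable 32-bit image the same operand locations are also listed as IMAGE_REL_BASED_HIGHLOW entries in the `.reloc` section, which lets you find them without scanning code at all. 64-bit code uses RIP-relative displacements for these instructions rather than absolute addresses, so the range filter above does not carry over unchanged.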