Import Lookup Table

Came back to Windows world and played with windbg.

The following code printed f1096 as the function pointer for 'add', but the function itself lives at f13c0. The Visual Studio toolchain emits a function address table, the ILT (here the incremental-link thunk table, not the PE import lookup table), whose entries are relative jumps to the actual functions; taking the address of a function yields the address of its thunk.

CppGeneral.cpp:

#include "stdafx.h"

// Forward declaration; add is defined below.
int add(int a, int b);

// Pointer-to-function type matching add's signature; _tmain uses it to
// take add's address and call through it.
typedef int (*PTR_ADD)(int, int);

// Return the sum of two ints. Deliberately trivial: it exists so that its
// address can be taken and compared with the address windbg reports.
int add(int a, int b){
    int sum = a + b;
    return sum;
}

// Entry point: call add directly and through a function pointer, printing
// the result of each call and the pointer value. argc/argv are unused.
int _tmain(int argc, _TCHAR* argv[])
{
    // Take add's address through a typed pointer. In this build the value
    // is an ILT jump thunk rather than add's own body (see the windbg log).
    PTR_ADD pAdd = add;

    // Direct call, printed on its own line.
    int direct = add(3, 4);
    _tprintf(_T("%d\n"), direct);

    // Call through the pointer, then print the result and the pointer.
    // NOTE(review): %x formats pAdd as an unsigned int, which only matches
    // the pointer width on a 32-bit build; portable code would cast to
    // void* and use %p.
    int viaPointer = pAdd(3, 4);
    _tprintf(_T("%d, address=%x\n"), viaPointer, pAdd);

    getchar();                          // keep the console window open
    return 0;
}

Output:

7
7, address=f1096

Debug log:

0:001> uf CppGeneral!wmain
CppGeneral!wmain [c:\users\sokoide\projects\general\cppgeneral\cppgeneral.cpp @ 15]:
   15 000f1a70 55              push    ebp
   15 000f1a71 8bec            mov     ebp,esp
   15 000f1a73 81eccc000000    sub     esp,0CCh
   15 000f1a79 53              push    ebx
   15 000f1a7a 56              push    esi
   15 000f1a7b 57              push    edi
   15 000f1a7c 8dbd34ffffff    lea     edi,[ebp-0CCh]
   15 000f1a82 b933000000      mov     ecx,33h
   15 000f1a87 b8cccccccc      mov     eax,0CCCCCCCCh
   15 000f1a8c f3ab            rep stos dword ptr es:[edi]
   16 000f1a8e c745f896100f00  mov     dword ptr [ebp-8],offset CppGeneral!ILT+145(?addYAHHHZ) (000f1096)
   18 000f1a95 6a04            push    4
   18 000f1a97 6a03            push    3
   18 000f1a99 e8f8f5ffff      call    CppGeneral!ILT+145(?addYAHHHZ) (000f1096)
   18 000f1a9e 83c408          add     esp,8
   18 000f1aa1 8bf4            mov     esi,esp
   18 000f1aa3 50              push    eax
   18 000f1aa4 683c570f00      push    offset CppGeneral!`string' (000f573c)
   18 000f1aa9 ff15d4820f00    call    dword ptr [CppGeneral!_imp__wprintf (000f82d4)]
   18 000f1aaf 83c408          add     esp,8
   18 000f1ab2 3bf4            cmp     esi,esp
   18 000f1ab4 e887f6ffff      call    CppGeneral!ILT+315(__RTC_CheckEsp) (000f1140)
   19 000f1ab9 8bf4            mov     esi,esp
   19 000f1abb 8b45f8          mov     eax,dword ptr [ebp-8]
   19 000f1abe 50              push    eax
   19 000f1abf 8bfc            mov     edi,esp
   19 000f1ac1 6a04            push    4
   19 000f1ac3 6a03            push    3
   19 000f1ac5 ff55f8          call    dword ptr [ebp-8]
   19 000f1ac8 83c408          add     esp,8
   19 000f1acb 3bfc            cmp     edi,esp
   19 000f1acd e86ef6ffff      call    CppGeneral!ILT+315(__RTC_CheckEsp) (000f1140)
   19 000f1ad2 50              push    eax
   19 000f1ad3 68e05a0f00      push    offset CppGeneral!`string' (000f5ae0)
   19 000f1ad8 ff15d4820f00    call    dword ptr [CppGeneral!_imp__wprintf (000f82d4)]
   19 000f1ade 83c40c          add     esp,0Ch
   19 000f1ae1 3bf4            cmp     esi,esp
   19 000f1ae3 e858f6ffff      call    CppGeneral!ILT+315(__RTC_CheckEsp) (000f1140)
   21 000f1ae8 8bf4            mov     esi,esp
   21 000f1aea ff15d8820f00    call    dword ptr [CppGeneral!_imp__getchar (000f82d8)]
   21 000f1af0 3bf4            cmp     esi,esp
   21 000f1af2 e849f6ffff      call    CppGeneral!ILT+315(__RTC_CheckEsp) (000f1140)
   22 000f1af7 33c0            xor     eax,eax
   23 000f1af9 5f              pop     edi
   23 000f1afa 5e              pop     esi
   23 000f1afb 5b              pop     ebx
   23 000f1afc 81c4cc000000    add     esp,0CCh
   23 000f1b02 3bec            cmp     ebp,esp
   23 000f1b04 e837f6ffff      call    CppGeneral!ILT+315(__RTC_CheckEsp) (000f1140)
   23 000f1b09 8be5            mov     esp,ebp
   23 000f1b0b 5d              pop     ebp
   23 000f1b0c c3              ret


0:001> X CppGeneral!a*
000f7144 CppGeneral!argv = 0x003a1480
000f713c CppGeneral!argc = 0n1
000f13c0 CppGeneral!add (int, int)             // <-- add is at f13c0
000f2880 CppGeneral!atexit (<function> *)


0:001> u f1096
CppGeneral!ILT+145(?addYAHHHZ):
000f1096 e925030000      jmp     CppGeneral!add (000f13c0)   // <-- f1096 is a thunk that jumps to add at f13c0


(The ILT thunks appear to be laid out in this region)
0:001> u f1004 f1100
CppGeneral!_enc$textbss$end <PERF> (CppGeneral+0x11004):
000f1004 cc              int     3
CppGeneral!ILT+0(__setdefaultprecision):
000f1005 e936160000      jmp     CppGeneral!_setdefaultprecision (000f2640)
CppGeneral!ILT+5(_wmain):
000f100a e9610a0000      jmp     CppGeneral!wmain (000f1a70)
...
000f1096 e925030000      jmp     CppGeneral!add (000f13c0)
CppGeneral!ILT+150(__exit):
000f109b e938190000      jmp     CppGeneral!exit (000f29d8)
...


(add starts at f13c0)
0:001> uf CppGeneral!add
CppGeneral!add [c:\users\sokoide\projects\general\cppgeneral\cppgeneral.cpp @ 10]:
   10 000f13c0 55              push    ebp
   10 000f13c1 8bec            mov     ebp,esp
   10 000f13c3 81ecc0000000    sub     esp,0C0h
   10 000f13c9 53              push    ebx
   10 000f13ca 56              push    esi
   10 000f13cb 57              push    edi
   10 000f13cc 8dbd40ffffff    lea     edi,[ebp-0C0h]
   10 000f13d2 b930000000      mov     ecx,30h
   10 000f13d7 b8cccccccc      mov     eax,0CCCCCCCCh
   10 000f13dc f3ab            rep stos dword ptr es:[edi]
   11 000f13de 8b4508          mov     eax,dword ptr [ebp+8]
   11 000f13e1 03450c          add     eax,dword ptr [ebp+0Ch]
   12 000f13e4 5f              pop     edi
   12 000f13e5 5e              pop     esi
   12 000f13e6 5b              pop     ebx
   12 000f13e7 8be5            mov     esp,ebp
   12 000f13e9 5d              pop     ebp
   12 000f13ea c3              ret
