28 May
2024
28 May
'24
8:51 p.m.
On Wed Apr 24 15:30:39 2024 +0000, eric pouech wrote:
hmmm... this is not what I see from kernel32 64bit in Win10
winedump dump -x kernel32.dll <snip> EXPORT rva: 0x9a370 size: 0xdf0c IMPORT rva: 0xa827c size: 0x794 RESOURCE rva: 0xbd000 size: 0x520 EXCEPTION rva: 0xb6000 size: 0x5634 SECURITY rva: 0xb8c00 size: 0x4088 BASERELOC rva: 0xbe000 size: 0x314 DEBUG rva: 0x87b90 size: 0x70 ARCHITECTURE rva: 0x0 size: 0x0 GLOBALPTR rva: 0x0 size: 0x0 TLS rva: 0x0 size: 0x0 LOAD_CONFIG rva: 0x807f0 size: 0x118 Bound IAT rva: 0x0 size: 0x0 IAT rva: 0x817c0 size: 0x2a70 Delay IAT rva: 0x9a128 size: 0x60 CLR Header rva: 0x0 size: 0x0 rva: 0x0 size: 0x0 <snip> objdump kernel32.dll <snip> The Data Directory Entry 0 000000000009a370 0000df0c Export Directory [.edata (or where ever we found it)] Entry 1 00000000000a827c 00000794 Import Directory [parts of .idata] Entry 2 00000000000bd000 00000520 Resource Directory [.rsrc] Entry 3 00000000000b6000 00005634 Exception Directory [.pdata] Entry 4 00000000000b8c00 00004088 Security Directory Entry 5 00000000000be000 00000314 Base Relocation Directory [.reloc] Entry 6 0000000000087b90 00000070 Debug Directory Entry 7 0000000000000000 00000000 Description Directory Entry 8 0000000000000000 00000000 Special Directory Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls] Entry a 00000000000807f0 00000118 Load Configuration Directory Entry b 0000000000000000 00000000 Bound Import Directory Entry c 00000000000817c0 00002a70 Import Address Table Directory Entry d 000000000009a128 00000060 Delay Import Directory Entry e 0000000000000000 00000000 CLR Runtime Header Entry f 0000000000000000 00000000 Reserved <snip>
Interesting. This patch produces the same hash for Windows 10 kernel32.dll as native however. osslsigncode also makes this assumption.