hh86
Virus Writing Bulletin [1]
January 2011
I had this idea one year ago. I was thinking of how you can supply code for applications. For that, Windows uses DLLs. Obviously, you know what they are, and you know that they supply code by exporting functions. A DLL is loaded into the application's memory and Windows resolves the imports, so that the application can use the code in the DLL by calling the function.
There are two ways in which an application can import functions using the import table: one is to import the functions by name, the other is to import them by ordinal. When Windows successfully finds the name or ordinal in the DLL, it gets the function address from the export address table, the address is copied into the import address table in the application, and so it continues. Here is where I had the strange idea. Windows doesn't check that the addresses in the export address table are actually valid. :) I mean, the address could be FFFFFFFF and Windows would anyway add the base address of the DLL to it, and so it will be copied to the import address table.
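As an added example (my own code, not part of the bulletin), here is the check the loader skips, written as something an analyst can run over a dumped DLL: it walks the export address table and flags every RVA that would be rebased to an address outside the module. It assumes a PE32 image laid out as in memory (RVA equals offset); `build_sample_image` constructs a throwaway image with a bogus FFFFFFFF entry so the check has something to find.

```python
import struct

# Offsets inside IMAGE_OPTIONAL_HEADER32 (PE32) used by the check.
OPT_SIZE_OF_IMAGE = 0x38
OPT_EXPORT_DIR = 0x60   # DataDirectory[0]: export table (VirtualAddress, Size)

def find_bad_export_rvas(image):
    """Return [(ordinal, rva), ...] for exports whose RVA lies outside the image.

    `image` is a PE32 DLL laid out as in memory (RVA == offset), e.g. a loader dump.
    The Windows loader rebases every EAT entry without this check."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip signature + IMAGE_FILE_HEADER
    (size_of_image,) = struct.unpack_from("<I", image, opt + OPT_SIZE_OF_IMAGE)
    export_rva, export_size = struct.unpack_from("<II", image, opt + OPT_EXPORT_DIR)
    if export_rva == 0 or export_size == 0:
        return []                                # nothing exported
    # IMAGE_EXPORT_DIRECTORY: Base @+16, NumberOfFunctions @+20, AddressOfFunctions @+28
    base, n_funcs = struct.unpack_from("<II", image, export_rva + 16)
    (eat_rva,) = struct.unpack_from("<I", image, export_rva + 28)
    bad = []
    for i in range(n_funcs):
        (rva,) = struct.unpack_from("<I", image, eat_rva + 4 * i)
        if rva != 0 and rva >= size_of_image:    # 0 = unused slot; else must be in-image
            bad.append((base + i, rva))
    return bad

def build_sample_image(export_rvas, size_of_image=0x2000):
    """Constructed sample: a minimal mapped PE32 image with the given EAT entries."""
    img = bytearray(size_of_image)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x80 + 4 + 16, 0xE0)        # SizeOfOptionalHeader
    opt = 0x80 + 4 + 20
    struct.pack_into("<H", img, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, opt + OPT_SIZE_OF_IMAGE, size_of_image)
    exp, eat = 0x400, 0x400 + 40
    struct.pack_into("<II", img, opt + OPT_EXPORT_DIR, exp, 40 + 4 * len(export_rvas))
    struct.pack_into("<III", img, exp + 16, 1, len(export_rvas), 0)  # Base, NumberOfFunctions, NumberOfNames
    struct.pack_into("<I", img, exp + 28, eat)                       # AddressOfFunctions
    for i, rva in enumerate(export_rvas):
        struct.pack_into("<I", img, eat + 4 * i, rva)
    return bytes(img)
```

Running `find_bad_export_rvas(build_sample_image([0x1000, 0xFFFFFFFF, 0, 0x2000]))` returns `[(2, 0xFFFFFFFF), (4, 0x2000)]`: ordinal 2 is the FFFFFFFF case from the text, ordinal 4 sits exactly at SizeOfImage, and the zero slot is ignored as unused.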