I'm trying to make sense of the "delayed import" table-data of the ws2_32
DLL, but all I see is a table of dwords whose meaning escapes me. I've
searched the Web (to which a Google-search returns surprisingly few
results), but not even MS itself seems to bother to explain it.
My question therefore is : Does anyone know of a (good) description of how
to interpret those values, and is willing to share it ?
Regards,
Rudy Wieser
> My question therefore is : Does anyone know of a (good) description of how
> to interpret those values, and is willing to share it ?
Have a look at Section 5.8 of the following specification:
Microsoft Portable Execution and Common Object File Format Specification
http://www.scribd.com/doc/8345966/Microsoft-Portable-Execution-and-Common-Object-FIle-Format-Specification
--
Remy Lebeau (TeamB)
Thanks for that link. Alas, due to abusive JavaScript usage (even a
simple link is AJAX-ified) I'm not able to look at the document itself (My
computer has, for the obvious reasons, JS disabled).
I found the same-named document with a date of 2008 on the MS site but that
one had a EULA attached to it. A no-go for a hobbyist like me. I also
found a same-named document with a date of Feb 1999, but although it names
the delay-import table they claim it's the same as the normal import-table
(if it was I would have noticed and not have needed to ask my question :-\ ).
To me the delayed-import table looks like an array of DWORDs, whose contents
I cannot even translate to normal addresses (not pointing inside any of the
sections). Any idea what these values signify (are they actually DWORDs ?)
Regards,
Rudy Wieser
-- Original message
Remy Lebeau <no....@no.spam.com> wrote in news message
O$$lHfJQK...@TK2MSFTNGP06.phx.gbl...
> I found the same-named document with a date of 2008 on the MS
> site
That is the same document as the one I pointed you to earlier.
> that one had a EULA attached to it. A no-go for a hobbyist like me.
What's wrong with the EULA?
> To me the delayed-import table looks like an array of DWORDs,
> whose contents I cannot even translate to normal addresses (not
> pointing inside any of the sections). Any idea what these values
> signify (are they actually DWORDs ?)
That information is described in detail in Microsoft's document. I strongly
suggest you agree to the EULA and download it. It is free.
--
Remy Lebeau (TeamB)
Usually this work is done for you by the OS, so I wonder what you are trying
to achieve?
"R.Wieser" <add...@not.available> wrote in message
news:%23aUcufE...@TK2MSFTNGP04.phx.gbl...
Well, it's an EULA. I am weak. And I click through such things. I wish I
was strong. They're full of legalese, even if I wasn't too lazy to
read them, I am aware enough to know that my legal training means I have
no f***ing idea what I'm agreeing to.
I *Read* the legal documents that described my purchase of a house and
still got screwed in interesting ways.
I click through on EULAs hoping that they are unenforceable. But that
doesn't seem to stop modern courts deciding otherwise: Apparently if
enough weak willed people (like me) click on the damned things that
implies some kind of massed assent in principle that they're binding.
Boo. Hoisted by our own petards. Perhaps we need a national holiday in
which no one agrees to an EULA and returns any product having one.
> What's wrong with the EULA?
Don't know, did not bother to try to read it. Most of them are either
un-readable or multi-interpretable. The fact that there is one attached to
such a piece of information is enough to give me chills along my spine.
But now you ask, just try to put the below *single* sentence into plain
English and you know what I mean :
=============
Microsoft will grant a royalty-free license, under reasonable and
non-discriminatory terms and conditions, to any Microsoft patent claims (if
any exist) that Microsoft deems necessary for the limited purpose of
implementing and complying with the required portions of this specification
only in the software development tools known as compilers, linkers, and
assemblers targeting Microsoft Windows.
=============
For the record : I can't even make heads-or-tails from it (can't even divide
it up into its sub-sentences), and as a result have *absolutely no clue* to
what they are saying there.
However, I get the strong feeling that it's limiting where I may use the
gotten information for. It means that *currently* I can use what I know
about the subject for anything I like, but at the very moment I agree to
that EULA I am limited in ways I do not even know/comprehend.
*That* is what is wrong with this, and with EULAs in general.
> That information is described in detail in Microsoft's document.
As I already mentioned, no such info is present in the 1999 version ...
> It is free.
You mean : as in free-of-monetary-charge ? Yes, in that you are right.
But somehow I get the feeling that this gift-with-EULA-strings-attached is
not as free as you might believe it is.
Regards,
Rudy Wieser
P.s.
What about you downloading that 2008 version and send it to me ? If you
*really* think it's free you should be able to do that without a single
thought, and I do not need to do something I don't like (signing a EULA for
some information). :-)
-- Original message:
Remy Lebeau <no....@no.spam.com> wrote in news message
eRcw88TQ...@TK2MSFTNGP05.phx.gbl...
> Usually this work is done for you by the OS, so I wonder
> what you are trying to achieve?
At the moment I want to be able to list any-and-all functions a DLL exposes,
including the ones by ordinal. Currently I'm able to parse the import-table
and do just that. But I would like to be able to list the other functions
(delayed-import and relayed functions) too.
By the way : if you happen to know how relayed entries work (functions that
are seemingly exported by a DLL, but are actually in another one, like in
kernel32.dll -> ntdll.dll) I would certainly like to know. It's how-and-why
I came to focus my attention to the delayed-import table. :-)
Regards,
Rudy Wieser
-- Original message:
m <m@b.c> wrote in news message eyQcR8WQ...@TK2MSFTNGP05.phx.gbl...
That sentence is plain English, and very clearly granting you
something you in fact didn't have without the EULA.
> What about you downloading that 2008 version and send it to me ?
So, you're afraid of an EULA for strange unspecified reasons, but you
have no problem with copyright infringement? Brilliant.
"R.Wieser" <add...@not.available> wrote in message
news:OV%23$MsbQKH...@TK2MSFTNGP05.phx.gbl...
> But now you ask, just try to put the below *single*
> sentence into plain English and you know what I mean :
It basically says that Microsoft is granting permission for the reader to
use the information in the document to implement their own Windows-based
compilers, linkers, and assemblers, and if there are any existing patents on
the technology described in the document then the document allows the reader
to not violate any related areas of those patents.
> As I already mentioned, no such info is present in the 1999 version ...
Because Microsoft was not delay-loading DLLs yet in 1999. Borland had
already implemented delay-loading in its compiler by that time, though,
which is likely where Microsoft got the idea and then wrote a formal spec
for it later on (some of Borland's compiler gurus went to Microsoft for
awhile - the architect behind much of early .NET was originally from
Borland).
> What about you downloading that 2008 version and send it to me ?
> If you *really* think it's free you should be able to do that without a
> single thought, and I do not need to do something I don't like (signing
> a EULA for some information). :-)
Kind of hard to do without an email address.
--
Remy Lebeau (TeamB)
> It basically says that Microsoft is granting permission for the
> reader to use the information in the document to implement
> their own Windows-based compilers, linkers, and assemblers
Then that EULA would definitely not be for me, as I'm trying to write
something else (I could maybe classify it as a PE inspector). It would
also mean that I could not write a tool for anything regarding to PE style
files on, for example, Linux. Somehow that does not quite feel like
granting permission, but more like restricting usage.
> > As I already mentioned, no such info is present in the
> > 1999 version ...
>
> Because Microsoft was not delay-loading DLLs yet in
> 1999.
Really ? That's funny, as I found a table named "The Delay-Load Directory
Table" (entry 13) in the 1999 spec, and a ntdll.dll with an OS-version of 4.0
(W98se) using that table. Or is that table something else altogether ?
Reference :
http://download.microsoft.com/download/e/b/a/eba1050f-a31d-436b-9281-92cdfeae4b45/pecoff.doc
It's also quite strange that the above-named table is mentioned in that 1999
document, but not actually explained in there.
I just checked the Kernel32.dll of an XP installation (OS version 5.1), and
it has got a same-formatted "The Delay-Load Directory Table" as the above
w98se ntdll.dll (a list of DWORDs).
I'm confused : With which version of Windows *did* that delayed-import of
functions come to life, and what was the table's meaning/use before then ?
> Kind of hard to do without an email address.
:-) Yes, that makes it quite impossible, does it ? But would you actually
have done it ?
Regards,
Rudy Wieser
-- Original message:
Remy Lebeau <no....@no.spam.com> wrote in news message
elVMyteQ...@TK2MSFTNGP04.phx.gbl...
> That sentence is plain English, and very clearly
> granting you something you in fact didn't have
> without the EULA.
Really ? Granting me something I would in fact not have without the EULA ?
Can you explain that to me ? And if you are at it then please also
explain to me what "under reasonable and non-discriminatory terms and
conditions" is supposed to mean. And I wonder why those "reasonable and
non-discriminatory terms and conditions" are not part of the EULA itself (is
it actually legal to refer to unspecified items that way ?)
Also tell me how a restriction for the information only to be used for
"development tools known as compilers, linkers, and assemblers" (excluding
things like viewers, convertors, extractors and other stuff), and its
restriction to use it only for programs "targeting Microsoft Windows" can be
regarded as "giving" me something (excluding its usage on Linux, Mac and
other operating-systems).
If it's that your "plain English, and very clearly granting" then pardon me,
but I think you're a fool.
Currently I can use the PE info I already have for/in any program on any OS
I please. That is way more than I could do if I would accept that EULA. So
yes, I *do* think its trying to restrict (me) and not, as you seem to think,
grant (me) anything.
> So, you're afraid of an EULA for strange unspecified reasons,
> but you have no problem with copyright infringement? Brilliant.
:-) Too bad you fully pulled that out of context and did not recognise it as
the hood-wink (to Remy) I meant it to be. Notice that I did not leave a
contact-address, nor is my email-address in the headers of this message
valid.
Regards,
Rudy Wieser
-- Original message:
Random <random...@gmail.com> wrote in news message
3d3faf9c-4207-458e...@f20g2000prn.googlegroups.com...
I'm not an attorney, but I work with attorneys on a daily basis, and
that didn't look like normal legalese to me, but rather a readable
contract. I'm biased, obviously, though.
> Currently I can use the PE info I already have for/in any program on any OS
> I please. That is way more than I could do if I would accept that EULA.
I haven't read the entire EULA, so you might be right, I was just
trying to point out that the one section you quoted seems designed to
give Windows developers license to use some of Microsoft's patents, if
there are actually any that apply to this document. Non-Windows
developers would be unaffected by the paragraph. Feel free to
disagree with me, as I've said, I'm not an attorney. Nor do I really
care one way or the other.
> I'm not an attorney, but I work with attorneys on
> a daily basis, and that didn't look like normal
> legalese to me, but rather a readable contract.
> I'm biased, obviously, though.
You're right, I also can read all the words from it. Alas, its *meaning*
escapes me.
Of course, I always assume that a legally-binding contract (that a EULA
pretends to be) contains/must contain specific information. Phrases like
"under reasonable and non-discriminatory terms and conditions" and "that
Microsoft deems necessary" therefore have no meaning to me (are to be
decided after agreeing to the contract by one party only, which is, as far
as I know, illegal in most countries), making it gibberish.
> I was just trying to point out that the one section
> you quoted seems designed to give Windows
> developers license to use some of Microsoft's
> patents, if there are actually any that apply to
> this document.
See the above. It might *seem* to do, but they (MS) were/are careful not
to go in any specifics : You're simply not able to check your "rights"
beforehand, and will (most likely) have, in the case of a dispute, a hell of
a time to even get them (MS) to agree which patents are actually applicable.
Funnily enough they seem to be able to be *very* clear in specifying limits
in regard to which types of programs the information *can* be used for. :-\
> Non-windows developers would be uneffected by the paragraph.
I'm sorry ? "Microsoft will grant ... for the limited purpose of ....
targeting Microsoft Windows." That looks clear enough to me : Not for MS
Windows ? No grant (meaning : you can't use the info you get from this
document).
Regards,
Rudy Wieser
-- Original message:
Random <random...@gmail.com> wrote in news message
c39ad075-777e-49c2...@t11g2000prh.googlegroups.com...
R.Wieser wrote:
> <snip>
>>> As I already mentioned, no such info is present in the
>>> 1999 version ...
>> Because Microsoft was not delay-loading DLLs yet in
>> 1999.
>
> Really ? That's funny, as I found a table named "The Delay-Load Directory
> Table" (entry 13) in the 1999 spec, and a ntdll.dll with an OS-version of 4.0
> (W98se) using that table. Or is that table something else altogether ?
>
> Reference :
> http://download.microsoft.com/download/e/b/a/eba1050f-a31d-436b-9281-92cdfeae4b45/pecoff.doc
>
> It's also quite strange that the above-named table is mentioned in that 1999
> document, but not actually explained in there.
>
Remy is wrong with his statement, that in 1999 there was no delayload
support in MS's development products (that is how I interpret "Microsoft
was not delay-loading DLLs yet in 1999." and that he contrasts this with
Borland's compilers' ability to create binaries with the delay-loading
feature when he says "Borland had already implemented delay-loading in
its compiler by that time...")
VC6 was the first C/C++ compiler/linker from MS that had the
delay-loading feature. It was mentioned for instance in Matt Pietrek's
"Under The Hood" column of the December 1998 "Microsoft Systems Journal"
issue. The files on my VC6 installation CD date back to the June/July
1998 timeframe. So it should be clear that by autumn 1998 there was
indeed delay-load support in MS compilers/linkers.
> I just checked the Kernel32.dll of an XP installation (OS version 5.1), and
> it has got a same-formatted "The Delay-Load Directory Table" as the above
> w98se ntdll.dll (a list of DWORDs).
>
> I'm confused : With which version of Windows *did* that delayed-import of
> functions come to life, and what was the table's meaning/use before then ?
>
Delayloading is not an OS feature. It is a linker feature. I have
written applications using VC6 that use delayloading and even run on
NT3.51 which clearly predates the introduction of delayloading as a
linker feature.
Rudy, just in case that helps you: I have written an article around some
common code of mine a few years ago, which can be found here and which
deals with finding delay-loaded imports:
http://www.codeproject.com/KB/files/pefiles.aspx
It is based on an MSDN magazine article from Matt Pietrek from February
2002 which can be found here:
http://msdn.microsoft.com/en-us/magazine/cc301805.aspx
Cheers,
--
S
> Delayloading is not an OS feature. It is a linker feature.
I do not quite agree with you there : the linker may create and insert such
a table in the PE image, but without support for that table by the
OS-provided program-loader-and-starter that table would be meaningless.
> Rudy, just in case that helps you: I have written an article
> around some common code of mine a few years ago, which
> can be found here and which deals with finding delay-loaded
> imports:
I see the article. Too bad that it does not show any code, and downloads are
only available to members (which I am not, and have no intention of
becoming) ...
> It is based on an MSDN magazine article from Matt Pietrek
> from February 2002 which can be found here:
It also misses to state the most basic of information : how is a value in
that delayed-import table translated to a pointer inside the program-image
(if that is what actually has to be done). :-\
I just realized that the image-base value is a same kind of big number.
Alas, subtracting it from the values in the table does not result in any
value that is a valid pointer for any of the sections in the image.
Thanks for the (attempted) help though.
Regards,
Rudy Wieser
-- Original message :
Stefan Kuhr <kust...@gmx.li> wrote in news message
#HFfp#nQKHA...@TK2MSFTNGP05.phx.gbl...
R.Wieser wrote:
> Hello Stefan,
>
>> Delayloading is not an OS feature. It is a linker feature.
>
> I do not quite agree with you there : the linker may create and insert such
> a table in the PE image, but without support for that table by the
> OS-provided program-loader-and-starter that table would be meaningless.
>
Did you take a look into the MSJ article, that I mentioned? It explains
how delayloading actually works. And no, there is no OS support needed
for delayloading.
Maybe another quote helps here, this time from an MSDN magazine article
of February 2000, again from Matt Pietrek and his "Under the hood" column:
"[...] I still find people who don't know anything about DelayLoad or
they think it's some feature that's available only in the latest version
of Windows NT.
For starters, let me scream from the highest rooftop that
DelayLoad is not an operating system feature. It works on any
Win32-based system."
>
> [...] and downloads are
> only available to members (which I am not, and have no intention of
> becoming) ...
In that case, I can't help.
--
S
> Did you take a look into the MSJ article, that I mentioned?
> It explains how delayloading actually works.
Where ?
I found four references to the word "delay" :
1)
======
Optimizations such as delay loading of DLLs, section merging, and binding
were still over the horizon
======
No info there.
2,3&4)
======
Visual C++ 6.0 added the delayload feature, which is a hybrid between
implicit linking and explicit linking. When you delayload against a DLL, the
linker emits something that looks very similar to the data for a regular
imported DLL. However, the operating system ignores this data. Instead, the
first time a call to one of the delayloaded APIs occurs, special stubs added
by the linker cause the DLL to be loaded (if it's not already in memory),
followed by a call to GetProcAddress to locate the called API.
======
Minimal info, nothing explicit. No description of *how* it works anywhere
in sight. Not even a mentioning what that "delayed import table" is
actually used for. :-\
May I mention that I already found-and-read that article before I posted my
question/request.
Yes, I acknowledge that it's possible to create a delayed-loading mechanism
without the aid of the OS. Though in that case the need for such a special
table (why not simply store it in a data-segment somewhere, as it's DLL local
code and data) escapes me.
> > [...] and downloads are only available to members
> > (which I am not, and have no intention of becoming) ...
>
> In that case, I can't help.
Your article-code is only available there ? Bummer. (yes, it's only
available there. Although a quick Google-search showed 5 pages, all link
back to that one article)
Regards,
Rudy Wieser
-- Original message :
Stefan Kuhr <kust...@gmx.li> wrote in news message
#j$UPeqQK...@TK2MSFTNGP04.phx.gbl...
R.Wieser wrote:
> Hello Stefan,
>
Ah I see you are talking about the msdn magazine article I referred to.
However, I asked: "Did you take a look into the MSJ article, that I
mentioned?". Look at the **MSJ** article from December 1998, that I
referred to as well. I hope it is still on the web somewhere. If you
have an older MSDN Library, it is under the "Periodicals" section. This
article might help.
>
> Your article-code is only available there ? Bummer. (yes, its only
> available there. Although a quick Google-search showed 5 pages, all link
> back to that one article)
>
Please send an email to the email address used for this newsgroup
posting. I normally do not monitor this email address, but I will do in
this case and send you the article's code. Although I really don't think
that it is too much of an effort to sign up at CodeProject.
--
S
Stefan Kuhr wrote:
> <snip>
> Ah I see you are talking about the msdn magazine article I referred to.
> However, I asked: "Did you take a look into the MSJ article, that I
> mentioned?". Look at the **MSJ** article from December 1998, that I
> referred to as well. I hope it is still on the web somewhere. If you
> have an older MSDN Library, it is under the "Periodicals" section. This
> article might help.
>
http://www.microsoft.com/msj/1298/hood/hood1298.aspx
--
S
> I do not quite agree with you there : the linker may create and insert
> such a table in the PE image, but without support for that table by
> the OS-provided program-loader-and-starter that table would be
> meaningless.
The OS loader is not involved with the delay-load table. Delay-loading is
handled by the app's own RTL code, in conjunction with the compiler and
linker. When the app is being compiled, a delay-loaded function call emits
machine code that jumps to the DLL function using the delay-load table
instead of the import table. The OS loader is only concerned with filling
in the import table. When the app is started, the delay-load table is
already filled in with pointers to RTL-implemented thunks. The
compiler/linker handle that initialization at compile-time. When a
delay-loaded DLL function is then called for the first time at runtime,
the executable jumps to the corresponding thunk, which calls LoadLibrary() and
GetProcAddress() and replaces the thunk with the result so subsequent calls
jump into the DLL directly.
--
Remy Lebeau (TeamB)
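[Added example, not part of any poster's message and not Microsoft's or Borland's code.] The delay-load table asked about at the top of the thread, and the thunk pointers described in the reply above, can be decoded like this for a 32-bit image. The descriptor layout is the eight-DWORD `ImgDelayDescr` from `delayimp.h`; the flat buffer in which offset equals RVA, the image built by `build_sample`, and all function names are assumptions of this example.

```python
import struct

DLATTR_RVA = 0x1              # grAttrs bit 0: descriptor fields are RVAs
ORDINAL_FLAG32 = 0x80000000   # thunk imports by ordinal, not by name
DESCR = struct.Struct("<8I")  # ImgDelayDescr from delayimp.h: eight DWORDs


def u32(image, off):
    """Bounds-checked little-endian DWORD read."""
    if not 0 <= off <= len(image) - 4:
        raise ValueError("offset 0x%x is outside the image" % off)
    return struct.unpack_from("<I", image, off)[0]


def cstr(image, off):
    """Bounds-checked NUL-terminated ASCII string read."""
    if not 0 <= off < len(image):
        raise ValueError("offset 0x%x is outside the image" % off)
    return image[off:image.index(b"\0", off)].decode("ascii")


def parse_delay_imports(image, dir_rva, image_base):
    """Decode the delay-load directory (data directory entry 13), 32-bit.

    Assumption: `image` is laid out as mapped, so buffer offset == RVA,
    and it still sits at its preferred base (no relocation applied).
    Returns [(dll, [(symbol, iat_slot_rva, slot_value), ...]), ...].
    """
    dlls = []
    off = dir_rva
    while True:
        if not 0 <= off <= len(image) - DESCR.size:
            raise ValueError("descriptor at 0x%x is outside the image" % off)
        attrs, name, _hmod, iat, names, _bound, _unload, _stamp = \
            DESCR.unpack_from(image, off)
        if name == 0:             # an all-zero descriptor ends the array
            return dlls

        def rva(value, attrs=attrs):
            # VC6-era images (grAttrs == 0) store absolute addresses.
            return value if attrs & DLATTR_RVA else value - image_base

        entries = []
        index = 0
        while True:
            thunk = u32(image, rva(names) + 4 * index)
            if thunk == 0:        # a zero thunk ends the name table
                break
            if thunk & ORDINAL_FLAG32:
                symbol = "#%d" % (thunk & 0xFFFF)
            else:                 # IMAGE_IMPORT_BY_NAME: WORD hint, then name
                symbol = cstr(image, rva(thunk) + 2)
            slot = rva(iat) + 4 * index
            # Until first use the slot holds the absolute address of the
            # linker-generated thunk, in both descriptor formats.
            entries.append((symbol, slot, u32(image, slot)))
            index += 1
        dlls.append((cstr(image, rva(name)), entries))
        off += DESCR.size


def build_sample(image_base, use_rva):
    """Constructed 0x200-byte image: WS2_32.dll with two delay imports."""
    img = bytearray(0x200)
    fix = (lambda r: r) if use_rva else (lambda r: r + image_base)

    def put(off, data):
        img[off:off + len(data)] = data

    put(0x100, b"WS2_32.dll\0")
    put(0x122, b"WSAStartup\0")   # hint WORD at 0x120 stays zero
    struct.pack_into("<3I", img, 0x140, fix(0x120), ORDINAL_FLAG32 | 23, 0)
    struct.pack_into("<3I", img, 0x160,
                     image_base + 0x1000, image_base + 0x1010, 0)
    struct.pack_into("<8I", img, 0x40, 1 if use_rva else 0, fix(0x100),
                     fix(0x180), fix(0x160), fix(0x140), 0, 0, 0)
    return bytes(img)


if __name__ == "__main__":
    base = 0x10000000
    for use_rva in (True, False):
        sample = build_sample(base, use_rva)
        for dll, entries in parse_delay_imports(sample, 0x40, base):
            for symbol, slot, value in entries:
                print("%s!%s slot=0x%x thunk=0x%08x" % (dll, symbol, slot, value))
```

On a real file the RVAs first have to be mapped to file offsets through the section table, which this example leaves out.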
> However, I asked: "Did you take a look into the MSJ article, that I
> mentioned?". Look at the **MSJ** article from December 1998, that I
> referred to as well. I hope it is still on the web somewhere.
My apologies. Yes, I did look at that page (well before posting my question
here). What I saw was a description of the used method, but no specifics
about the usage of the table. So I disregarded it.
Due to your specific mentioning of it I just have downloaded the executable
(dec98hood.exe) mentioned at the top of the page and taken a peek in it.
Alas, the "DelayLoadDemo" files again do not reveal (that I can find)
anything about the actual delay-load table itself. :-\
> Please send an email to the email address used
> for this newsgroup posting.
Thank you for the offer. I've just sent the email.
> Although I really don't think that it is too much
> of an effort to sign up at CodeProject.
It's not the effort. I simply do not want to leave my contact-address with
anyone asking for it, *especially not* when I see no reason for them to ask
for it in the first place.
-- Disregard if you dislike rants or just like Spam ---
I've just looked at their "Logon" page. Seeing them having pre-checked the
opt-in for the "Code Project newsletters" (which effectively makes it an
opt-out checkmark) does not ease my feelings (of them being
data-aggregator/spammers) about them either. It's also something that gets
"thrown in" that I do not want or need. I just want to get access to a
code-sample, nothing more.
I continued to take a look at their "privacy" page, and found this *very*
funny part (though in a very negative way) :
=========
When Information May be Disclosed to Outside Parties:
...
iv. To offer you related products and services that might benefit you;
...
=========
In other words : Selling-off of the aggregated personal data for the sole
purpose of spamming.
Other parts in that privacy-page are not as clear as they could be either,
like the "vi. Otherwise as permitted ... by law" which seems to make a
mockery of any-and-all restrictions they looked to have set above-and-beyond
what the Law demands of them ...
The whole is exactly what I expected of such a subscription, and why I not
even bother anymore to scrutinise such "offers" anymore.
Regards,
Rudy Wieser
-- Original message:
Stefan Kuhr <kust...@gmx.li> wrote in news message
eK10s8qQ...@TK2MSFTNGP05.phx.gbl...
> > I do not quite agree with you there : the linker may create and
> > insert such a table in the PE image, but without support for
> > that table by the OS-provided program-loader-and-starter
> > that table would be meaningless.
>
> The OS loader is not involved with the delay-load table.
> Delay-loading is handled by the app's own RTL code, in
> conjunction with the compiler and linker.
[snip]
Thank you. Yes, I was a bit too quick in assuming that that table needed to
be OS supported (maybe because I seemed to have read that it would be
something the same as the import-table). I also understand how such a
mechanism could work. Heck, I've written code for a wedging-DLL that is
just one step short of it : it loads all the original function-addresses at
the loading of the wedging DLL.
Regards,
Rudy Wieser
-- Original message:
Remy Lebeau <no....@no.spam.com> wrote in news message
ebygtSsQ...@TK2MSFTNGP04.phx.gbl...
You're thinking of trade secret rules, where your rights depend on how you
acquire the information (and the burden of proving you got it through an
unencumbered source if you were privy to the same information through a
restricted source).
The paragraph in question refers to patents. You cannot use a patented idea
without a license, EVEN IF YOU DEVELOPED IT INDEPENDENTLY. Go see a lawyer
for a proper explanation. Of course that puts more money into the hands of
lawyers and encourages them to keep writing long complicated license
agreements :(
Maybe this will help:
http://blogs.msdn.com/oldnewthing/archive/2006/07/19/671238.aspx
I doubt delay-load is used for entry-point forwarding.
Ben Voigt [C++ MVP] wrote:
>
> <snip>
> I doubt delay-load is used for entry-point forwarding.
Exactly, forwarding has nothing to do with delay-loading. Delayloading
is done with the help of a library, delayimp.lib. Without it,
delayloading doesn't work. Forwarding is usually done by specifying it
in your def file (at least this is how I did it in the past) and does
not at all involve delayimp.lib.
--
S
> You're thinking of trade secret rules, where
> your rights depend on how you acquire the
> information (and the burden of proving you
> got it through an unencumbered source if
> you were privy to the same information through
> a restricted source).
Not quite (about trade-secrets), but the description is what I was/am
thinking about, yes.
> The paragraph in question refers to patents.
> You cannot use a patented idea without a
> license, EVEN IF YOU DEVELOPED IT
> INDEPENDENTLY.
I know. That much I *do* understand from patent-law. As it's at the very
basis of patent-law I'm also quite surprised that you think that is the
translation of part of that EULA (it's superfluous, like stating that water
is wet)
> Go see a lawyer for a proper explanation.
Thank you for the suggestion, but no thank you.
I'm a hobbyist, and have no intention to get even anywhere near the
possibility of such a dispute. I also have problems with the very notion
of something *I* need to agree to can only really be read-and-understood by
another person, who of course expects to be handsomely paid for doing so.
Regards,
Rudy Wieser
-- Original message:
Ben Voigt [C++ MVP] <bvo...@newsgroup.nospam> wrote in news message
6ECB73FA-3D7A-468C...@microsoft.com...
> Maybe this will help:
[snip link]
No, not really. I already found that page (again, before posting here),
and its quite devoid of actual information. At the end of it (including
reading the responses and following links in them) I had/knew nothing more
than I started with. :-\
At some point I got (still am) a bit frustrated. You see, none of the
information (webpages and other) found offered anything *specific*, like how
I can, when looking at the raw PE structure, recognise a forwarded function.
Just a vague 'it's there and <this> program will show it'. Not really funny
after having read thru the first 30-or-so promising hits (including quite a
number of pages from MS's own servers)
Regards,
Rudy Wieser
P.s.
My search for how delayed-loading functions work is actually a spin-off of
my searching for how forwarded functions work. At some point I got the
feeling that they might be the same, or at least that knowing how
delayed-loading works could help me find answers to the other (currently I
think I'm probably wrong in that, just as in my (past) feeling that they
might even be the same thing ...).
-- Original message:
Ben Voigt [C++ MVP] <bvo...@newsgroup.nospam> wrote in news message
4A22068E-BC8C-4C07...@microsoft.com...
AFAICT forwarding is independent from delay-loading and, for a
difference, it does indeed require OS support from the loader.
http://msdn.microsoft.com/en-us/magazine/cc301808.aspx
|| How can you tell if a function is forwarded rather than exported
|| normally? It's somewhat tricky. Normally, the EAT contains the RVA
|| of the exported symbol. However, if the function's RVA is inside the
|| exports section (as given by the VirtualAddress and Size fields in
|| the DataDirectory), the symbol is forwarded.
|| When a symbol is forwarded, its RVA obviously can't be a code or
|| data address in the current module. Instead, the RVA points to an
|| ASCII string of the DLL and symbol name to which it is forwarded.
Liviu
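[Added example, not part of any poster's message and not code from the quoted article.] The rule quoted above (an export whose RVA falls inside the export directory's own VirtualAddress/Size range is a forwarder string) applied to every slot of the export address table, including ordinal-only exports. The flat buffer in which offset equals RVA, the image built by `build_export_sample`, and all function names are assumptions of this example.

```python
import struct

# IMAGE_EXPORT_DIRECTORY: Characteristics, TimeDateStamp, Major, Minor, Name,
# Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames,
# AddressOfNameOrdinals (40 bytes).
EXPORT_DIR = struct.Struct("<IIHHIIIIIII")


def check(image, off, size):
    """Reject any table or field that does not lie inside the buffer."""
    if not 0 <= off <= len(image) - size:
        raise ValueError("range 0x%x+0x%x is outside the image" % (off, size))


def cstr(image, off):
    """Bounds-checked NUL-terminated ASCII string read."""
    check(image, off, 1)
    return image[off:image.index(b"\0", off)].decode("ascii")


def list_exports(image, dir_rva, dir_size):
    """Return [(ordinal, name_or_None, target), ...] for a mapped image.

    `target` is an int RVA for a normal export and a "DLL.Symbol" string
    for a forwarded one. dir_rva/dir_size are the export entry of the
    DataDirectory. Assumption: buffer offset == RVA.
    """
    check(image, dir_rva, EXPORT_DIR.size)
    (_chars, _stamp, _major, _minor, _dll_name, base, n_funcs, n_names,
     funcs, names, ordinals) = EXPORT_DIR.unpack_from(image, dir_rva)
    check(image, funcs, 4 * n_funcs)
    check(image, names, 4 * n_names)
    check(image, ordinals, 2 * n_names)

    # The name-ordinal table holds unbiased indexes into the EAT.
    name_of = {}
    for i in range(n_names):
        (name_rva,) = struct.unpack_from("<I", image, names + 4 * i)
        (index,) = struct.unpack_from("<H", image, ordinals + 2 * i)
        name_of.setdefault(index, cstr(image, name_rva))

    exports = []
    for index in range(n_funcs):
        (rva,) = struct.unpack_from("<I", image, funcs + 4 * index)
        if rva == 0:                       # unused ordinal slot
            continue
        if dir_rva <= rva < dir_rva + dir_size:
            target = cstr(image, rva)      # forwarder: "DLL.Symbol" string
        else:
            target = rva                   # code or data in this module
        exports.append((base + index, name_of.get(index), target))
    return exports


def build_export_sample():
    """Constructed image: export directory at 0x100, size 0x100."""
    img = bytearray(0x200)

    def put(off, data):
        img[off:off + len(data)] = data

    put(0x160, b"HeapAlloc\0")
    put(0x170, b"Sleep\0")
    put(0x180, b"KERNEL32.dll\0")
    put(0x1A0, b"NTDLL.RtlAllocateHeap\0")
    struct.pack_into("<3I", img, 0x130, 0x1000, 0x1A0, 0x1010)  # EAT
    struct.pack_into("<2I", img, 0x140, 0x160, 0x170)           # name RVAs
    struct.pack_into("<2H", img, 0x150, 1, 0)                   # name -> index
    EXPORT_DIR.pack_into(img, 0x100, 0, 0, 0, 0, 0x180, 1, 3, 2,
                         0x130, 0x140, 0x150)
    return bytes(img)


if __name__ == "__main__":
    for ordinal, name, target in list_exports(build_export_sample(), 0x100, 0x100):
        kind = "forwarded to " + target if isinstance(target, str) else "RVA 0x%x" % target
        print("%3d %-10s %s" % (ordinal, name or "(no name)", kind))
```

The Size field matters: passing a smaller directory size makes the same slot look like an ordinary RVA, which is why a lister that ignores it never sees forwarders.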
> AFAICT forwarding is independent from
> delay-loading and, for a difference, it does indeed
> require OS support from the loader.
>
> http://msdn.microsoft.com/en-us/magazine/cc301808.aspx
Thank you, thank you, thank you. :-)
All this time I've been looking at the wrong spot for the forwarding-table.
It's there, in the *import*-section of the DLL. To add insult to injury, I
even have, in my own PE-viewer, the name of that field in the import records
correctly named "forward" (which I at the time I wrote it did not understand
the field's function and as its contents were always -1 I simply ignored
it).
I can now also see that the W98se system-DLLs do not seem to be using
forwarding, though some of them do have delayed-import tables.
> || How can you tell if a function is forwarded
> || rather than exported normally?
That now seems to be pretty-much trivial : all the functions in the
export-section are not, and those in the "forward" chain all are (as in
meaning: it's not a secret bit added to an exported name or ordinal). :-)
Regards,
Rudy Wieser
-- Original message:
Liviu <lab...@gmail.c0m> wrote in news message
ea6uZHER...@TK2MSFTNGP05.phx.gbl...
"R.Wieser" <add...@not.available> wrote...
>
> Thank you
Glad to hear that it helped. FWIW the same info (and more, for example
the syntax for forwarding to a "by ordinal" export) can be found on
pages 60-61 of the pdf referenced by Remy in his very first reply above.
IMHO and don't take it the wrong way, but your insistence on rejecting
all things scripting-registration-eula-related offhand not only
complicates your life (or hobby, rather) unnecessarily, but also makes
it quite difficult for other people willing to help.
> All this time I've been looking at the wrong spot for the
> forwarding-table. It's there, in the *import*-section of the DLL.
Don't know about that, since the docs place the forwards firmly in
the EAT (not IAT). But maybe your terminology is different, or you are
looking at it from the perspective of client code at the other end.
Liviu
> > All this time I've been looking at the wrong spot for the
> > forwarding-table. It's there, in the *import*-section of the DLL.
>
> Don't know about that, since the docs place the forwards firmly in
> the EAT (not IAT). But maybe your terminology is different, or you are
> looking at it from the perspective of client code at the other end.
I'm going to re-check that document you referred me to, as I, as far as I
know, have got every field in the export-table nailed down (with nothing
found in regard to forwarding). And yes, I expected the forwarding either
there, or in its own table (hence my trying to make sense of that
delayed-loading table).
Alas, I have not found any DLL on my system (did a few quick probes) that
has the "forward" pointer in the records of the IAT (the second table) set
to anything else than -1, so I can't verify its purpose.
> IMHO and don't take it the wrong way, but your
> insistence on rejecting all things scripting-registration-
> eula-related offhand not only complicates your life
> (or hobby, rather) unnecessarily, but also makes
> it quite difficult for other people willing to help.
Not quite off-hand. I've thought long-and-hard over it, and decided it
would be a wasps-nest I would not like to get caught in.
Also, and please do not take this the wrong way, people here seem to have
adopted the position that "just press the "accept" button, and then simply
forget you've ever done so (cause they will never come to your doorstep)"
attitude. It's like promoting stealing 'cause you won't ever get caught
(which is quite funny when putting "Random"-s response to my suggestion Remy
could download and send it to me next to it (no offence meant) ).
Yes, I do make my life harder because of my rejection. But if I ever want
to publish any of the stuff I make I *must* make sure that the
bully-of-the-block (with its 1000-pound legal goons) has no reason to lean
on me. Not a funny realisation, but with the current state of
(software-)patents a fact of life.
Regards,
Rudy Wieser
-- Original message:
Liviu <lab...@gmail.c0m> wrote in news message
#s89gYIR...@TK2MSFTNGP02.phx.gbl...
For example this link:
http://msdn.microsoft.com/en-us/magazine/cc301808.aspx
Shows both delay loading and forwarding and has no EULA required to access
the information.
Plus, since it's hosted on an MSDN page, it's clearly approved by Microsoft.
Sorry, but you sound overly presumptuous here.
> Yes, I do make my life harder because of my rejection.
My main point was that you had the right and full answer from Remy
within a few hours of posting, but because you didn't "like" scribd.com
it took you almost a week to find it elsewhere. A secondary point is
that, like it or not, but Microsoft's document is the authoritative
reference in this matter and up-to-date, while usenet talk or even that
MSJ '02 article are neither.
That said, to each his own and, again, I am glad that it all worked out
for you in the end.
Liviu
> Sorry, but you sound overly presumptuous here.
I don't mind, as long as my message comes across. But do you want to say
that that is *not* what they meant? If so, what *did* they mean?
And if they did actually mean it that way, why then is my statement
presumptuous? Because I should not say that aloud? I'm sorry, I guess
I'm not *that* social.
> My main point was that you had the right and full
> answer from Remy within a few hours of posting,
> but because you didn't "like" scribd.com it took
> you almost a week to find it elsewhere.
I did not get an answer, I was told to look behind a closed door. And as I
can't access that document I can neither confirm nor deny your claim that it
actually contains the answer I was looking for. Can you?
> A secondary point is that, like it or not, but Microsoft's
> document is the authoritative reference in this matter
> and up-to-date, while usenet talk or even that MSJ
> '02 article are neither.
:-) The info I was looking for must be more than 9 years old.
> That said, to each his own and, again, I am glad
> that it all worked out for you in the end.
Actually, I did put it aside for the weekend. I've yet to see if it
actually does hold the answer.
Regards,
Rudy Wieser
-- Original message:
Liviu <lab...@gmail.c0m> wrote in news message
#M9bWdQR...@TK2MSFTNGP05.phx.gbl...
> A google search for "pe file format forwarding"
> (without the quotes) turns up some info on how
> forwarding (and delay loading) work (none of
> which requires agreeing to any EULAs).
What do you want me to say? That I actually did not already do that?
Sorry, can't do. I've searched for quite some time (and continued doing so
even after posting my question). Of course, I had the handicap that I had
no idea what to look for, so a lot of things *could* have escaped my
attention.
And actually, as I've stated before, most all documents I found are very
good in either saying much about nothing, or hiding the important info
somewhere (as I did not find it)
> For example this link:
> http://msdn.microsoft.com/en-us/magazine/cc301808.aspx
> Shows both delay loading and forwarding and
> has no EULA required to access the information.
Yes, I've been offered that one quite recently. I did not find it myself.
And I have to thank you.
As I re-read the document for info I could show you as proof the
delayed-import information is actually quite worthless I stumbled over a
small, 13 line chapter named "Export Forwarding" and now it *did* catch my
eye (probably because I am not that focussed on finding the delayed-import
info anymore). It does contain the answer to my question in a few simple
words : "How can you tell if a function is forwarded rather than exported
normally? .... if the function's RVA is inside the exports section, the
symbol is forwarded".
That's all I was looking for.
As for that delay-load table? What I found (in the above linked-to
document) is this:
=======
The delayload data is pointed to by the IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT
entry in the DataDirectory. This is an RVA to an array of ImgDelayDescr
structures
=======
I'm sorry, but that is not what the DLLs (w98se as well as XP) I looked at
show. All I see, when following that RVA, is an array of DWORDS (not a set
of records). In other words : that document does not match what I see.
Any idea why ?
FYI, the first entry of such a table (in w98se, wsock32) is BFF76E30. The
image-base of the DLL is 75E30000. The distance between them is just too
big (much more than the total size of the sections in it). It does not make
sense.
Regards,
Rudy Wieser
-- Original message:
Jonathan Wilson <jfw...@tpgi.com.au> wrote in news message
#zOYudPR...@TK2MSFTNGP02.phx.gbl...
I've looked at your files (As best as I could, I'm not a C++ user), and am
still stuck on the same spot.
In the "common\useimprt.cpp" file you have a function named
"PeFileUsesImportDelayedT". As far as I can tell it's used to check if a
certain function is delay-loaded or not.
The "GetImgDirEntryRVA" call returns a pointer to the
DelayedImportTable-entry. A few lines later the "GetImgDirEntryRVA" converts the
contained pointer to a raw file pointer.
Then I get lost: the "while ( pDelayDesc->rvaDLLName )" seems to want to
get data at the pointer+4, as if the pointer points to a record.
Alas, as I've now mentioned a number of times, the table I have is a simple
table containing DWORDS, not records. And I *still* have no idea how to
convert the table-provided value in anything meaningful (read: to point
somewhere in the program).
For the "mswsock.dll" (w98se) the first table-value I have is BFF76E30, and
the image-base address is 75E30000. Even when I subtract the latter from
the former the resulting value is just too big, and does not point to any
section in the program.
Also, there are *three* entries in that table with the value Zero (with one
at the very end), where your code seems to stop scanning. If that is so it
checks only part of that table ...
I've been "at it", in this message-group, for a month now (and some time
before it), and I'm getting tired of it (no offence meant or implied, you
were quite willing to help). I think it's clear that I fail to understand
how it works.
What I find surprising is that *no one* seems to have done the little bit of
effort to look at what the DLT looks like (maybe confirming my "It's a table
of DWORDS, not records"?) and state the step I must do that I cannot seem
to grasp.
Thanks for your help, but I think I have to drop the whole thing if I do not
want to get mad (in both its meanings).
Regards,
Rudy Wieser
-- Original message:
Stefan Kuhr <kust...@gmx.li> wrote in news message
eK10s8qQ...@TK2MSFTNGP05.phx.gbl...
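Decoding the array of ImgDelayDescr records that the quoted MSDN passage describes, as an added example that is not part of any post in this thread and is not the code from `useimprt.cpp`. It assumes the eight-DWORD record layout and the `dlattrRva` flag from Microsoft's `delayimp.h`; `walk_delay_descriptors`, the range check and the sample tables are constructed for illustration.

```python
import struct

DLATTR_RVA = 0x1   # dlattrRva (delayimp.h): address fields are RVAs when set
ADDR_FIELDS = ("rvaDLLName", "rvaHmod", "rvaIAT", "rvaINT",
               "rvaBoundIAT", "rvaUnloadIAT")

def walk_delay_descriptors(table, image_base, image_size):
    """Decode 32-byte ImgDelayDescr records; address fields come back as RVAs.

    `table` holds the raw bytes at the file offset that corresponds to the
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT RVA.
    """
    out = []
    for off in range(0, len(table) - 31, 32):
        grattrs, *addrs, stamp = struct.unpack_from("<8I", table, off)
        if addrs[0] == 0:                 # rvaDLLName == 0 ends the array
            return out
        if not grattrs & DLATTR_RVA:
            # Flag clear: fields hold full virtual addresses (as emitted by
            # Visual C++ 6.0), so subtract the preferred image base.
            addrs = [a - image_base if a else 0 for a in addrs]
        for name, rva in zip(ADDR_FIELDS, addrs):
            if not 0 <= rva < image_size:
                # Not a plausible descriptor: wrong offset or wrong table.
                raise ValueError(f"{name}={rva:#x} at +{off:#x} is outside the image")
        out.append({"grAttrs": grattrs, "dwTimeStamp": stamp,
                    **dict(zip(ADDR_FIELDS, addrs))})
    raise ValueError("no terminating zero descriptor found")

# Constructed sample: the same single descriptor in both encodings,
# each followed by the all-zero terminator record.
IMAGE_BASE, IMAGE_SIZE = 0x10000000, 0x8000
_RVAS = (0x5000, 0x6000, 0x6010, 0x5100, 0, 0)
SAMPLE_RVA_STYLE = struct.pack("<8I", 1, *_RVAS, 0) + bytes(32)
SAMPLE_VA_STYLE = struct.pack(
    "<8I", 0, *(IMAGE_BASE + r if r else 0 for r in _RVAS), 0) + bytes(32)
```

A `ValueError` from the range check means the bytes being read are not a descriptor array for that image base and size.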
Then you understand that this statement you made is false:
"Currently I can use the PE info I allready have for/in any program on any
OS I please."
If the information is covered by patent, you cannot use it.
Unless you agree to the EULA, it is a Microsoft patent, and your use is as
described (compiler tools on Windows). Then you are granted a license to
use the patented idea.
If it's a non-Microsoft patent, or you want to use it in some other way, you
have to go negotiate with the patent owner for a license that permits your
desired application.
You are still not restricted from using your information in ways that don't
infringe patents.
>
>> Go see a lawyer for a proper explanation.
>
> Thank you for the suggestion, but no thank you.
>
> I'm a hobbyist, and have no intention to get even anywhere near the
> possibility of such a dispute. I also have problems with the very notion
> of something *I* need to agree to can only really be read-and-understood by
> another person, who of course expects to be handsomely paid for doing
> so.
I think I understand it, and I think you probably understand it too, but I
am not licensed to give legal advice. So I put in that disclaimer. If you
read the following sentence you'd realize quickly that it was only a
disclaimer and not really my attitude.
And I must unfortunately and to your great and everlasting amusement, tell
you once again:
I am not a lawyer. For a dependable interpretation of everything we are
discussing you would need to consult one.