Article 1:Loading Win32/64 DLLs "manually" without LoadLibrary()

The most important steps of DLL loading are:

  1. Mapping or loading the DLL into memory.
  2. Relocating offsets in the DLL using the relocating table of the DLL (if present).
  3. Resolving the dependencies of the DLL, loading other DLLs needed by this DLL and resolving the offset of the needed functions.
  4. Calling its entrypoint (if present) with the DLL_PROCESS_ATTACH parameter.

I wrote the code that performed these steps but then quickly found out something is not OK: This loaded DLL doesn't have a valid HMODULE/HINSTANCE handle and many windows functions expect you to specify one (for example, GetProcAddress(), CreateDialog(), and so on...). Actually the HINSTANCE handle of a module is nothing more than the address of the DOS/PE header of the loaded DLL in memory.I tried to pass this address to the functions but it didn't work because windows checks whether this handle is really a handle and not only the contents of memory! This makes using manually loaded DLLs a bit harder!I had to write my own GetProcAddress() because the windows version didn't work with my DLLs.Later I found out that I want to use dialog resources in the DLL and CreateDialog() also requires a module handle to get the dialog resources from the DLL. For this reason I invented my custom FindResource() function that works with manually loaded DLLs and it can be used to find dialog resources that can be passed to the CreateDialogIndirect() function. You can use other types of resources as well in manually loaded DLLs if you find a function for that resource that cooperates with FindResource(). In this tip you get the code for the manual DLL loader and GetProcAddress(), but I post here the resource related functions in another tip.

Limitations

  1. The loaded DLL doesn't have a HMODULE so it makes life harder especially when its about resources.
  2. The DllMain() doesn't receive DLL_THREAD_ATTACH and DLL_THREAD_DETACH notifications. You could simulate this by creating a small DLL that you load with normal LoadLibrary() and from the DllMain() of this normally loaded DLL you could call the entrypoint of your manually loaded DLLs in case of DLL_THREAD_ATTACH/DLL_THREAD_DETACH.(建立一个普通的用LoadLibrary()加载起来的dll,从这个正常加载起来的dll的DLLMain(),你可以调用手动加载的DLL的入口点)
  3. If your DLL imports other DLLs, then the other DLLs are loaded with the WinAPI LoadLibrary(). This is actually not a limitation, just mentioned it for your information. Actually it would be useless to start loading for example kernel32.dll with manual dll loading, most system DLLs would probably disfunction/crash!
  4. DLLs that make use of SEH *may* fail. The fact that the DLL contains SEH related code alone isn't a problem but the __try blocks in the loaded DLL won't be able to catch the exceptions because the ntdll.dll!RtlIsValidHandler() doesn't accept exception handler routines from the memory area of our manually loaded DLL (because this memory area isn't mapped from a PE file). This is a problem only if an exception is raised inside a __try block of the DLL (because windows can't run the exception handler of the DLL and raises another exception that escapes the exception handler of the DLL - the result is usually a crash).
  5. Whether the CRT works with manual DLL loading or not depends on several things. It depends on the actual CRT version you are using and the functions you call from the CRT. If you are using just a few simple functions (like printf) then the CRT may work. I've written my DLLs with /NODEFAULTLIB linker option that means you can't reach CRT functions and it reduces your DLL size considerably (like with 4K intros). But then you have to go with pure WinAPI! This can be quite inconvenient but you can overcome this by writing your own mini CRT. I've provided one such mini CRT in my C++ example without attempting to be comprehensive but it at least allows you to use the most basic C++ features: automatically initialized static variables, new/delete operators. BTW, if you are about to use this code then you should understand most of these problems and you should appreciate that writing C/C++ DLL without CRT is still much more convenient than writing something as an offset independent or relocatable assembly patch.

源码分析:

  • TestDLL

定义一个结构体DLLInterface类型:里边是两个函数类型的指针AddNumbers和MyMessageBox

typedef struct DLLInterface

{

    int (*AddNumbers)(int a, int b);

    void (*MyMessageBox)(const char* message);

} DLLInterface;

对应的cpp文件中定义了两个函数:

int AddNumbers(int a, int b)

{

    printf("DLL: AddNumbers(%d, %d)\n", a, b);

    return a + b;

}

void MyMessageBox(const char* message)

{

    printf("DLL: MyMessageBox(\"%s\")\n", message);

    MessageBoxA(NULL, message, "DLL MessageBox!", MB_OK);

}

然后将这两个函数作为指针传给上面定义的这样的一个结构体:

DLLInterface g_Interface =

{

    AddNumbers,

    MyMessageBox

};

将函数存储在dll文件的导出表中,__declspec(dllexport)表示被包含这个函数的程序之外的程序调用:

__declspec(dllexport) const DLLInterface* GetDLLInterface()

{

    return &g_Interface;

}

DLLMain:

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)

{

    // With manual DLL loading you can not use DLL_THREAD_ATTACH and DLL_THREAD_DETACH.

    switch (fdwReason)

    {

    case DLL_PROCESS_ATTACH:

        printf("DLL: DLL_PROCESS_ATTACH\n");

        // TODO

        break;

    case DLL_PROCESS_DETACH:

        printf("DLL: DLL_PROCESS_DETACH\n");

        // TODO

        break;

    default:

        break;

    }

    return TRUE;

}
  • LoadDLL:

这里是模拟加载DLL(LoadLibrary)

MODULE_HANDLE LoadModule(const char* dll_path)

{

    LOAD_DLL_INFO* p = new LOAD_DLL_INFO;

    DWORD res = LoadDLLFromFileName(dll_path, , p);

    if (res != ELoadDLLResult_OK)

    {

        delete p;

        return NULL;

    }

    return p;

}

LoadDLLFromFileName中调用了:

ELoadDLLResult LoadDLLFromFileNameOffset(const char* filename, size_t dll_offset, size_t dll_size, int flags, LOAD_DLL_INFO* info)

{

    ELoadDLLResult res;

    FILE* f = fopen(filename, "rb");//filename就是testDLL的路径

    if (!f)

        return ELoadDLLResult_DLLFileNotFound;

    res = LoadDLLFromCFile(f, dll_offset, dll_size, flags, info);

    fclose(f);

    return res;

}

再看LoadDLLFromCFile中的内容,这里值得说明

ELoadDLLResult LoadDLLFromCFile(FILE* f, size_t dll_offset, size_t dll_size, int flags, LOAD_DLL_INFO* info)

{

    LOAD_DLL_FROM_FILE_STRUCT ldffs = { f, dll_offset, dll_size };

    return LoadDLL((LOAD_DLL_READPROC)&LoadDLLFromFileCallback, &ldffs, flags, info);

}

LOAD_DLL_READPROC是一个函数指针类型,定义如下:

//LOAD_DLL_READPROC是一个函数指针
typedef BOOL (*LOAD_DLL_READPROC)(void* buff, size_t position, size_t size, void* param);

将LoadDLLFromFileCallback作为参数传递给LoadDLL."LoadDLLFromFileCallback"这个函数起名的用意是显然的,就是为了说明这是一个CALLBACK函数

这个CALLBACK函数的源码如下:

static BOOL LoadDLLFromFileCallback(void* buff, size_t position, size_t size, LOAD_DLL_FROM_FILE_STRUCT* param)

{

    if (!size)

        return TRUE;

    if ((position + size) > param->dll_size)

        return FALSE;

    fseek(param->f, param->dll_offset + position, SEEK_SET);

    return fread(buff, , size, param->f) == size;//用fread的形式把数据读入内存,起到Load的作用

}

说白了,CALLBACK之所以叫回调,是因为他是为了“被(作为参数)调用”而存在的,而不是为了来调用别的函数。这里,LoadDLLFromFileCallback被LoadDLL调用,用和LoadDLLFromFileCallback函数同类型的函数指针作为参数,传入LoadDLL,也就是说传入LoadDLLFromFileCallback函数供LoadDLL使用。其实CALLBACK函数不止这一个,还有如下这个函数:

static BOOL LoadDLLFromMemoryCallback(void* buff, size_t position, size_t size, LOAD_DLL_FROM_MEMORY_STRUCT* param)

{

    if (!size)

        return TRUE;

    if ((position + size) > param->dll_size)

        return FALSE;

    memcpy(buff, (char*)param->dll_data + position, size);//拷贝指定位置开始的指定大小的数据到buff

    return TRUE;

}
LoadDLLFromMemoryCallbackLoadDLLFromFileCallback同为CALLBACK函数,他们的模型是一样的,他们都是用来被其它函数调用的,LoadDLL根据自身想实现的不同功能,选择调用不同的CALLBACK函数而已。
对比一下LoadDLLFromCFileLoadDLLFromMemory其实只是在其内部调用的时候使用了不同的CALLBACK函数作为参数而已:
DWORD LoadDLLFromMemory(const void* dll_data, size_t dll_size, int flags, LOAD_DLL_INFO* info)

{

    LOAD_DLL_FROM_MEMORY_STRUCT ldfms = { dll_data, dll_size };

    return LoadDLL ((LOAD_DLL_READPROC)&LoadDLLFromMemoryCallback, &ldfms, flags, info);

}

LoadDLL函数源码部分:

这里可能是重点部分,需要学习研究的点也很多。

ELoadDLLResult LoadDLL(LOAD_DLL_READPROC read_proc, void* read_proc_param, int flags, LOAD_DLL_INFO* info)

{

    LOAD_DLL_CONTEXT ctx;

    ELoadDLLResult res;

    BOOL finished_successfully = FALSE;

    unsigned i;

    if (!read_proc)

        return ELoadDLLResult_WrongFunctionParameters;

    ctx.sect = NULL;

    ctx.loaded_import_modules_array = NULL;

    ctx.import_modules_array_capacity = ;

    ctx.num_import_modules = ;

    ctx.dll_main = NULL;

    __try

    {

        __try

        {

            res = LoadDLL_LoadHeaders(&ctx, read_proc, read_proc_param);//加载了DOS头、PE头、Section Table

            if (res != ELoadDLLResult_OK)

                return res;

            res = LoadDLL_AllocateMemory(&ctx, flags);//开辟了一块能容纳Sections大小的虚拟空间

            if (res != ELoadDLLResult_OK)

                return res;

            __try

            {

                res = LoadDLL_LoadSections(&ctx, read_proc, read_proc_param, flags);//Load Sections和Sections之前的内容

                if (res != ELoadDLLResult_OK)

                    return res;

                res = LoadDLL_PerformRelocation(&ctx);

                if (res != ELoadDLLResult_OK)

                    return res;

                res = LoadDLL_ResolveImports(&ctx);//填充IAT

                if (res != ELoadDLLResult_OK)

                    return res;

                res = LoadDLL_SetSectionMemoryProtection(&ctx);

                if (res != ELoadDLLResult_OK)

                    return res;

                res = LoadDLL_CallDLLEntryPoint(&ctx, flags);

                if (res != ELoadDLLResult_OK)

                    return res;

                /* We finished!!! :) Filling in the callers info structure... */

                if (info)

                {

                    __try

                    {

                        info->size = sizeof(*info);

                        info->flags = flags;

                        info->image_base = ctx.image_base;

                        info->mem_block = ctx.image;

                        info->dll_main = ctx.dll_main;

                        info->export_dir_rva = ctx.hdr.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;

                        info->loaded_import_modules_array = ctx.loaded_import_modules_array;

                        info->num_import_modules = ctx.num_import_modules;

                    }

                    __except (EXCEPTION_EXECUTE_HANDLER)

                    {

                        return ELoadDLLResult_WrongFunctionParameters;

                    }

                }

                finished_successfully = TRUE;

                return ELoadDLLResult_OK;

            }

            __finally

            {

                if (!finished_successfully)

                    VirtualFree(ctx.image, , MEM_RELEASE);

                if (!finished_successfully || !info)

                {

                    if (ctx.loaded_import_modules_array)

                    {

                        for (i=; i<ctx.num_import_modules; ++i)

                            FreeLibrary(ctx.loaded_import_modules_array[i]);

                        free(ctx.loaded_import_modules_array);

                    }

                }

            }

        }

        __finally

        {

            if (ctx.sect)

                free(ctx.sect);

        }

    }

    __except (EXCEPTION_EXECUTE_HANDLER)

    {

        return ELoadDLLResult_UnknownError;

    }

}

模拟的FreeLibrary

bool UnloadModule(MODULE_HANDLE handle)

{

    bool res = FALSE != UnloadDLL(handle);

    delete handle;

    return res;

}
BOOL UnloadDLL(LOAD_DLL_INFO* info)

{

    unsigned i;

    BOOL res = TRUE;

    __try

    {

        if (!info || info->size!=sizeof(*info) || !info->image_base || !info->mem_block)

            return FALSE;

        if (info->loaded_import_modules_array)//存放的是HMODULE

        {

            for (i=; i<info->num_import_modules; ++i)

                FreeLibrary(info->loaded_import_modules_array[i]);

            free(info->loaded_import_modules_array);

        }

        if (!(info->flags & ELoadDLLFlag_NoEntryCall) && info->dll_main)

        {

            __try

            {

                res = info->dll_main(info->image_base, DLL_PROCESS_DETACH, NULL);//执行DLLmain的detach

            }

            __except (EXCEPTION_EXECUTE_HANDLER)

            {

                res = FALSE;

            }

        }

        VirtualFree(info->mem_block, , MEM_RELEASE);

        return res;

    }

    __except (EXCEPTION_EXECUTE_HANDLER)

    {

        return FALSE;

    }

}

模拟的GetProcAddress:

FARPROC MyGetProcAddress(HMODULE module, const char* func_name)

{

    IMAGE_NT_HEADERS* hdr;

    __try

    {

        if (((IMAGE_DOS_HEADER*)module)->e_magic != IMAGE_DOS_SIGNATURE)

            return NULL;

        hdr = (IMAGE_NT_HEADERS*)((DWORD_PTR)module + ((IMAGE_DOS_HEADER*)module)->e_lfanew);

        if (hdr->Signature != IMAGE_NT_SIGNATURE || hdr->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC)

            return NULL;

        return MyGetProcAddress_ExportDir(

            hdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress,

            (DWORD_PTR)module,

            func_name

            );

    }

    __except (EXCEPTION_EXECUTE_HANDLER)

    {

        return NULL;

    }

}

里边调用了:MyGetProcAddress_ExportDir,其实就是从export中获得函数的地址

FARPROC MyGetProcAddress_ExportDir(DWORD export_dir_rva, DWORD_PTR image_base, const char* func_name)

{

    IMAGE_EXPORT_DIRECTORY* exp;

    DWORD_PTR ord;

    DWORD i;

    if (!export_dir_rva)

        return NULL;

    exp = (IMAGE_EXPORT_DIRECTORY*)(image_base + export_dir_rva);

    ord = (DWORD_PTR)func_name;

    __try

    {

        if (ord < 0x10000)

        {

            /* Search for ordinal. */

            if (ord < exp->Base)

                return NULL;

            ord -= exp->Base;

        }

        else

        {

            /* Search for name. */

            for (i=; i<exp->NumberOfNames; ++i)

            {

                if ( !strcmp( (char*)(((DWORD*)(exp->AddressOfNames + image_base))[i] + image_base), func_name) )

                {

                    ord = ((WORD*)(exp->AddressOfNameOrdinals + image_base))[i];

                    break;

                }

            }

        }

        if (ord >= exp->NumberOfFunctions)

            return NULL;

        return (FARPROC)(((DWORD*)(exp->AddressOfFunctions + image_base))[ord] + image_base);

    }

    __except (EXCEPTION_EXECUTE_HANDLER)

    {

        return NULL;

    }

}

源码下载、说明:

http://www.codeproject.com/Tips/430684/Loading-Win-DLLs-manually-without-LoadLibrary

下面是一个德国人写的Loading a DLL from memory

This tutorial describes a technique how a dynamic link library (DLL) can be loaded from memory without storing it on the hard-disk first.

To emulate the PE loader, we must first understand, which steps are neccessary to load the file to memory and prepare the structures so they can be called from other programs.

When issuing the API call LoadLibrary, Windows basically performs these tasks:

  1. Open the given file and check the DOS and PE headers.
  2. Try to allocate a memory block of PEHeader.OptionalHeader.SizeOfImage bytes at position PEHeader.OptionalHeader.ImageBase.
  3. Parse section headers and copy sections to their addresses. The destination address for each section, relative to the base of the allocated memory block, is stored in the VirtualAddress attribute of the IMAGE_SECTION_HEADER structure.
  4. If the allocated memory block differs from ImageBase, various references in the code and/or data sections must be adjusted. This is called Base relocation.
  5. The required imports for the library must be resolved by loading the corresponding libraries.
  6. The memory regions of the different sections must be protected depending on the section’s characteristics. Some sections are marked as discardable and therefore can be safely freed at this point. These sections normally contain temporary data that is only needed during the import, like the informations for the base relocation.
  7. Now the library is loaded completely. It must be notified about this by calling the entry point using the flag DLL_PROCESS_ATTACH.

Allocate memory

All memory required for the library must be reserved / allocated using VirtualAlloc, as Windows provides functions to protect these memory blocks. This is required to restrict access to the memory, like blocking write access to the code or constant data.

The OptionalHeader structure defines the size of the required memory block for the library. It must be reserved at the address specified by ImageBase if possible:

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAAd4AAABlCAIAAABshhWWAAAKU0lEQVR4nO2d3aGzKhBFbz2py4bsxUIogy5yH+IPMHvQxCTOd7LWy8lBhHEk2wGN898NAACC8d/VBgAAQAvSDAAQDqQZACAcSDMAQDiQZgCAcCDNAADhQJoBAMKBNAMAhANpBgAIB9IMABAOpBkAIBxIMwBAOP6cNI/p/iCN5b95GpbNjw0fZJhyYUFj1mKIW1MXvsKYqs6awtWiqqel83VDz59r5a2fotWl2DS5dpWsecJ4tX/VzVI6V0xj8ek1him/wf+7PZjx8AxvHsli1IX0pxhgH6Aec+9zdH/M1/w5ab6Z4x/T8559ZZ/9JsaUJnFuZGenLRimbFtoCuVI2Xqea2t/DlNehmzxURtfNbl+n6SFcpMxqb7urJsLS8/67w0j4NGM0I+e6z5lyDGazuL58yOtSYpj7wzU51s93JSU5mHK93vO+X6/p3FMddBpIyJZU8SJj0tRnobHpiLSKcOrN1wJq+Mvvrc2GvVNEgGZMVgepem3LhFqeEyaZU9F8DVNVbtHlHlPmpftyp/d658vze2Q12e7tdOaNEtzY4WWknbQ1oXSnWnc9he7q2HjMiYz6KzrxnS/52nc+q/tqYM3Z15lDmlM93tOKR869tZrYf3ZWHNArJRJs7PbSdhWtRqnqf9936aWqXeYc/8HFc6Lmufp0nzRn22rI5VtYmxrlgZUM6+HIx9V0izISblDWdTQOYOlHvsq4ZnkhbytPNxut3Fcz0TjcaGtStN0Z22h9mfh2TY6kyPAFO5J8/rR+tP/Eosjqv6vv1bqJBo7hUntStWyoxkectDKE7e5cyi/tXJ3PWxctsrWO9tXppTk4nQ74/zICNmC8tLVhwdtWH+2kYCQoB2THtfCwTepPPYiMBGu2+zd3O0e5vG42ZfmNG5/Hp234pjn8MXW9EMq5XYrAOd5Qge7JskidRU1IYgrT6a/fWnW/uy5S65EmkJHmsUhGX++S5pVCGHsFCYdjZr1oFVNNh7Ps4/17vI0OjWrCmn0pVme8WPS7HzjdkK/vUF7qT97yElaO0Z3TFoU0zGpnt2Vii5MX1XcVmvdfDhsfkaatfPOS/PipL4yPxU1zx0dWj04Ic2FhuwJbuf2RQhp3tOC1p/vWNB4QprF6RB7CinxBq09cVJKfMF4SkqqQ/XW7svSD0rzE4M2rD8PSPOuScsIcjquijttNnZ123zs+AFp1rG4U7MwzftiluamaXxuqO8yTCn75jadW2ler51milJNhZbG7O2ejlgduU/ZTleVP0t5as740wsau1rQ+vO124DtiH96QWMrytYjam20N2hv1YlrFjDtQkBj5OHx2q42S9cNUy4XX4sDMUOxPQZjjpqhCX3aG7QB/GkW6pWdjjRLk8r1is2xwqQmhGiCoaLNaqkoddv0tsgnWPzbgOuyfJ6Gddd28cmvKeegbuAoRslpzNMI1S0VMZlx7q+105byBsJWLSVTtjaw9FJtXpzV9i8LvUmofgJOHL0tNLOQeZ2vnZt1WhRO2n14rpEo72tabFAmGeOLIVcNS3PmC0l82LiduKqnlKT9y2VanCFJfWu857phStOU6n501cMjxDjkmUEbw59Gmk1VV4KkSdv+5cNSxqTGHeYGrOs6OWyb4mPKHObhuTcuM8PtdjugzZfTMSaUnd/hyQUSOMslkuPMOdTV+3Jp7oRpcI7+T04u5+hPTn6C5pc98Ck2vblifMkx78Qhl0szAAC0IM0AAOFAmgEAwoE0AwCEA2kGAAgH0gwAEA6kGQAgHEgzAEA4kGYAgHAgzQAA4UCaAQDCgTQDAITjm9Jcv2lPvA7wXr9mL4VK5dvr4dTbUn40NXJx7nNKdY6UkwaK09FmavtOYmaAl/ly1Ly9iK9IMmfSHOl3eJ/u8hSkRtYtn2inzGX3FnX0T4djNK+ihbBcJs2rWpAa+TdTIzsZpIRDKueVet4UOcljjqX+Gj6UmBngNa6TZlIjC6eYXf5yamT3wuJeV8rLgu29k0n2UNT8kcTMAK/xdWk28QupkX85NfLSZWWt9lS57CF7Py/N85HNNzzekpgZ4DWui5q3IjmxDZrKt4pqSY2seCGT0n4eW5OVVmaLcFt5XZrPJmYGeI1g0kxq5Nqcv5saWZ52/W/psG2A6MyHZ24DfiQx8+0bjwnBH+Sih+fEnahiS4RUvi2kRj7nTyvNoqZ2SD1GthhWZSxWpyPbJm33H0nMvJWizPAk/OTk7TCz/Sl2H8B716OB8FsgzW+G1Mg/wfHEzO46B0APpBkAIBxIMwBAOJBmAIBwIM0AAOFAmgEAwoE0AwCEA2kGAAgH0gwAEA6kGQAgHEgzAEA4kGYAgHAgzQAA4fiaNFeZm25r5h6RUdup6TZqXsMos3RXG5YUzqqmaLN5ZdGaMitnuzsAwHm+GDUPU8p5fSvw+llk1HZqSqq3muvMcTYX3vaexp2aa5tuSlCxOwDASb4rzdO0JJLIy0eVG9CpKSnEscz1JPINykxXezXXLdW7HRsR5w3NAPBevizNw5iWdKedjNpOTYlKc6zaLIvvZagraso2ZeYmpyMAgFN8W5q3dDxjP2oWNSXbcnG1PN0PZstk9TJqFm3KtKxEzQDwCb4uzbfbOM6SbJdr+zUl6+51gLsTxhapT91VjqbNZa8mrSrxMgC8nwukeUZK86Owk7XeUK0L52Tu+BWJklUKZ1kq25wPob4n6eWFJlUnAJzha9K8LBJUaZ9zkXp6fQDNqamC0/VBtyLP8daA8wRc0ZyqqdvcOvSyQpdPz6HMAHAKfnLyCUiiDACnQJo/AEmUAeAc/4o0m7WDagEBAOBP8a9IMwDAD4E0AwCEA2kGAAgH0gwAEA6kGQAgHEgzAEA4kGYAgHAgzQAA4UCaAQDCgTQDAIQDaQYACMc3pVnmvxZJoeryNI6Tl/36eDfO7qp3sX/1atL1n5RUR/L1o23vuXdEJE0B+Hm+HDVvb5tv06BOdQaqXOS07ma/dro5mmZb9d6YOetxLZePy4XuSHdR5K6SOVbqF/Hz4iaAn+YyaS7FbkxpLP93wsbjifiOp9kWvddmrokKZ1GtlVp2ZNuo29o/ouLSVNW2kwsA+JNcJ83bR5MO1QmJj6evfi7NtknGqiLeRcBTStMgUlU1aQSPSrNzRDJuRpoBfoavS3OzCHsrNKyY5z9KtlXfIrvfsajZ9OLtbnu/SWkepjQNY0rjmPLjg9uRaGPmaNTshM0A8CtcFzVvReamWa1V/ezXTjdH02yrjIFqQeM2TGmalvh5MiaZoPkJaRYgzQC/zeXSXJUs0lXN57U0vyvNtuhdL4mPKedlgbl4vsTJvf2CNNfXA7ugMUyZ9QyAH+Gih+eaJ+f8J9S2ym76arebvTTbTu9j9fBcuVQ96+Iw5ftjjUPn3paRuD2gzhF5yowwA/wI/OQkII4yI8wAPwPSHA9+cgLw8/zT0kyabQD4m/zT0gwA8DdBmgEAwoE0AwCEA2kGAAgH0gwAEA6kGQAgHEgzAEA4kGYAgHAgzQAA4UCaAQDCgTQDAITjf0cWhTVi2xdyAAAAAElFTkSuQmCC" alt="" />

If the reserved memory differs from the address given in ImageBase, base relocation as described below must be done.

Copy sections

Once the memory has been reserved, the file contents can be copied to the system. The section header must get evaluated in order to determine the position in the file and the target area in memory.

Before copying the data, the memory block must get committed:

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZwAAABjCAIAAAAgkCEWAAAIyElEQVR4nO2d27XrKgxFbz2pyw3RC4VQBl34fsQPHksEJ9mOzZnz44xsYiNhKytAfKT/HgAAA/Hfrx0AAPgmiBoADAWiBgBDgagBwFAgagAwFIgaAAwFogYAQ4GoAcBQIGoAMBSIGgAMBaIGAEOBqAHAULREbfJxnoM7zReJC/OTpyPrn9FP69t/7uHkY+JB4dbqiHmkbnwHF57GXCjMfgU9og0ZDJeIkB/wx1F3q5jPT7lEhLyYqbnwhkNvndRg8iG9iu90/wWXRBcuBJ/7Zhv72IPJx62HSVj9CsaItjf/YFxvcordcwbnQi0Td4v5hsnzI0SJ2qrSc3C7Q5tMZzdg/04JzyO3c+dK6N8n/Tzv10h9mTzbop+ejpku7V8g2xnFgKowq++NC8Epfem7tdLS5mv03mf9Ztdg8mEdYjp+7Xx1jx7W3VQjksEgGtWVNw0pl3SjSd9HpX/s1ZU3ItmYd1eX3oV5jiFEHUzSz3J+f5OYv16E1KK2T26TqeO68slf74ObfJwT24firYobefDuU35YbWzycblAu3/6K0dMfJzbrnVxi4UqLRFSqlqHqE0+pjG1vJWsK8pv7/SEdIjZO8p5dY/03VQjMoJBNOZuLV0cCBsjlkx6gqx/7MaVN4303M3dZhW0hrcx+2DfI+avGCGVqGXjWC9nKUAx6b1WpL+Ybx5QELU267/BoRqk0UUSc+FFKFSNenHRum75Pkoe5ltv0vn6Hll3sx6REQyWJ+WVOBQ2OpYqijlIexbUO3bryveJmrFUTJrVHdK+p1O2O8T8BSOkV9Re7+GIL/wXHJqpLS50rfU+uMGJdLySqsz9WNypn4hay/mlj6efxt0UI/owZI+FTbuxPujQN2d77KeJWpt8On6LmL9khKjlZzLw5gQ6bZTTyL6FRCeTD1E40XuDK5e2puTHxGwLsfmt1RPVDT+zM7a30otYBHi9/EwWPGV8Jc7LeyTvphyRDAbZKK7DkbCxYsmkQ9T6x25deTOSe+7mMVGrd9Uet4j530dI/QOr+KEgneWFbfDZtH9TOj3NSjZdO76feinGX6xD9qcd5PxJuLQ2Re+KLdR53ePN27YOsi36vZtJuiQbrTl/0lrc62T0z4j01fbuS+flTH6eg3tYI9LBoBqNK98bNmYsWfSJWs/YW1e+Cpvuu7m0BLedYvrrwmx9VK4f8z+PkFrTePj2NvTtNgP8W4gHYhC1+9C1LAP4l1Df9YgaAAwFogYAQ4GoAcBQIGoAMBSIGgAMBaIGAEOBqAHAUCBqADAUiBoADAWiBgBDgagBwFAgagAwFHcXtTMq6yTZXWIIaUKoT6xb+ZmynO15Cpjjtj49H+B+3EXUflfXJ8uOoQ84TpZ6Pcs/KNLCq4SP/WTFMNrO/6oyFMA3OU3U7lvXR6f8kdYzT+tqPUmqQZkqV6bRk0VUqlFOqkBQlVu5zpVfZ5gsJnUvij0CXI6TRO3edX3sT3bhlirlo4ZpntacqaWL3boCUCGUujTGJp+ygJC6yHapIYBrctZM7d51fdLGohSFcitXYzHMY6KmfBTZwJeSjHHJIS0rpYk54StRM0sNAVyT8/fUblnX55UF+1RpsNGLPVPL57D7InyfAwc/ufCsHpvOFKvlp1VAqB7NywpVAJfjHFG7dV2f1gqtlIHEu11Rdb2c4z8U7F3pCkCT9yFEPz2cj+n1Tir7lBWA8h8+6otslhoS5S4ArsFpoib2oG9S10du32vr+VqzXQenfqQj7zOvypOs2YPTFYAS4cnUqeVRdnrTp/xINA2uy10e6YBL8a1HWwC+D6IGx6FcH1wYRA0AhgJRA4ChQNQAYCgQNQAYCkQNAIYCUQOAoUDUAGAoEDUAGApEDQCGAlEDgKFA1ABgKBA1ABiKE0StTI7twjxHP5UpYdfUQPWR7Z6fmXJcli88SZ8j+wzBMCTSDOkMvQBwUU6ZqU0+bFkLk9d59v7g7CN1pzHNBLvnHyuTL8o+m4ZUBuwlwSL5XwEuzlmi5n1YUqnG9eUiaplMGEcaffalyZZ9Ng2p3OGoGcA9OE3UJheCe+z/PPaFXcxFTRwpkG/Jgiayz6YhRA3gvpwnansKaNeeqYkjBQdFreyzaQhRA7gvJ4raVkMyF7WeIxt9thpT/Sr6bBpC1ADuy6mitiBFLdea4khJUXdq2c6XPxTYSicNdYoa1UcALsgJorZunW2q89xH88WjEnNwxpHmBEnWnSoe6ZB9Zmelhl5WjirrW6FpABeDh2/fhopKAFcEUXsXKioBXJLri1r5RH+1DAQA2Lm+qAEAHABRA4ChQNQAYCgQNQAYCkQNAIYCUQOAoUDUAGAoEDUAGApEDQCGAlEDgKFA1ABgKM4RtTzlz/L/Nrf/1Fnkutjag3O+KvHU+n+f0oxxurIuzs8SIG1/hKAM9RejskZEJkqAjzltprYnXszSW7gQfJ7PO6ZpzJbXou6UaSY5fZc14/TSeuFmVPWjnkKrDWkTqhiV4RKpPwA+5QeilsqEC8GlfxtTFVHNwDQT676s00vruZtZiYNK46Shuo+8r9cjSkQ9O7qe0AKA5Beitr/MpzEPcxom6k6ZZuLWVbUArda5dbpvMctapS+E4CeRizwxJPpYqEXNGJGcqyFqAN2cKGrFZtMj+fQnq7Jny767tZXm7J2pVVas02vrDylqWzU9F+JSVs8yJPpY6J2pGVM1AOjlFzO1vanaVs8/5XIH6pWZbRtuTqaG1pLO1tlHtg/m1zmbr1yqJmoHRE2AqAF8xg9FLWtZP/TZ6kuLWm+Jqb0rdbq0rrf+XIhx3UhLfrsVhmwHm6KWK2m9/Jx8ZPUJ0Mnpj3QUz3PYz03sB1cJvS1R205NjOw1qpLTDesuLzaVbMktirKW3dOGjNmfKEZlj8jSNCQNoBMevr0UhqYhaQDdIGpXgodvAT7mpqJGiSkA0NxU1AAANIgaAAwFogYAQ4GoAcBQIGoAMBSIGgAMBaIGAEOBqAHAUCBqADAU/wPYtFTsGSdR2gAAAABJRU5ErkJggg==" alt="" />

Base relocation

All memory addresses in the code / data sections of a library are stored relative to the address defined by ImageBase in the OptionalHeader. If the library can’t be imported to this memory address, the references must get adjusted => relocated. The file format helps for this by storing informations about all these references in the base relocation table, which can be found in the directory entry 5 of the DataDirectory in the OptionalHeader.

This table consists of a series of this structure

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAAR4AAABaCAIAAADhFa5PAAAJCUlEQVR4nO2d7ZmsKhCEbzwTlwmZC4EQhlnM/aFCN12NONrzsafeH+eZZZRulQJkD7X/PQghAfz36QQI+ZtQWoSEQGkREgKlRUgIlBYhIVBahITwMWlNaXk+83xw1JyfG0ua3pJXIPVituuZ0qIubM7rj+XA5qJLeZ7nlKamxmfnfk5pQccdBlpyzhcCmTiyXBTq6kodMitROCedU3MHJdtX5s7jQHMun/czjppdpxn3pTXnw8Z/gePaL8WPSP6GOlUVU8rLsv0sP6/HpbUN7Ycu+3Oe0lJbQ334/eSmWtmURBwTSNY55/OB6pEijnP6pALv11ZuyP5RFJb+Bya/Vb1V29Su03YCiWcw8rA7x/jSgh3dWrhe2f455bUrWdoeCA45Uz2upoWOdHoa5wL3LPN+b1EvXbJfj8+z7HXkpalEl5TS+qBgz3+WVlop5a0TX/aP5TAlh7YRboetwx/8UuHV1QbSMnghkDi9Hu6cflSw3iw/qk0eVysq6wV6TCnvg2KgtJwTZUr7Zzkqls5V91N1yJXNfP0MjzxKHKYkezfn5DoJ20+DnWhNVPTcIaNWmuac50f9Rx4lE4KRRycuumfQY5YOJGsFPd1xoPoI9U1EpxsNNJe5fu/edZg8KrB1w0A63rulJQrLBz3B2NMDs96mWS3tnLu9+4MtWbQa/+ap7JyLnI46rBBp1W4G3domo3qtZax7YdQqPZAN1CRbDxwfteCTHBu1TknLTf6itI4ULU9b7pTW3i3VL/WV7M0FXB2UVudxnW7Jx28E3yitx2OeZ/kdmAyje/xwJm8QVUEdsQ9m3S8EAlMU93QzSz0zIfSTvzQhLA3g8GHLC7QcSWvLWM209Iz0oV6r1SzRxlXNWLyk9gf8PvJ0OLdUySNpiQWiOpdRb12mWN+QMww8YHiIuku4xXdvl57JL34gXOV4IPWutfRPty+AcHWhfRx+8ugnnLW3jFHeLdSiksPro5Z8l2/Gbb00kVMqXYgSD15JWEty1isi6ki9aNDrMVEYnPzBGuy2FlOeJqrUuyEjmPB7AVp50YXL3up0Su1c2lU7qhxGL2s8+i6dDyTuYp7h6aZQLoCae9w8Di95/Ep5ZvG9/Ngfk0rNr0prrMaRGTghf5AbpQVWDMQvMq8kScjv8fKvjMkLmInOW/udt0X/7GX+AJQWISFQWoSEQGkREgKlRUgIlBYhIVBahIRAaRESAqVFSAiUFiEhUFqEhEBpERLCe6UF/H7gtolmq4nYI2X/txouvUDz343bredDew0usl+TDOS5L8lT2sTGbLNICG8fteQ2uEV5VJQj0siWOL0Bsq3zIl0roDHu3o9cipK7g6dvt0DezAel1ezZ1kpzGjd0CwJ1XkXtHpUeIGYwAS5R7cbDWia+lX5kzmhkVQEMjKBDFihEecroeN/h7pDlFm7Ff8Al8nY+Kq3th73BrHaSoqxiN5dr4wXfT+RynmaPtg1gXaK8IQfYCGy2GMA+wlRhDYwchyxQCPPEXlrQIcuxzaK0XL5BWsUxbM7LZh3mSwt3svdLC7RjNwAaKcelVfc9HUjLt3naSqFnBHLUKBU+FWYHvdHlbS+0/wBfMCF8VJ/L+ipxNCFUiwn3TwhLTaC6W6UlruPIOAwYPFyU1vG96rh9kgM+KS1pS7TUUam+G3SdfZTrMRoOLuOY+oxKy3g/IesoaerZH7Uc9yVl8rPHAYUwT2hIBB2yPNssMckkmk8uvgN/2sbXzFl8V25BN/lFO+naFQszcIAZFcpeFEnrqHpYzqasVDBiYFQdslDhkalRvXfQIcuzzVI+eUTCXxmTC9z0y44/CaVFSAiUFiEhUFqEhEBpERICpUVICJQWISFQWoSEQGkREgKlRUgIlBYhIVBahIRAaRESAqVFSAh0dPKonhWrsYAofzlI56+u1+0e3i4Z5MxxMjS3B78ROjp5aUpfmFvqxFe0RmjavLgl7W7FC/4ENHd6K1+wgf8bHZ3wJnU4bqhBxvo0CcMJ54rAFkUlrdbPwnjRmP2NanhMqblN23c6Ve66up1vsJ35Skcn38TMSU1vxrdOSe5pcNSqcsWuTvVAKZG6/RrZAhQ1p0aslFYE3yCt73R0EhXq5o0D6Db8VCyrMdkZackJYWOiCywy9HfeHVhvMWX0Jr5gQvitjk6FYy/d5hUP5tCppSet9sRL0rp3oYd0oaOTk6WQijEt061TpVeSh05JLyxjtHW1E8IM8pTZC9VvE+9moYeWTEHQ0QniLC4AR6dm9td3QLKL77rO1o9Jno2jy/CqN4Cnr9IyiVJYEfBXxv82tGQKg9IiJARKi5AQKC1CQqC0CAmB0iIkBEqLkBAoLUJCoLQICYHSIiQESouQECgtQkKgtAgJgdIiJIS+tEZ3HJg9GO0moLn9Y9WepVGe1+3l7UZdd6+Iv0+lH2j3aXoxkIkjy+2WjrYOx8diTjonvE1EfnX017/lYfrvmvM/vAdzOGqd2FvYboBdlrJXqH5+yL3E+6GL3BJVWoP0l+htw3L9j9pA2KdpPBD0k3JOt/cNboWUG9T05vom+eIZ09uE3Q0kngG9nd5ApLS2XfmPOS/7x3JYx7OoHLZYZ6ejFO2u26YE9NXjgaCflHP6UYGwBXFitcnjakVlvUCPKeV9UDRmIhzDIgiV1mohU/+RRyEjpKa20YmL439kAsla1fAwGgj6STmnm/sGbWfc4QMmjwps3djfRsWjtN5ArLTKtnHp21BniboLrQopY90Lo5bxqXBbo/bbGBu17FvN8Kh1Slpu8heldaRoch8DK4TDTsxwWjLPs/wOvHbr1iK9aAY1Df2PnPd7cNZ4IOgn5ZxuZqlnJoR+8pcmhKUno7TeQPCo1X4HD1FrD7jFd9sC8j/CModVjgeCflLO6fYF8NCjqp88+gln7S1jlCUYtahER6cg7pGW6WX3gq3DBBZF8M8o1Leldq3ZHThR5TD6kiY0GJwPpPyk4Omm0HhCaYPSoeTxK+WZxfenWH9XJlMUVgR3jlrk96CjUxj3/MqYENLwQ//RyUyzuvO3XwhE/jI/JC1CfglKi5AQKC1CQqC0CAmB0iIkBEqLkBD+B8HaSEee9btyAAAAAElFTkSuQmCC" alt="" />

It contains (SizeOfBlock – IMAGE_SIZEOF_BASE_RELOCATION) / 2 entries of 16 bits each. The upper 4 bits define the type of relocation, the lower 12 bits define the offset relative to the VirtualAddress.

The only types that seem to be used in DLLs are

IMAGE_REL_BASED_ABSOLUTE
No operation relocation. Used for padding.
IMAGE_REL_BASED_HIGHLOW
Add the delta between the ImageBase and the allocated memory block to the 32 bits found at the offset.

Resolve imports

The directory entry 1 of the DataDirectory in the OptionalHeader specifies a list of libraries to import symbols from. Each entry in this list is defined as follows:

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAAnYAAAE3CAIAAACo2pv6AAAgAElEQVR4nO2d3aGrKhBGbyf3PSXcemyIXiiEMujC+6DIAAPiDzHJXuvhnMQgDAp8MOKef14AAABwK//999+///77z9NmAAAA/BpILAAAwBCQWAAAgCEgsQAAAENAYgEAAIaAxAIAAAwBiQUAABgCEgsAADCEZyR2sn6endlJZdy84u30FrsGEiuz1meyPqmYccvXLWFW6e24M8baKctxbl/P7tIn69Ust+PrOXq63KT6fVPPr9YoXhPnXMhTmGSss1PN9KLuleKrxvfVvUlfgweAX6MhscaNHBP2c79U/gjjb8gzyWKyzvv1u/y8pLPWRYGarA8j/mR9GOuNixrWY1xf6THVZJeDk/XzltJHQRQmBZVa0zs7bf/tWxNrp9ZIHDRurbuwY5seqCapdVerqRvfXfcmY/sSAHwqFYlNJ+rrwLIcjEPcPHtr3bKK8PW1g0+UIqSLg46WUlt51IjLO+c2RSiXGZv1S3pn5NpCVi0x1FtrlxFXy/MwuchZuxwwzoePWzKhUBWxWgb6HSU7XLpItWSdFRB+F8qXpeizSFoTzlBrJHW3XULdpJbEpmnTEw/XXQeJBfibHFvFyuFETvOFjOXLCfHZuETuisEqG0v7hqVoklzYVE6O7tE4pisDbTQ0Lpu6DWpSiNxknDOv+I9MJQ1SSw6Ti14/+qHS48es9FQOVzvUFAesMUHs1RoVzvPqBamZ1JTY8rrUTtuve0ddAeDPcNRRLLx3US6LAUp9rJUNZD4ZU5UVa+ewJNaX5ZBdpM3Hfk1iawUPkdg43dAubWZRrOu2+ry0itVKl7fE59MQaVX9UfkViW3XKAjazpxDmXUoEqu7STolttPFEk7r8SYDwM9x+FnsOn+XT7JKx5o6RqoS2xiNDyva/qPJT5TY18sY+SBTc5JXnJeKB/Vy6Uo195ylxULuqqO4Qfsxb92k5ipWK0H91lF3hb6FLgD8IE2JFTso09HQJA5jPxcPptRpeyJnPj7grYw/XYomT1d9zonxmsTGsVK4IZOnssXh9IIcoeGSjAs5JUlylXSJ7bhcHaWrGe1t+clv4mGJbdZIr2V2j5RHpGm7Oimxh+uuwioW4I/Semknf1khIJ9Phm0zha822R8kH8GuR5xLd04lKdPNRa2FjVaMbnxlB1VIt+7Z2oZQLdPaBemhKD4cWBfzyW6q9KDP91spq928+qdK98mbL5mHtPLiirhgzmhm6qjbx/Qa1ba+5feoZtLOSzva/a0c3ql78+4jsQB/kTPvxabjRf+jQIA/ChIL8Dc5JLHK3F/8QYRxRgJ8N/zpCYC/CX9A8V4KX+db5x/Plv4tJgEAvAkkFgAAYAhILAAAwBCQWAAAgCEgsQAAAENAYgEAAIaAxAIAAAwBiQUAABgCEgsAADAEJBYAAGAISCwAAMAQkFgAAIAhfLLEDgllzR9kBwCA9/DJEjsEwooBAMB7eJ/ExuXjEhNviW9t3Dx750Ts8Zi4jMiyhW2RcdaV0xsgsQAA8B7euooV8hYDuU/Wr0o6WZ/KXx773W8iGn3IjdP3bAAAABjIJ0hs+CQ/5umLH8NvjdM1+nQYAADgMn9LYodsoAIAANB4s8Sunl7j4pPTXolNf91+YhULAACfyXt3FIddTN6adfPTuoHJmWSHU/isbG5KD+mnt+BZLAAAvAde2gEAABjCn5NY/vQEAAC8hz8nsQAAAO8BiQUAABgCEgsAADAEJBYAAGAISCwAAMAQkFgAAIAhILEAAABDQGIBAACGgMQCAAAMAYkFAAAYAhILAAAwBCQWAABgCF8usWnUO2deMmDelH2JqddQeMrZ1aM32uqtsc5O3xaQ4GI8+4ung4Ya/rgjJnJv6MfXS4aQ9LvhmJ9kRAN7rNGqN+jIXXt9bI97y7j3QXX/col9yeh0k/WrrmaR3W1Q2y2M+/ZxixKfDExlnlcRRYqA9G+MrPe2oogW+D5i6907mKVY22LeU/TEd9/PD2whH2jS61Ux68NsPWPOx1ThHYb8ksSGIWMdOFLFzUaTcJYYj0SKMs+LVDIxztlknb0eLVYNy/zV22n5TYp1ub4Qy2Vr5Vo+X5gr6xO9oMr0eTvfOZd4ECp+gez0wk41T3H4s1dRb+fsEla07p3GHRtIcvXLZldpn6rN55viZP08e+/neXZGtgilgRk3z965js7V32hreUZfmWmt0LTT45Juq25yxkmJLYzXL90y2TfhAuT9bfcW1+5m06bZmVgF3UWiDgLlcNE7WOnVrBp/oXlr/JbErl+Mc+Y1Weecs5M8FgljS5RY6VpQ8rzRSHl43tYTYg1ttvYn293SS5JlupZS1MO42WuzhjL3pCSlIC2L+KNcotcvV/aDamclTyRWQZXHo+vS/cadp5B+ncQdV2s2uzkeaYpriWuL2Wmfvrtz9TZaLc94EaJ7qoJqUmPGc3EVm6ZUL5302m539tAt7jQn5iOK1O+7OghUhrXOwUqtpmr89ead85MSO1lnJ+OcMc4vHxoSq8+i3iWxWu8Sa4dUYos7q6SsWVscT1YoSVG1JqQMtsr8tXO0qiTT84SS88PvJYmteIPKX7pzPNQU13NN8Jp0TQH3O1e/xBZ5ZmPFjsQqJr1PYpVLlzo9mg4/xb5+c5JUodDafVcGgWopfYOVVk012xuad85vSezWbpy1QVhtPNZyFCczljc6ios7KAxJz1KGGyVlt8TW69UrsfIXORu9IrF6npBzegn7OjpuvEFiDzTFixJb61x/WGLLIeZtErvfYsTwfFFi9ZEUie1Blynv4yp1c800tzt1+m7Om5k4N4LAa7arDpH6cJOlzAqKq1vx9Gdt4JWndscnhqrDJ3P15s1Zs7OWp/DSwOtVGcq7JyUmPvm2u2eUvouKNB2Q2PNN8bLE6p2rt9HqecrV1xmJjbP8u57Failrq1j5yHGx6dAtrl66qi26B39DHwQqw1r/YFVWUzX+evPO+XKJrTyylg/3xH2vvrSz6e08O3PoGf4BhFskjCvBluQJfbTSufAEQd93oqVUCtIrn1+9IPptx008rJxcKUg9XbWzlufu2PW3OLvPaUPfJqeVs3PfxEYGJeFuvgebYuwxqxqtj9i0Brae7cx+51JNOpBntDS4zJpXvThd2S213+Oal7lMWb90ztrtQgtpK4qp3mLlbu7Y5JxrjCK1QaAcLo4MVmo1VeMvN++ML5dY+AtMN7059SNcW8LCQO7Yt/FW7nLSfThPVhOJBQC4QFw4fdk0Jy6/v2ticJBnq4nEAgAADAGJBQAAGAISCwAAMAQkFgAAYAhILAAAwBCQWAAAgCEgsQAAAENAYgEAAIaAxAIAAAwBiQUAABgCEgsAADAEJBYAAGAIXy6xaeSiJFyVDH+VR07Kg9klfyNaP3qjrT1/KzyJEH9TyppBaiS6MnTT+YIUkvBQswjpd6WIyxl8HcfD2imtO/sr6eGrj+G/Pu2v2z/VOy5RhoO9l93Wr4Vk08Iaan1znzRsbjmAFqXnMaDD9alFWhTNdAlznNvZClar1Gg1M8YWdEa0/SnrBn4LP579ngcmLfhyiX3J+FExsHcauWi5IXsh2dNIwHmeV9FL/wSK+Fu3xCHuLGQLDF2EzL6roJ/mXFg7pc1n91leRePaUVC1c36HW2s1PKRaj7VKmuwWV/pmk2xalwyg1RD3k3Xeb6Ni/FyaJMdhETxaNvVW3Ss1SmKzRzvKkOyJcWrSxrT2lyQ2VHq7klJxK4OIuEnaBX/d1C/00pe5zzYjyuKSp7dMiduspTQuRJuuzEyL4beiflPWwAuTdOPlZNO5xEptrlnMhpyzieNBzM23AhvVTK9sFkX809ZiVzkbmV1r88lpmcKa3T5QvcWdsd/VlJ/ZO9Sqd7bPybps9aMXf6zNbxffmXMSW7nFRwa+vNWJQtJscom11q2eFB8+aiZVbFlacrehecIjEmtNsQwQC4PWEvq3JHb9Em6Qc85O8lgkXJ443EiXkpLnjUa+0sbjN8dFtS0K40p3U5F3WCQn63KzzcEK/0shsd3DTWl8rESyWK9dw1Ji59J4tb/q1YxTJ1vk+2sSq44sPcPNTpvXrmdHtmrrkHOcRi+qpvy83qHQ3T6la3Srsl737jzjKZ2PSXYcSpEDElv4+oyrdP1CYifjnHnFf3STKrehOlTVzMwlVswM9yQ2CEkuscbtFP+TErvdOuP8eg/rEjvP5W16q8TqDbluQj4MdOUtnkbsS2yxiq2k1BKJZttxDZVVbDmyVIYb9RIud/3n5FRBvaRdbVVv8+pQq0/u++xpOJ8z6ik/r3e0jWm3z3Stt+Nd68szk6xdD0ZZo+otPiCxxQSqekFLiY1Tg+03bZ24TS3k4PLOVew2zZNz0XlxLDRHm9+SWHEpbBBWqz5SKBzFSSt5k6O4lf2tg4ioXFFe81nszg/Na9PzoGSAxJZexF/k9BL2VWvz6+nZECPcv7tPeL9VYg/1jrYx3yex9Vt8TWJ7xpCtEiaps2JSaou4c4em0lclNszgC3dPs5X8lMTKS+/jKjVOgMT0Y7s48tlP5qhI8rxGdbtT1yDySrfrnRhEYs06V7G7JqnGp3vGpMSKx0xKJ1OKkBIrtj/6+nCzZVD4rfLNi1/PuX1OZbpi0JdbTvTxcDfX7Rbr62GNasrP6x2qMZ3tM7EunKXXvTvPpMf07KPcc9xWvjVpOYobpevTCzVJ0lB1id2/VT0Sq8pAMsuRO7Tym6nx5RJb2WcRu0rS7Kov7Wztep6daW3PucXWdBNOPoPMihePzVZ7rOyxeco1mdt2oqdbP9b9EumxdLqo+HnVlPvGpyukvPIyaeIF2jb05z+IzSx6NYPLKd/oUg68383ZfU5rsuTuJFs10hmSSBfvQP0qlre44YDNUVJ+YO/YqXm7fS5iqbwIpV6l3jaf9FjXfERSXNDqLS775g6ZAurPinpKT05MWl1pU/4qzs7T/jxZcT2LNiZmOfFrWLGn29aMq5b/5RL7F7nj2fCfophjfzmXlrC/Dr3jEToneH8RJPZLiNMwhlKAFHrH4zDHq4DEAgDAD1D4jvt93cNKR2IBAACGgMQCAAAMAYkFAAAYAhILAAAwBCQWAABgCEgsAADAEJBYAACAISCxAAAAQ0BiAQAAhoDEAgAADAGJBQAAGMKbJfbXwooBAADUeP8q9qYY5wAAAJ/NZ0iscYShAgCAHwOJBQAAGMJnSCwAAMDP8cSOYuPeFiQXAADgKT5iFTtZj58YAAB+jE+QWN7kAQCAH+QDJHayHoEFAICfgz89AQAAMAT+gCIAAMAQkFgAAIAhILEAAABDQGIBAACGgMQCAAAMAYkFAAAYAhILAAAwBCQWAABgCEgsAADAEJBYAACAISCxAAAAQ0BiAQAAhvBGiZ2snyPOiEPeTtmXmHqNGqCcXT16DePmBBm24Gw0+RF2JrZ654owvPDzTNaXjUk9WCTpbolqm4+d5J1RPYwbW95k/Z29E+Ddq1jjhDauupoqg7FBbdeU4qNxoXvJQaTM8x4jV8uUCPKXsn112BmT7mW55WPcLD4zSvwNRAPYOZilWLvU6cZ9fxPrzPG27njRDoBOnpLY0Fk2IZOKm/WjcJYYO0SKMs97yPMqJv6T9fPsvZ/n2RnjxIReneKrdsZVaKyZXO/OYiZR5qkMprunS6dAYfyySjAhj2SwSWoIH8DZJaxoiTsdRl3sJl6eRoMwbp69c75IVzT6WqNVLXJ2ChmIhGr7Fp6y5XDNpCm2eCQW7uU5iV2/GOfMa7JucXSKY5EwDkRFkb4rJc9b0EeftIDVjnUJuZ4hhS9ZZyp2GmOKhFotKnkqEq2erhakGi9dZelqG4n9MNQG2jPJlO2jp8Moafr6WfRAReGXjarajdtZChndHiopeaozCc2keAqOYridxyV2nZY6Y5xfPjQkVps7PyuxzsT/ljNqj3J1iXVFOq0WrcfDW4rmaKUUpBmfLYKGu+XgNGpT72r/b5TYrfmEjxUH1RGJLdpn1emlSmxhUlJyhxMA4AhPO4pfk3XWBmG16vPPwlGcbMB4l6O4LE1XqZoNip2iHslZxXDTUa+K6zwcUQqqSKwsCYn9VE4vYV9HHMVF+sahtpFILPxRHpNY8TjS+7hK3Zw4ze1OsiccHTB6OSuxtV6q2CkHmHQVK54ohQdK2spUX/mWp6sF1YyXz4XjJZAeOniak/ucQkK7zcZsxxl3Smx1Llk22kqWXu7r86Vub3nKGbl47FualPRMWTh+Y7jOYy/tzOWgn7Tv6ks78QHK7MyBjRInLY2rv6Qkb6f1iF+2X4QDi/PbZzZV7IyVdM7nO6lSj3CZZ33fSXl6UVDN+MWpUF7PZGiDZzm7z2lDfYSvllM+nkgP7mx3WtpQumtKfziitXk1Sx/bp7InQesy6wY+Z2omiSo559IhB4WFa/CnJ0BScQTc9D4U3MG1JSz0krqWAE6BxEJkWwwwd4e/Do9l4Q6QWAAAgCEgsQAAAENAYgEAAIaAxAIAAAwBiQUAABgCEgsAADAEJBYAAGAISCwAAMAQkFgAAIAhILEAAABDQGIBAACGgMQCAAAMAYkF+Fouh7VLT+sPAGGckjKGlKtFqJGhW0fwtvhzowtK4/+92aSjUZvUxgArSCzAt3JjWLtlmOwLtV7NouPkSrTE+7hUhQ8r6GgRe+l786tM0t52aVWeLf08SCzAd3LnEnalZxhTF1giJnp7nTpZZ6eQWmSRR4mPa7KlvOWwcfPsnfN5MVtQdWfOjMRliPqrBW1GL1mHlOo6vyw9/tI1aVFMKvMUceeTS6+7Hop5WuX0ojFM1s+z9361R2S77+MQpYdinBNtoGG8bDVF6YvvxMTrtHtN7wSJBfhK1PXgxUVivz4pKfsFIQ6Iy6ftw0t6HUV+sVqT9evvcTIRTznpLDVmU6ZEkq4VFKu6mi91S3zWSg8HdutSMUnPs8yvYpLekKrmpD+sJq0R7dt119BudqV0pZpq6fLayMb2DpBYgG9EHe96VC5ZcGZLirdIrEi1jIDZcB7yqUisiyLo1qVtkuOJVby4JD7P/XxBuUplF15Z3uXru/0rWjNJz7PIr2aSXni3xDoT/1uuQqugArFmTfwcraf/4mqWpaut7l0gsQDfx4gl7OuPSqzYraPkfr6g/Hbot0cvPfx2TmJreRb5NVtMvzn7EnuyaaZr31LylWpWJFYWj8QCQJMb9zllWbzDUSycwsFRrOnAVh+5D1kTwUSLhWux02+cPMFsrWLrBVWqmo3kqirrpee/dRgvTKrluV3RLWlzopD/WJ6u2tmxjmwhU6ru5a10tZq10tU7+w6QWIAvY8A+p8yTt7uRJ/PPpQfrSr+IpS3396iOzZDrulXFmZDMmXSfjfQsOpdufjmyYWjZ4LQ+yjtQ0M7lLGskL7JSun6Rd+9HNEnLMy2raZKoRlJ0cXpp53pk3egVDjizU5BeoTRdaXxRzVrpk3Wx1b15vxMSC/BdjFrC/hzlshAOcnHi9im8eeGagMQCwC/yI/IAV4nvAD3RHJBYAACAISCxAAAAQ0BiAQAAhoDEAgAADAGJBQAAGAISCwAAMAQkFgAAYAhILAAAwBCQWAAAgCEgsQAAAENAYgEAAIaAxAIAAAwBiQX4WkaEtTuPCJF9/Mw0dNtk/ZxGOl2+mjIOXpqBM8baKQ/O1/oL8GlANhGqNI8mpyesFiRirxnrpO15FfIoba2CtpjrjTppJhm35R9+XkO+5SZdLD2Lb5dGjE+qqdixBjos7Kzco/3at9pSLdMjtyMtSQWJBfhWfiysXRLZe7LO+y2kavy8pLMyOtlkvQxguo3gMhxtc1iOP4ustBNjnmIeoxUkg5bH6UEaJdxtoXZF5Ng8HL0sSIsSX6uQZpK4iJXA5S6/dKdKT1L64oLEj0k+LTtfrXtUuQI9bSnJdIvU23U7KpeuBIkF+E4+aQmbBC5fMC6Eym7N8SX5sGhtEAIfPm7J9gf8ZVjsihQqC05PqEqsSKcU1Co1/S1LGcpTC9oO795kre6TdetyuqhXbu7F0pV7o1ezJrGanfV7VLkCPW1JpFryPHY7ukxBYgG+ErVzPxl7uhAkuVzpEf5iWJyMc+YV/5GppMSpeQs/46GC61/kUCuc4kpBrVVzU8PDj2pBqwXO7V5Mre7T6q2Wy1fVpMulS8/qtgzUqlmVWMXO1m1Rr8CBthQ/Hr0dSCzAj6KOMvtDz1AqA9SrU/rLYXEZrZOxb/sw5SudOLJv65UTq9gdiVUevSkF3SCx1Wd8Pfe4toqdMgVTTbpceuoonuvS1ZDYws7LEqu0JflANTz/PXg7kFiAX+QDl7CvERL7ehkjH32Vm1mqntcDz6SPO4rlYkYp6D5HcbmFrF9iK+Ua50znKvZc6YrP/KCjWLHzqqNYaUtKbQ7fDiQW4Af50H1OIyQ2/U1NkrihdYltK0PxSK5Wo+SZXChULUgeTN3kxcO89v6awsl+WGILPct2j+08iz1eusyuvY0o2TSWeydqO5O6GlNHW1Jrc/R2ILEAP8cn7XPaCi9eYFjXm85oe6EyirVpOLANz5LkYPE+jbLabRZeecuk8dLONu7OszPVgsQP4ZDykDI5nL8lkhSUnt+aTWkmpU9n42KsNOli6erNUqupHtTtrL8JtFP7altK3wTKZoZ9t6NyN3OQWIDv4kOXsABQgsQCAAAMAYkFgL9A4T/ddzp+OM/W6C+XfgAkFgAAYAhILAAAwBCQWAAAgCEgsQAAAENAYgEAAIaAxAIAAAwBiQUAABgCEgsAADAEJBYAAGAISCwAAMAQkFgAAIAhILEAX8vJsHZqWLFKmiSO28loPpP19//52K7ofWVM8Z8k/sHe6h1K48GJuGzFX/dVD9ZKHRnfaUizUUniVCm9ox2OsW0nEgvwrZwKa6cHnVYTZoG67YXhdC+Ud0+o7+wEWc3Dp9/Ks6V3lx+TTdaLGONKUPGeqOf9yc5ze7PRkJO1Vu9oFNb4CYkF+E7OLWGzUbExNqwpw3B8YjgVwaxjOdsiSQzyesDtxtosHxWV04uVx2T9PHvv5y2Sesi2YxEY2JI655rRwvNq6qUvC0GTBf3eLz3aWYaOb5wt46OHu3lZYpOQ543Ki8u1BVyfvXOFg0RtNlrhlTjtylVqV0K2pUbvyI3psxOJBfhKTg6N2WDQOsE4Z16Tdc45O51ZZ8r1wDYEGrNprRgCy9zlz/nKvLC6alw+SM7OvF7Gzd5OIZdWQRlSmLyU07J0pZpq6fLayMWlVnj8NXWAH17Fyi/XJNZLGV0+6XaKwrWrGHWu0mw6qhROqlyleh3k/W/0DrUt7dqJxAJ8I+qw2jHWHpDYdY3ijHF++XDaQLFSEMuulsTm8UDbbuFuiXUm/rfUvVVQgVg57UicUk2t9Mzt0LgdjQXWkxJbGF+xsyKxW9rwsdZsOqqkGN7VIebqlWxIbLedSCzA93F+XDwwBk3WWeuWhZezR/3E+hgkBrTEkr2xcueXCxJ78nliuvYtJV+pZkViZfFvk9imzFUOajb9mMT2O4qRWIDf5dQ+p5X6hg7jsseBxnkfBr7yWdv+g0NlE0nyTDZZxYrHduGpnVpCu+75HpV9ie3bmhyqIZzDint5K12tZq10+VS6Iff1KclxidUl9IzEzsItGxzFmp3bNZL7kLVi1GZTr1LZbFoTN70O2XNgvXc0BLdpJxIL8GWcfFUnSas5RRWJnXXl6pLYxKvqXPb+z7rRJRmmMpuS/Sxx3FPLLU7PNsN4O61H/LJBJxxwRi9op0JputL4opq10hdXQUfh4bK3qtnxElZSUO4k37ZgFQdr5vhovLoFq7yb6+4uZ0IyZ7bfwtxqs9K5Xs/9TukN8ibVuJnJ8U47kViA7+LKEvbb+b1qDn/vBfY4Mjs9DhILAPAM8R2gcWM87DJy5obEAgAADAGJBQAAGAISCwAAMAQkFgAAYAhILAAAwBCQWAAAgCEgsQAAAENAYgEAAIaAxAIAAAwBiQUAABgCEgsAADAEJBYAAGAISCwAAMAQkFgAAIAhILEAAABDQGIBAACGgMQCAAAMAYkFAAAYAhILAAAwBCQWAABgCEgsAADAEJBYAACAISCxAAAAQ0BiAQAAhoDEAgAADAGJBQAAGAISCwAAMAQkFgAAYAhILAAAwBCQWAAAgCEgsQAAAENAYgEAAIaAxAIAAAwBiQUAABjCGyV2sn6OOCMOeTtlX2Lq5at2dvXorYZGE97NZP2pOolLZ6yz0/F8jLvrWsJQJuvLG6Ue7Mqrvw+pLcS4N/WYtxVU5WzfhD/He1exxgltXHXVJZ3E2KC2a0rx0bjQoeQgUuZ5q6Glie9E2tGHuF4v48IYdDwf+AJij9g72JHV7My1dvK2RvYZrfkzrIBP5ymJDcq16lequJmohbPE2CFSDFHDJdPCjnzqvEz8vZ2Wn5yJR+QpzqhnK6eLw/M8OxMrp0zctdMrV8A4ZxMnQaVCsXAxfBg3z9654vSQw1Mrib/OnUvYlR7ZUFqIbJ7tBlFtS1pbrGWgFPQNfTNJ6hwK/Td4TmLXL8Y585qsc87ZSR6LBNmIEivdVEqedxiqdDnZOaWs+83TrcwPtq/GbB1SjiL56SJz4YyS5yTn56dXLoBxIafEAaCb9FLugFdOfyGxT6LOpi5OMvv7j5Ky72StLVU7V1/ZX9I35d2Rzib4aR6X2Mk6OxnnjHF++dCQWG2aPEhis1VsZWFd/rJNGvw6cw6/iul32o0zT7msQRiEkql7pvyN0/fsrZhUZlO/EPAU6p3uaf9ZY/KVdn28+F6JLdpSvXN1lf0tffOVbPNAYP8ITzuKX5N11gZhtfFYy1GczFQHOooFB7qxmDREb5IwOT2hqxvX65X/UncUF/ZWTcqtQGI/jxFL2NfvS+yjfTOrA86fv8FjEitGeu/jKnVzITW3O0l/ZatH3WGolndb1idrnfN2ehnr/Wa7eJACZTsAAAmYSURBVHDTmimn9an4Zytmrecn3u0wimgXvmJSWf+axEZXGLyVG/c5ZVk8IbH1ztVX9rf0zXSXJv3mb/DYSztz2ayT5xPVl3a2fjHPzlTyvM3Q4rlj6gyq770IG3mz/Q9z2OxR+pjKlPPs3LYnOKnpNvtW/X3i+DrP9iFFslVFMym7oH59ArWek+10maxHYB9gwD6nzN/ZyElrIdnBne1OWluqP7NolZ5tXUqOfWDfVNLBz8OfnoCz3PiSFBxg1BIWAG4HiQUAABgCEgsAADAEJBYAAGAISCwAAMAQkFgAAIAhILEAAABDQGIBAACGgMQCAAAMAYkFAAAYAhILAAAwBCQWAABgCEgsAADAEJBYAACAITwWzC4JneaXQOziSz2YXRIJSj96CeO2QkNEKmKYAADAcZ4KyR4CoeVhi40NatsKyZ7GNs7zvMpkndcivgMAABzgKYkN4rpKbKq4me6Gs5Igyi5GY87zvMpknTUhp5j9FmVZrqu99/M8OyPWvjIecyr5SSIAAPhxnpPY9Ytxzrwm65xzdpLHIkE4o8QaNyur2PzLWZby1qyExJpNazM7jJt9nBnI4NhpoGwkFgDgL/G4xE7W2ck4Z4zzy4eGxGqLw1ESmyptUrxYrkoZDifMCUgqAMAf5WlH8WuyztogrFaKW3HWtiSUi9hBjuLNSRwLF3usXENi77EBAAC+nsckVuiY93GVuvy+t91J7nfS8rxGzEZsfEpWs61VbLIXK8vXs6gFAPg7PPbSzlwqllDTxks7m97OszOVPK+QvqkTF6/RIOe8KNvbybh59naarF9MSKxKaoTAAgD8HfjTE+/irleKAADgS0BiAQAAhoDEAgAADAGJBQAAGAISCwAAMAQkFgAAYAhILAAAwBCQWAAAgCEgsQAAAENAYgEAAIaAxAIAAAwBiQUAABgCEgsAADAEJBYAAGAIjwWzWyOs+hg4LvlSD2aXRIjTj95q6CxjvCbB4K8SwubJYraAeGe5nAF8EWps4mrA4vXHvMds7TBERg7N0TrRMoeSdAUfAkmXpWtdpif3NJ3ai2PWtUzXmJUHq9bPia7bPOX8YHX77fj2USn0mjNVeCokewjtlkdRNzaobSskuxxEyjxvNfS2QO9JnvLAFsl9i1F/sS1ezgC+hFw76gf1BFs/ytq4bEHGOdvTA25odUoWWemVLtOkOeNola1ldc9QcNoK/QoN6u333o6nR6Ux7bODpyQ23JDt7kjFrXR4MXaIFCPUcM00yU6byCzH1qDs4qe4LnChEdZDxxezDOdssqAXc8CtwLWQJTx8Nn80SZk+Xqh3rEfgbRxfwi5o/Sg5LVNYs9uvqs1bW/q0DMtNr5R+pJ+nF0RdjmiLtkpeLvT1JIu8msc67Hb1nGkN4pWLXA4XtWoq41KTe2+HamelgXTbqZ8uPKB2W7Lll06/R9U89QvSY9JzErt+CXfNOWcneSwS7mAcGqQLRMnzDkO7r/Jk/ebpdquPO7Q4sQSv21ZKbOgaYnQQJ2vZqyPk4hFI64TE/gzqwNYz2u30I60tdWSr9gw5bp0Y02ulH5BY1bV1djEY+7rIWK9md4eNp3R4U1XDleFCTV0Zl/oLu3Q7dDuN2QY4Zf20a6d2umhqxknlbN1zuWZT8qxm0WHS4xK7TgydMc4vHxoSq800B0lssYqtFaAkEpOmDtuUVWx54ys91pXNckk7+rkRPI3anI7Ns/OlQzmACt3dG0WLohvO584sqqUfkNjKc9fTEpusiJsut74Om5S764Lo1gk1tT4udRd27XZU9Cw6EMo1+L6dyum1G9kvsZpJzazbJj3tKH5N1lkbhNWqTv3CUZx0m4GO4q4fmmXKidAbJba3E8G3cnoJ+6r1o/X0TGGFe233Ce/dElsvHYlVD+1JrPylY/597+3Q7BQ3R8+jbad6+kWJbZnU1YSL0x+TWFEn7+MqdXMlNLc77bpQbzR07wfFbSL3YkmJFU9qip6qFiEbjtjY5+s9dsugcJBJJxd8Oef2OZXpCs3w8ns2/Lc7V9m89fVwMwuZplH6k45i4XkMjmKtmt0dNunue/5bZQzpltjauNQo7M7boY/9iku330719OQccffVS1feIz1P5RJ0m/TYSzuKvzxpYdWXdrYmPM/OtLYR3WGoXCAnJcUNDMXELkmZtfFsCiiTxsnFLN7fyX+YvTXrI5u18EVOt5ThgU6+4SEZHeCrObvPaU2m9CMlj2RXT/pC3U7OyTtu6rKnoOhI1dLLLrNf4Z1enB6sG7oMxMqbTE1v516HTYYbt/d8J7vIleFiv5p7Sn7z7agNa7E6zvnyeuzZqZ2emp+6CPbvUYdJvb0gnM6fnvgb3PhCEzzMpSXs36Nz7gEwBCQWAH4aph/wHEgsAADAEJBYAACAISCxAAAAQ0BiAQAAhoDEAgAADAGJBQAAGAISCwAAMAQkFgAAYAhILAAAwBCQWAAAgCEgsQAAAENAYgEAAIbQkNje8GdF5KM8MmmIxmfKMFBpBs4Ya6csx52IRt2lpwGJlPhWedS8JF1uUv3CqOdXaxSviXMiluRmklnCZOuma7H0tLRV4/vqDgAAp2ivYg+EPs4j9m6xnbM4z8Y5K3MVUdaEpqehzA8Gc66WHlOFAFd7sd+3QFjrqesF2bkuSTmtGomDW9hcGTU3hgpWTFLrrlZTN7677gAAcIphEmvtcsA4Hz5uyUS2lRKWgb6/+L7SRaol66yA8LtQvixFn0XSmnCGWiMlylbzgqgpGhKbpk1PPFp345qLdwAAyBknsZNxzrziPzJVzLeyRA2uzd4h/VDp8WNWeiqHqx1qigPWmCD2ao0K53n1gtRMakpseV1qp+3WHYkFADjIQIldnuwlSrZ92DIOR+JTwG31eWkVq5Uun0kG92tFZmqPXK9IbLtGQdB25hyKyikSqz8y7pTYakEAAHCIvR3FxZqpnlBZLxkjH2Rq23MqzkvFg3q5dEWM9pylRe2vOoobtB/z1k1qrmK1EtRvHXUHAIBjjFzF5r+pSZJNNbrEdux36ihdzWhvy0++5+ewxDZrpNdSHhXbrWomnZXYg3XPN2oDAMAeN0hssTYNB7Y9u5LkoF/WbT79tXjJpLWc6ivdJ2++ZB7Syosr4n0bZzQza9csqXCrRtpLN1nq9BpmJu28tJPMOlTje+ve/wYXAABs3LaKhV9GvFoFAACd3PCnJwAAAKDkW/6AYuFp3XXY/kWTAADgg/gWiQUAAPgykFgAAIAhILEAAABDQGIBAACGgMQCAAAMYZHY/wG7mr92fPbIOgAAAABJRU5ErkJggg==" alt="" />

The Name entry describes the offset to the NULL-terminated string of the library name (e.g. KERNEL32.DLL). The OriginalFirstThunk entry points to a list of references to the function names to import from the external library. FirstThunk points to a list of addresses that gets filled with pointers to the imported symbols.

When we resolve the imports, we walk both lists in parallel, import the function defined by the name in the first list and store the pointer to the symbol in the second list:

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAAkkAAAEICAIAAADEDvc3AAAfRElEQVR4nO2dUYKsKAxFZz2uyw2xFxfCMtyF86FCAglid1W1xTvnY6afpRAwcAlalf8mAACAsfjvrw0AAAB4MWgbAACMBtoGAACjgbYBAMBovF3b5mXdMjFcXxHiefa6zK80JcSjQMOm89C6zMU/8tn+1T9p57xE3bzqgGl8iC/vl0n0uV30vKx1m8yDDyPEP7HwvtO/zYIeX+nvpZ/352mQvFx3kzL2pTcuzyi5ml97r1NAexTDB/lE3JY0ZZqX9dKdQnzPXKDrzrXMy3oImnbKsJwyd5wp/rRbVJfpEEJI9YWQjGr0jvzobaMnxLi4ZZu35V336oq/qtfBMqfbGX5btaFettM+gaqn5IFXObZXyVF+qubXXmQW0DPHwSfQ2hbitq0xruWKr1zWz8u6beu6btsWQ4jiZCvoykog3dc+01zEvYLC5eoxlTxfSl0x3M6rvBZ1jlO5XpWtdGdBZfy8xGU+eyoftkOvdDTGZJ0TGIcYQ2F3MjQGNVeXB/dD62lWuyLLJPugS8+sVAUKttPucXDIbartFPe6bmYRexgLHTWbdneICLyWpTkSQtzKcMhyWvseWeGU3LgIKToxzuydLipbygPKYj/Cqxys7jrvdhj9sq/llPFz0VqxVWI0U/fsJpa7xihWsyR8gjJuy+s8FZGENFsJEYshrRvPICRailZdNHln7v/qmdu2gqtrSodTtez/OOf2GOMyy2OylHh4e90is8y2QWupf86aTxu/z9FpMCZL6nskRnO+r17P68WtbpvYfzEParOazmCZZB9s0L/i1meaTivbkfpTdrnaH6ua6ZhjOlh3h4gqzcisRPqE57SO8W4vTdYGeFV253RhX55H8rUKGsY7buN5R61tW218kMuLung1QtNSVy8+zFGMtn2cWtvEQDBirHIAqRnR2tdWV69GgfWi7x0hfbl/b0w9RzwUQ4jr/kdD2+z1d7e2pUl2LUeF5f7aeD10jJhAGCWWsWK6sno+2Wtv2ZyVmgf1ddlos6LaJO9gTeMBjUM5a9dOa/anE68bzawrMY6FGMOdDnE2gC+afgZwLW2zdxN8zy09tKts0xXthhlxm3OmdZLtNv3aZtxVR9vMLtwni6qRb92Ehm56tE1MrZUPqGnCGTppfMg1v7tl9564raVtYh9+ORVtKfbm9VVGi+wyb/JzbTPvkS7jDEice1RNm7/UtuseqFb17sH6pJ/Gbaa26W3Y12tbc3Soa5Jb3V7fCde5Z3xV32+1reWKzedtFx80+8/Ygah4g7aZUw/a9gz6tM3YH+lYAp+oTbLViO2Ls98RtzX2JEU7z11CtVvRfJfkcjvjrpVW4+s9SREAl0Ik7pF+0SVvY15EGTk6Fe3JW5rGQXlVuzGXJv2Fton+rLe7ikJsbRPPa5KLVM7Q3yGqF66nyvKJm/suSZe2TXK/dL3ak+ycLuzLf6dtnttYt8MqwNE2sdtkrBbKuM24PdZ9VpvG8BHqd0n2YaIe6Obn2jGu2xZDfnp6eEB6ZqF2jdQBsSemC80f6i2n971L4jxwzkNRDQrxVH9W/1Ytaj3E/omN3gd7hy/Oew7iHpXtNDcAjz0scUZ+jWBWWz4xpocd9UHnHaCrW5yX96adPh3aVtyP00cNp93j9ap6cx/ebGbDRYoyeztE19Vqq/cYp7TIMb7uJX1ufnHWOrN3uvAqutqezmdeGy87qW68PFX1u3RzfUPyezR2M88pT189+dKGsn2Yf+e7236k+BQaFj7f+O+FbyQ1eNi3Lb4AR9pQto/z72hb53bX39H33W14LTlEYQ5P5DAHp7sJK6XH8C9pGwAA/BugbQAAMBpoGwAAjAbaBgAAo4G2AQDAaKBtAAAwGmgbAACMBtoGAACjgbYBAMBooG0AADAaaBsAAIwG2gYAAKPxSm0zUtD6VKkhiuQWfalOyrQXL0JlgCpskklg9D8uUp2YGV162mkkrur5VeVbt6ObUGXXKWxd6zaZBx9Gmbz2Q9x3+jdWr+7qSzvEyjn+a69wCuDXimGaplfHbbfdqkihobIiXrr9u/Jv6LpzLWemiirH4XLKXCuLqc6kWJbpEEJI9YUglwE92XDeNspzYnL7Qys/7d9o28NytLQzdL81FUqdKLQ26VUO46UgLTOd//rumAWQEAqmydK2nPQjRhGoyMhkzzm4ruu2bTGI9IjzEvfMj8Ui1F3su9omh5kVnrlpIn9PMTTqsZ/zNQupK6aF8yqvRZ3ziVxXF8kw3bipKLq+HfbdqO77ZPf8ab62WyRsVXN1eTA50150uyLLJPugS8/saWWXNNx7j4NDkZnW7lCrmV7CUtMZbnSI2C1YluZIKPNzi+rV3az3VNwb500XdTNV83Ldi9r5ELGYnHZCPCedqkNknWIZaYwOL40rDEqpbdn7VBySXfL8+9iyOFaDebqXXpr0UCb/LcTM0bZ8opkt3rrYpNwMud4FKQeGqmX/xzm3xxiXWR6TpZzdVLfILLNt0Frqn7M21cabt0MEgKbw5vvu9bxehOu2iX0i86A264xIzYouXFHlRnfpjwz0mb575zZduHfVTMcc08G6O0RU6UVmCukT51X16sW2tW6Rczu8Xq+1TWS7zs0wNh5y8crz0xJSi7o5OtC2f4wqbjPzvGd/K/8oNxukTzUDGutf1mrV2qm3L34RTfkVi9wQYwhx3f9oaJu9/u7WtjTJruXotYapNt66HcomYVR9372eT/baW0tnpeZBfV022qzIdEXbPysaD5IcTMf8jXtbAXmftt3oEGcD+KLpMoAz4javaOOki+liKs+u4ra6txxtS1fKQvZBWDWRPNfQfN6mptPjH9nv3qRta5p+jZixMvAdcVtL28TzguVUtKV4hqCvMlpkl3mTn2ubOMWu+jTZMczYDf6ltl33gJl0vCsT+c/jNtO99Tbs67XNLNM0NrnV7fVd4TpuCV3aZpjUKPMN2mYOabQNKm3TLzysxUgOxYppqgf/KiMuY46sxMzZk8yW+E+G3xO3NfYkRaBy7hKqXZXmuySX2y53rezbk6xuh1yeyIigvu/Ozo4RCqr25C1N46C8qt2YS5P+QttEf9bbckUhtraJ50rlVogss7dDVC9cT+nGE7ffaJt3O6xmWgU42paXg8JB3bjNaLbVf9VmLAxOrW1uhKOnwmPVfviffJ5dv6lgbIIVe0bpnWBRb5INwyh9+fveJXEejOeuUINX9MKs/q1a1HrY/hMbvQ/2W1PfjmxljKvfxVXzxWaZukbdu22LMaaHMvVB5x2gq1ucI03fP006tK12Rdu9Y9jj9ap6w73dV51cFynK7O0QXVerrebjpqtt32yp2SL3dpTN1Keq9kj30Q09XtzJfrfrWDrzfPxZvfriSRvK9k9x4zsAD3ud+n34keJTaFj4fOO/F7459RU40oay/WP0aFvn4/uB6Nru+jv6vrsNryW/7f5vDIJvhRUITNPEb24BAMB4oG0AADAaaBsAAIwG2gYAAKOBtgEAwGigbQAAMBpoGwAAjAbaBgAAo4G2AQDAaKBtAAAwGmgbAACMBtoGAACjYWqbnSz6Bfz8Z3zf/gOoOrFHX/qUN/XSfb7aeBMjmbJPleTksx3Cj/MCPA9L296VzOaH6VdCyDnvQ3jjb7Bn5e2x9GEpf15ivHn4jxp6WzHcPLdv7xDyCgE8jlLbnKSKwclweaRv7Foa1zOAmS7Ruq60KMQzs6YuoDRzz7W7rtu2xaBqs5bpKkd2mljtM81e6mvRY41/vbbltDDxTGC9pkqPv2O0mzkv8XQuOxVn2c2tHO5v7hCygwE8jZ64TY7cEMudnyPF8uUi2xj/fdp2XrzKKnK+a5XX/gzr8sR2GHxkyj7Dv2iJQnXR5J25/8uc9nrV+oHGv1rbslOI7OTSU86/zWZm5xK+47pibedHO4TIDeBhdGhboVvi01vbRuVUdIM0963VtDg5q3IR48SQ/7efqxbqOhosFu/OmUU/3OVxxuvHU8ep5sGb7bSS2qa6yz9UMwu52A/6rli36aMdQuAG8DC+QtsMLHkQNeSPrXnTsTtpZy6o0cIXa9sjjH/b8zYVJB3/yOW+Sds+2CFoG8DD6NuTjPYC95a21cNf7jrdxZaHPFk2Qx9nC0k9oVnrTcPy7PqDzhY903jvsPl4qeMJq9pvVRuA8xKXIHzHa6aMuMRDOMew1vO2N3cIe5IAT6PQNr3tYm3m1O8z9O5WleNfTV73OCqPQb/+nazfX1CI4ThwvPGyLnOalVVD1YG0T1YWmj90eqmzRQ81fr+u87XAnpeHjLplH4i3GI1m7oeW+r0RwxWLvUK1ffiRDkHaAB7HJ7+7Xe4yjbaNM16LbIQw/byIkbQAaQN4HJ/9XZKff3cbHsOvZnL79ZLvhu9uAzwPfnMLAABGA20DAIDRQNsAAGA00DYAABgNtA0AAEYDbQMAgNFA2wAAYDTQNgAAGA20DQAARgNtAwCA0UDbAABgNNA2AAAYDVvbOrOYAAAAPBBb28ZKQQIAAP8WaBsAAIwG2gYAAKNhaht5hAEA4IsxtC1EXiMBAIAvhrgNAABGg+dtAAAwGmgbAACMBt/dBgCA0eA3twAAYDTQNgAAGA20DQAARgNtAwCA0UDbAABgNNA2AAAYDbQNAABGA20DAIDRQNsAAGA00DYAABgNtA0AAEYDbQMAgNH4gLbNy7plzl9gDlEcXJd5P21d5vOyEPd/phPFZ6qAGMKyzEWJW/u3nrtrt40XjTqu6Whk3QSvj87r98v3f8i/7ebshZ9V2l3nNPNO1znG/+aXta0CvI5/CCGevYh7f617z0v0LJ7kLf4J7UFhd8gjaHfKSyq4O7Lz/Uvu2GPjZ+K2nDOnSHuqkunMS1zPT+Xf+3mLbM+8rHJuOf6W3tiTpqev9tr4eVm3dOaah6ow6Ryxx/lxma/uiPg0d5I6eHG1ZfFUdZ3TzDtdZ3z+66RIVgGq49vzzIeTMrlejHt7PNK9G0mYX5CfuX2PzA55H10OE0KyK4Q3WmT4UvPs6pSuHvu0thU+XA6/ZdkPhLief6bTrgfC3mX9C4++2ivjiwrOz8X4Kc7osshp3lHq1c2cl7iE8zLZLqvrjGb2dp2z4AwxLscncqWfpkq57F5jVGdmM1Px58kykEhtMxfrxkLQi4h+T3kzcO9vdW930VQaJALZZTmvsDwsnRhDEH1ch7Z2h9hOm4P42CyzQY+2yZG05uFmDdjSzj1iXtej4eJky07bl+wzxdDW3Ww0W1X8eW3TfVwNvznEGKb8H3lW7gbnRskNi5tmXdee/yxqP83KNyzEzTyjiXSsYuZcY7xapuxVhHNUl92dLXCaeafrzLjtNFpMCuaUnyMBNX0kOxY5fvT6fD8hpNJX59TzmHmm0Zqt4GoSqMYV7v217u2IanGLRYtDPAqRp6TP84liT1IHjdZethgHhtNag8cus0Hvzsa8rOsq76c9YA07j7YfHXSGf6adli/5LTJNN2/c32ibpb2TNfyyU6TP0h9zuXLL/pFWar9a2Fq118a7g99bSN1f2K5q/Hf4pdoXMiauVLrTzDtd196TNKfoYvKpWjyFuC/3XJ8uZ6lyGek4+j016KOc23Hv73VvJ3DTt9gy0Ixuix5fj9uml071MyO182u4kpDB+rQLBy92NS7GQtKn7vhSBmhy5XHeKrNyw5caLfK07WpUfzxua3yQRlEI8jMjLNWOJeaEe5NYT+2G8VebNtXcd3fwN7e2Lq7eRcIaArrrqk7u77r3aJsYuUY9aRlovwhQm+SdabRmK7jqbEPbcO8rYx7q3h/QNqd7rA65dNqzHf0LnFYburAGrGmnpW3N3XVVUKNFI2mb/sw8RUWk9uDvuJkdtZsFXT1sLwPm24O/9UrC1dWzfIJet+/6acplfelcuUViapvctL+O2+qdoKpQFW4oi0uTvDNfQGtPUoN7myc9yL179yRVELVWNeV6hMuam+9Gk2SIZzit2goUfn5Pq16sbYadlrY5dlq+5Leoe0+yeE32s98BUGuhYs11Hjh6RkfS6uD59LlYaFcL8MbN7Kt9XWbbeFG9fJYqzjofQLmPGdw+0qeKDxoTtH6csC+G7vTncqPr6saLF0DOT5K7HqeFY5PoMGrXsXTmuYVUHasNylXHuFr9VL9iUpz5Agrpwb2v7Hmse7sTav26UH2xtX8oOzTGYoTk670OsZy2utjo02vv/qG22QO2tjPPAcdCNm0L+20vfMlqke4n/S6JKW3Si/juNsBdbq+a4ZE07iO3+Mk40qbXR2gbwH1+98VeeARXD2K5xQ+l73Hj2NpWvyfQF8A/16QHtgj+igc6A+4NT2FsbQMAgH8RtA0AAEYDbQMAgNFA2wAAYDTQNgAAGA20DQAARgNtAwCA0UDbAABgNNA2AAAYDbQNAABGA20DAIDR+Ji23c+m51MmaL6oeC1+lE4nTuj5sTo/5/AvUXnHCpvMnCdFzgz/6kY7vbSH6cSw3Gzl/R69Jtljd3nKoXF58C3kJJEvq1EWVTvtK1GJ9eqb5vtN8rogkvSdtynGM7+mQqY+Mqr68azw6563CniHI3cT4iby+Lxuunnl1PtNfELbQgipg498uL/l9u0q0hfl3/juyWXx47x+F+i6cy1m+sNpmnbNuUodqXMZlmXW9RafllmQaszuUDW9rLtCjIt7qy/seCOqiS+ssfLSd7SlJ7NofTeFq4m1pfit/DNLZZmbskqsWma/62xjO9v7z7AKsIdM9+X9VRujTCRefeXd/0fz9XxC2+RiSKW/PZdHMabhoyOTPfPduq57OBHFx3HPglcsr9zFvqttcmxb4ZmRt/6F/SKN0umARUZ2LXXXmYVVi8xwrRy13lKh7hAnZaiVJDvdzr2UOqWjNEHEBMsiOj+GwjiR2VDNQuVBp3Y7Aq9c0T14VqfXJIuKqp1Whng69FamWaxbVPZpw/iblBPdhbbZXpfP8yyp1mWmfzoCMhf96Xhd3fM5FpOTidfzWYfXTZxsDJn6bnoD4WK7QXfeVsSG8xJzSKySW29VK41Z0fUQW6XVlQPyqT3JeVnXVc9RUThuikNknvUo0uye6xw5b+Y7nfRQTiStaSKPtHyiHKd6zPasoOrsHFfXlA6natn/cc7t+3aPOCZLObupbpFZ5lm3J6vyqN0hV/GSridtqiqd1oYKk+V6VocA+kSxo2QeNGu3W3ThijJiOQ+Uwpj0NHdCSA1S82F5pmt81dG+f96hmuautM30OnmmPZf72lYMTSOouDJJ1l31fL3ImuyeF+fKTXhzyFh30wn7zDNd5ER2GnwUK7StLtOcFX0PMSM3tO0VpDthLVeLwCuNef1HudUh71UzoLH+Za1vrOcE9sUvoim/+z+O8DSGENf9j4a2WSu2hrZZp+V7EoPfIY62WT1XzlL2PXL6Nx2e66XslH3APGjW7rXIdEXbP49iHNcy9wDKqUv96RtfftjwzzuUXucJSVHP9RCoJMvr+0oEjZiibwPS7HlH26qeP88tH97b2mZ6t72lWZ1Z3DmrtYeTqY1cI26TZdazYsNDLrdXR+QJ70kWayG5az+9Tdvy03QjZqwMfEfc1tI24eTLqWhL8QRDX2W0yC7z+HvVyzojpHY75MZzrt9om7Eb/Ettu35Kay62y4Md2iZOsafV+9r2ojcCWtpmCkR37aYTiXot/5ysaTfEbY1xjUF99B5tqweqMWTsu2mZ5J3ZQD8IF4s4oat1mdas2KgRbfsg+oWHcp4Nyv9sbZNxhHgIN+nL3H/WL1b4T1zf9kzf25OUT+DXHJfl4EpsY6Xw1npVxI4p6raakuB1iHq506hJlVsMN/seSQ84u8Wc2IvtznPwGwed2o0Wma7o+6cb9E7qvok1dytu842fyj51/fPWG4OtPcmGtlX36BiUbhTTfN6mF6ZFs44D5TtNhtc52pZFVETmbtzWcTvtu2mZ5J3pUD5xU2J8vlViltmx4pdYn+jt0AH5Q21zIxxxC/NT3sNT5TsH9U6/EbwXz3z33elV1ZtkwzBKX/6+d0ncp+WboSOT6IVZ/Vu1yH3vw3J1ebJtldQMXb08T8aMZs952zuqHvWakHyzQNYUz8nLOujUfnWL8wrZ90/ZfeI1hPMS7Ur7OwyiTftsapwpjDec1jfqlrSVqr1pqu7UUltWbndy7UruiLNn3aPYdV0Lp5UVeT0v3CUcPWP3/Nlv1bGGN+S7aZnUOLPCeNilX/wvHsTKMu1ZsbJfDVhT2kZWtmfsSZa8J0x6IP46a8x6h+FRHdgVIQgeZfyjjBkVR9rGVraHaZv/+H5Ufv6+2y/4V7/L+Ur+5MaZ/EAdnmQ8rvh2/tVOfpS2AQAAvAC0DQAARgNtAwCA0UDbAABgNNA2AAAYDbQNAABGA20DAIDRQNsAAGA00DYAABgNtA0AAEYDbQMAgNFA2wAAYDQ+pm1VTsTjYJkgo12Gm3rqx2U20Skven6S9pW1dxj2+tyVAAAD8Kdx271kNuoHz0MIOS1uEKW8OkFO1tOeH1z/THqetE5o5hsFAPhn+YS2GUGGm7myWYqVqFBeXZeZ8zbuF6S0f0eev6Jumfl0SZmvjYy9Vnh2u0U/pZFM+ym5SwAA/pTPxW1mmvpb6YLLiXte1nUtN+KqMk0lyFmshWSKbdOc7zFrW/5Y7o3qfdKeFlXJjkVq4K4dUFmJqpDIDQBgmqYv0rbqed1xoHwG16ttsYrGbGuMCK3UIWHAR/YkW9pG4AYA8M3a1lvNr7UtBXCnAY23Nj4dt2lT0DYAgGmavkjbeudtQ9uyOG1rQ9tUCJiqU8/b1mof8xct+jlhSSHkIvuEPUkAgGmaPqJt+kX6Q170wfvvklxXJCXpOBCON0uOICmG8jUXET2JF1D05/qD/OH9Fv2cZOeKtAEA1HzRd7eZutvQPwAAB1+kbfV7IyDgu9sAACdfpW0AAAAdoG0AADAaaBsAAIwG2gYAAKOBtgEAwGigbQAAMBpoGwAAjAbaBgAAo4G2AQDAaKBtAAAwGmgbAACMBtoGAACj8Tltm48EMwAAAO/lT3OTAgAAvAG0DQAARgNtAwCA0fiYtpEVGgAAPsSHtC1EXiMBAIAPQdwGAACjwfM2AAAYDbQNAABGg+9uAwDAaPCbWwAAMBpoGwAAjAbaBgAAo4G2AQDAaKBtAAAwGmgbAACMBtoGAACjgbYBAMBooG0AADAaaBsAAIwG2gYAAKOBtgEAwGh8pba98GeXZVHzsm7b1lNyiFtmXeZXWNKLqrvL2pdUmls5L/GzLQYAuMtXatv00ow5RVH9JX8ka49RiRSaj9hQ5JUlzSwAPJ0v1rblCLNE3JRimnQsxG1bY6zOPGO0LYYLbctxUhmgiTPnZd22dV2PAo+TQ9y2dQm5qrrQVOZu0LrM+0cxSCP19bu26fDJutw+2F27LLs6YASrqdkAAH/N92qbmMDzpB3U9D8dn1dnhqj2IRvapmMkPXOXZ24xTFOIm1CeYstzv15KQ7bkNGbdrzuFy4zbbK21Lq8P3qpd2a1qqiM3tA0AHsP3apuImaKM0uqQJJZ/Kr0o52n1YflwS03dpbbFkP+XhURVFauAy2mJU8lxqI7bvMurg/dqP/qgNMEO3AAAnsJI2iYmYUPQpp9oW/O9iS5t0xHQC7WtBm0DANgZS9vyE6lm3FY+KWvsSbbem+iL22pLlIjIQmxtO67PhiptuxKn6uCt2o+Ke/Yk85YmAMBf85Xadrxjse/Miff207sX+9sjx+Ov42P7zG2LMeqiiu1HdTg/r9MnZov290fm40HbvMRlicXV5t6p+7WC3KgUnWoOSTUud8q8U/thwcXLJVOh4gAAf8tXatv3MMZ3wTq+A8AuJQA8CbTtjaRo6Ou/DsZ3twHgq0DbAABgNNA2AAAYDbQNAABGA20DAIDRQNsAAGA00DYAABgNtA0AAEYDbQMAgNFA2wAAYDTQNgAAGA20DQAARgNtAwCA0UDbAABgNP4FbTNSVwMAwMB8qbbtCTuPVKA5h0xOsWlmFpWJSUWKUpHYuiwzxDPRaZWzM0QjjScAADyAL9W2aTq0aF3mlFFMJhnTf1dxmzik0pFVZU7zsh7SWaTkRNsAAJ7KV2tbrAMpQdKdW9pW5t0UR0jKCQDwHQykba70oG0AAP8WA2lbuWmYSPuTeX8xHQpRbSz2a1vevQQAgIfxpdqm9h+zwqg3R7LOpcP1mesSzjdLrDKPYzGkC45S52VF2QAAHsqXattfMy8rygYA8FTQNgAAGA20DQAARgNtAwCA0UDbAABgNNA2AAAYDbQNAABGA20DAIDRQNsAAGA00DYAABgNtA0AAEYDbQMAgNFA2wAAYDTQNgAAGI3PaBsZYQAA4HN8LG4jaTUAAHwItA0AAEYDbQMAgNFA2wAAYDQ++J5kiFsMn6sOAAD+VYjbAABgNNA2AAAYDbQNAABGg+9uAwDAaPCbWwAAMBpoGwAAjAbaBgAAo4G2AQDAaKBtAAAwGmgbAACMBtoGAACjgbYBAMBooG0AADAaaBsAAIwG2gYAAKOBtgEAwGjU2sbvGgMAwHdjxm3kowEAgC8GbQMAgNFA2wAAYDTQNgAAGA3nPckQtxg+awkAAMBrIG4DAIDRQNsAAGA00DYAABgNvrsNAACjwW9uAQDAaKBtAAAwGmgbAACMBtoGAACjgbYBAMBooG0AADAaaBsAAIzG/7116/F2mvqlAAAAAElFTkSuQmCC" alt="" />

Protect memory

Every section specifies permission flags in it’s Characteristics entry. These flags can be one or a combination of

IMAGE_SCN_MEM_EXECUTE
The section contains data that can be executed.
IMAGE_SCN_MEM_READ
The section contains data that is readable.
IMAGE_SCN_MEM_WRITE
The section contains data that is writeable.

These flags must get mapped to the protection flags

  • PAGE_NOACCESS
  • PAGE_WRITECOPY
  • PAGE_READONLY
  • PAGE_READWRITE
  • PAGE_EXECUTE
  • PAGE_EXECUTE_WRITECOPY
  • PAGE_EXECUTE_READ
  • PAGE_EXECUTE_READWRITE

Now, the function VirtualProtect can be used to limit access to the memory. If the program tries to access it in a unauthorized way, an exception gets raised by Windows.

In addition the section flags above, the following can be added:

IMAGE_SCN_MEM_DISCARDABLE
The data in this section can be freed after the import. Usually this is specified for relocation data.
IMAGE_SCN_MEM_NOT_CACHED
The data in this section must not get cached by Windows. Add the bit flag PAGE_NOCACHE to the protection flags above.

Notify library

The last thing to do is to call the DLL entry point (defined by AddressOfEntryPoint) and so notifying the library about being attached to a process.

The function at the entry point is defined as

typedef BOOL (WINAPI *DllEntryProc)(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved);

DllEntryProc entry = (DllEntryProc)(baseAddress + PEHeader->OptionalHeader.AddressOfEntryPoint);

(*entry)((HINSTANCE)baseAddress, DLL_PROCESS_ATTACH, 0);

Afterwards we can use the exported functions as with any normal library.

LoadLibrary执行的任务就到此结束了。

Exported functions

If you want to access the functions that are exported by the library, you need to find the entry point to a symbol, i.e. the name of the function to call.

The directory entry 0 of the DataDirectory in the OptionalHeader contains informations about the exported functions. It’s defined as follows:

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAAbAAAAEdCAIAAADirqVNAAAW9klEQVR4nO3d3bmjOgyF4amHutIQvVCIy6CLzAUCS7ZkTP42JN97cZ49CcGGEMVAjte/AQAwDMMw/PvrDgDAWVAQAUBQEAFAUBABQHyoIN6m+X5P485SY7qLebp9pF9vlDdGtuc2zWbDxrT8c1uw2Ojt8TSO03Qr1nhv7U9vyeWxpY3l7zQO8s44q9wel175y5UNxe9b0E61lzob2lag+jlOSe/OsktHtmj5l/471nds4xp0QRzTO9/W/bU/1f47Ov+CdZpV3KY0z/Jv/fey3DSlXE5u07x+km/TvH6Gx5QrTrtz3pK3aWvwptvKa1qXuE3zfevn9mde57Ymeamszqy1tS/U1nnb4jQUbpGpZMv3i9el7i0yW7GzQW7ncWlrQbRfl/d8vK1fqOvfU1q+jOdySOEO7255uXzceEvWI4VYHjqltH1+6y/7rff5iz5/metNMx2dp2mqByoPjwDKgjhNywNjmtc/t8X2P4nLB7jnY+ovKYVoTGZ7VB+XFxQvW59XJalYoqtwmH1hXxEWRLWcs0WtZu1zx7ZIHlZFsnezcHU7I0R9mOgvW1V01pOwuTyeBvXBU69xl4zad+Qu6fFB8OJ8mrq+rPr0244OY8pl8g0jxOk2pjQO+T96Kd0ht+X1q2D/ikK45DqQ8vu4/Fm0nnfdXO8vs8Ren9SL4n8EDTlb1Hp/mhV3d4vGNKfUVQ4piN9l95R5e3D7w35x3uILN0UxmGVoFFzi6T6y1Ngt/kyZ3rnbo56MGn5LQcxfDt6uLXqUt3UbVz4zQlyemItPunpL5vJLQ/cqvsT78oLoHh3VFr2gIIYnJd3vfec4Etewfw1RvkX1BaD6ZMT9RLgFsfHZOVx/9i+pnbEgDsM46gtw3uWC4ITPjqjb7XpLyoC++AxXm7l3glkOEN92yqwbcrbodafM1Rb1vvf1C3FptiCq+2/22B3NqfOsb91t59H1gWGKz5wvTAaHUNcxqF/unn2bznsFMX8G7vmEyVxNrB62O+QItyDa59xFzF7yC2Jzd3lLmhsHc+u7ZO8WRPkmHi6IQYGqO58bcre9eOPifX10ixgh/ijzs5vyhwkrfV1tvTVQnbWauxDmvsbySEr2/oxZ0t7CaA2DvGb8zgf3adbl5M7Q9tHwVhrtkB5V8+sD6qZOsSW5a8VdHWckWW5+3LYsKY/p6xZpjC5A1Juubo9tTRSvb35nBDepGj+7MQ2F2+68cUGXerdIv77nfeca4jfp+h2ifcv7hgPAb6AgfpN2QXSGD+rnwh/oHnB2/DD7m/C/7j2pOpf76LfF37Z+lS4BvSiIACAoiAAgKIgAICiIACAoiAAgKIgAICiIACAoiAAgKIgAICiIACAoiAAg3lkQnVgzd4KrYlKwZihaFBL3sr5KeNvV/o/9JycqZZ5TYBjePkKsg9bKycPGLdKpNX+nnRbWneb0CV5420endfpYU0xVBbR8rCAWYQO2Ph4KRYtnon9QGHGXJjOGlUeruUOdeL9gycEMRdvxfk7eh9/QuoJqDvx1jc1swujlVT/ddaqHvyBKG/hgQRxUpNttSikt6VQmbmnRDkVrxRM930n9sJrPO7c+bvVOl4A63s9dsjveL8wmdBryVnEom7B+wu1nsE4KIr7H5wvilsU5pllCOY+Fon2uIHoRIFVEXbVEfn21ZHeaVZxNGI2Jy1UcySasnggWi+IGgG/x8VPmIae1jylN+bHuULQPnjJXBVF1pBnrFizZXRDj7eotiPqZvWzC6ondr5n++D/gSj5XEHV03JxHgDlkqjcULQ5ve6KbTnhbO7DUBm95BdE/N+6M9wuz3PoK4rFswurlbj+jdaqzeODiPvezG/eilEkM7QlFi25BPKsMb5N2JMW4evx+n1Naf5jjx/t5SzoN+Rtf7j0ndk/dgK9PrvuzCd2Xu/2M1mliaYFL44fZeM6rfvsEnAAFEQAEBREABAURAAQFEQAEBREABAURAAQFEQAEBREABAURAAQFEQAEBREABAURAAQFEQAEqXut6akfj6N7VzpgDmpZIhgAvBCpe9sKb+7s3U+vdujoZ28Qgk1naUSyAHgEqXubcl1VHN0yM/Q83+/3NJpgJTf8xe1nHcV3IHXPm7l/9+V6wF11fgldHYu5eNUamOoQP4XUvarVxhas/ZDhmbwiSMhz++mH9vWn7rnZpt5OcBpyO3+bZj0ndhm4SkHETyF1r2q1sQXrv8xJdnQJ0i+IbmjfgdQ9tUQzXDTO/CuvEOjwlleOuIHrIXVv82hB7Il92saSfmjfgdQ9bxFvgBln/rUumVIQ8dtI3ds8WhCjhDynn1FoX2fqXnSaXb/cbSjqvL6emXcBWXr4QaTulT31f+Bzn6dbTuJb7kXctutvdSBd0M8giu+Z1D3/5VVDUeeXAXu9P8nSwy/ih9k/Lhhkk6WHn0RB/GnbmJMfMgIDBREANhREABAURAAQFEQAEBREABAURAAQFEQAEBREABAURAAQFEQAEBREABAURAAQ7yuIpwzYi/pZzJy/N9FLMANiUzGPwvrPF80p82g6IADlvfMhni5gL+rnPG9dyn+/oyFvYnAAJ/GBgnjCgL26n9M6m/S8/ukGOukpWovwKXeGVpmPVU0M7kUhONkx7sv1oikl9bXijKGrLo1pnS62GpiSJwUMw/Dma4inDdizttirIf9nGKKEvPU1ubTp0as5dc1n4yo/IZexOijBtlS/PH8pmMnGzYobXcovKs75KYjAMAxvLoinDdhzupnzOMdqhOgUC1VR4hNhb1BrE01sK0VTzsvVddVqQBiH563PqYdJkwIcby+IpwzYq7t5G7YR4ZbF5CfkrQ89WBCXB7tKU3OLy1ErBRF43nt/dnPWgD3LLx9RQl7VyThR1O9zed8mvGVdvdzeb2oUxKBLUUEkYA9YvLsgni5gz+tjXr/+eVCUkLdugjmbr854w4Q8pwL2Buw5y3npgEGX5JE0lrdhCNgDBD/MfswXnXISsAesKIiHjE6CMYBvQUEEAEFBBABBQQQAQUEEAEFBBABBQQQAQUEEAEFBBABBQQQAQUEEAEFBBABBQQQAQepeO3XvdWl2pO4Bp0fqHql7AASpe2HqnpNmFwbXkboHfANS9+LUPa9VL7iO1D3gS5C6F6fuea06sSSk7gHfgtS9KHXP6cLwgoJI6h5wXqTu7dzr2C+IpO4B34LUvSh1z0uzi4LrSN0DvgI/zP55pO4BKwoiAAgKIgAICiIACAoiAAgKIgAICiIACAoiAAgKIgAICiIACAoiAAgKIgAICiIACAoiAIj3ZqpUsXlnjOJT8+e/OAoPwLW8eYRYx+adMYrPTNlKFh7wsz5WEIvUvVNF8d2mNI1VDFSVW7dMLD3P9/s9jSaXyU+EIbwJuJgPFkQdu3euKL6lvXFNIt0K4rhVxqIfMhO49DOMzaMgAtfy+YJ4wii+bdSq6qJpXg0FddFcX3A3KIDAVX38lPmMUXwmNTk3ru7kpEZBJMAO+BafK4iq6pwtik/nv2+3V8xIsTVCbMXmkWYHXMnnfnZzr+vLOaL47G9t8sAwdyilWbU9T7cx5WC+5TKAE4dHmh1wNfww+21IswOuhoIIAIKCCACCgggAgoIIAIKCCACCgggAgoIIAIKCCACCgggAgoIIAIKCCACCgggAgoIIAILUvWiWMgA/h9S9ZUXJmYkWwI8hda9YjWnIS0nZHk3JSV8hdQ+4MFL3lgZn55TZSd0zaQPrSJbUPeBLkLqnGxyKM/Z73b6qnfViziARwHWQuletZktbdlL37Latd4NI3QO+A6l75XrWltzUPXtzJ98PJ3UP+Aak7pXdrH/hs6bulcvqgSqpe8AX4IfZb0PqHnA1FEQAEBREABAURAAQFEQAEBREABAURAAQFEQAEBREABAURAAQFEQAEBREABAURAAQFEQAEKTu6Xn+18mvj8xSM6bn5zwst910rd5hH5qc20zLC/wCUveGYbhNafbmn+1/+TO98Lc96Mobpgt/UQwD8AVI3ZO1jHlC7yX5xc4JO083mQB7nu/3exrVuFJSYspBq5MIs61reU7WH2y7OxJUuTR5jUU/ZdSa0lwNI9VQdJqcQWc5EC8qZZVDGDbkZRMOZjQOnBCpe1t7sqptjX78wX3pr1TItBWVfKI/F30vovjy0qbZctuDjXNO6t1IhTzWNOELzrTljX1on9Dj8bwmtyGvH7n7FEScFql7ub2iQPkFURfNXBBVJ9a1RFf7qmsGBwuiHSEG/XSTpqN91VcQg5GsH2ldZxMCV0Dq3lCUjNcUxLhj5TPBtpd/dz10moKol2NAiOsgdW8o6sh2e0WX4/vcLoj6/HO7aR5F8RV9fvimyvZQ3U+/TunipE6AdXygGdCVp8zesNRryM0mXBvgjBknRupecVnOxDGvNwvGab7f07T8W+6JzNNN36Iobze4UXzBnRLnZzd2O+tfIhUX90w/x7WdNJZ3R1QHzOCvaL7Yy/oWin3IbyjIJrTfHMAJ8cNsfAoxhDg9CiIACAoiAAgKIgAICiIACAoiAAgKIgAICiIACAoiAAgKIgAICiIACAoiAAgKIgAICiIACFL3LpO692Q/AewidW+4Turek/0EsIPUveE6qXtOP82iemzt9DMOqVkH3CTk4ceRure1d/7UPb+fwzhulbHYX7affpdIyAM2pO7l9k6fuuf305nZ3+1n1CUS8oAVqXtDUe9OnLrn9tOEwKRGQdzfVyTk4deRumdWc+7UPbefZqTYGiH6XSIhD8hI3btM6l7Uz/zilGa1j4p+BnF4JOQBGT/MhoeEPPwkCiIACAoiAAgKIgAICiIACAoiAAgKIgAICiIACAoiAAgKIgAICiIACAoiAAgKIgAICiIACFL3hjqUxNuOsin3wZfqiuKrJll79xyGZq7e77E7V6T3ivJIzOE0ZrI3d3K4Jn+q+Bd6RVTka3rRt5mfO+pI3VNdncL5Zt2kgnfm3vXPGls89KI5c38s1M+dK3x3AnHn+GzPfx4fYMV637/vX3WcPOGUhxipe7pNuzo1Ra0pwuWDXpbecCjirnrwQBTf9rRNiyojA2VUkNJcdUnPc7t9PTVG58VhXI2vw4bOGu93fHi48I5P87IqD6InxqF+i4MDrNzzcdqiu83tqMjZHn/1G3dgFOusNJoq2etocdR1hEp6R/c6zXPxQSrbJnXPrMfUXTMldRlgUpwyl1l6RyLunAcPJE8N5Vza5VJemyaRwZnLvLFj7RN6kG53TtXQaeP93CrV81W7c3x6tbHrG9zb99UB5u55N23R5UZFDl6Co/vGhaGSXkPOERJtZsQuG2xmHD85FEEgcedJ3bOrKeOk1g7NdZ0yx3udpXc3mhF39YNHC6IdIdqlTBJLdZBHO7CvIAYjWa+hYNv/3uOXQ4Jxhlf76gPsYI/6ssncLB2Xl4xmNskPw1DVxTu8vXa6M9RayoLobmbd+aJWzEVZcTpP6p6sv9w/TxbEByPuckTVkcOo/dBpCmK9mSfw8PBwiI5PeXlRD3vPEJel/6ggugmO3hb3f+4+VxC9zrsFsdl5UveG4DNumslnCs6Dbk/6I+6iBx+7qVKuSN9PdOuULk763MnpidPY7jDIvbh2nni/x+6m1MtV9WWeo/es57tyvyD6e/5QQayjIt0Ex92Dti06cXlDQXQ6b+573Ts6T+qeubCsfwmkTxRS2i7g1A8GX/+9EXet3Du7SieKLzwRra8lSzfTuD1Xn/+0mi92fXUlW52neA2dMd7v0bspspjZlvztPpRFJDjAmmt1dmh5gJV7Pk5brCwL1L8GqhIcyy6513l2PofOabi7mR07RGVd1pvpdV61ru/xx53nh9n4U38Z7/fU8BBX0zUipSAC+F55MNj1RUdBBABBQQQAQUEEAEFBBABBQQQAQUEEAEFBBABBQQQAQUEEAEFBBABBQQQAQUEEAEHq3qBmCLpe6p6aft8JEkAvUvf+AKl79eTYpO75+ieINZORnjLI7AJI3fsDpzxYSd3TbV4xde82pWmsp0wvR70dWWWXSMh7B1L3VC+9MRupe69C6t5gtuMNqXvLc3ZS9WFoJJDZrLID/ZR1fF1BJHWP1L0NqXt2NddL3VPZXbfBGSHqL1C9EesLDvTzO5G6Zw57Z9xG6t7LkLrXaLNx2erAYWRKuDq3zuf4qVEQH+zn9yB1T62N1D1S94o16uGpuWqxFhrnQbcnH0vdMymj6+2VIIHMOYz6+7n25avOmEnd0xtC6h6pe9uXt+zbi6Xu2d/aFJc47/ecQBZHsvX2cyg+RV+A1L3oCCN1D9jzlwl570Dq3k8hdQ/AjyN1DwAeQ0EEAEFBBABBQQQAQUEEAEFBBABBQQQAQUEEAEFBBABBQQQAQUEEAEFBBABB6t6gZggidW+39fYL7KR1j+6fKkbj/Ujd+wOk7tWTY5O65/vb1L249abX7pBPhrKRuvcHSN0jdU+PIs6buue3Hmymt5ecId6Y1ok77Q6JR+fV5+VtQYCk7qleem8HqXuvQureYLbjGql7cevOZgY7xFvNusVmvO/EvAUvf1cQIKl7pO5tSN2zqyF179Zqvd7MaIc0N8J+7wRf1vWGvicIkNQ9c9g7bwepey9D6l6jzcZlq79N3Ytbf3VBbMW8xZ+XV87yT+qeWhupe6TuFWvUw1Nz1WItNM6Dbk+unrrnt96qWtXtl66C6PTTfbm7l9ZmHz9jJnVPb4j7duwetG2k7m2ChDxS92zfWxF3dpVOVtl7Uvfc1v3N9HZInZS2vTrlcDSzw8OYt+pXWc5eergcPno3xWy4OT6ddZC6R+oe8BlP/fKK1L2f0jUipSAC+F55MNj1RUdBBABBQQQAQUEEAEFBBABBQQQAQUEEAEFBBABBQQQAQUEEAEFBBABBQQQAQUEEAKELYu9MStVsROWUdGM5L1Y109028c6SMVXOYRvPSuEtuTymZ8N1ZpFy5i0q5xkzyx2ZE9htp56zqa8hbwKuMZ7d+ugWbRPINndzrJhjr2ObOEJ+6wi5tmKEeGDG1XLSy21GzGJ2zDJsTE3YpCqwjTlovQ/ekmr6uWA+ynWJvZlotzWV06g294tpx5tOvu68mfHW3SJznC7Vw+tS9xb5U7QeMI5jno1z1G9wsZO9becI+YEj5Au8riBKLsAwpnn9c1tsfz8vb09/sk89o/osI47gI/lAvF+ju1Wfokmlw8NdLedsUXuuYxsNeGSL5OH++Y5tw3M99mjMYM4R4rZzySPk+WjDi3hhQVwCo/J/9FJVsEe9tr3zjt0lnfDtsfjYla3nuIA85fjdXWKvT+pFrWnS3YacLWoNgZqfp90tGtOc0iPlcF3/vAZAOD1wJ3pXHeMI2fnHaY8QCuIuJydim7J8e277o0rRyMONbdTwzPf/8sRcvI/V5OXhwRFdCHr54e4OsaotesHhHm3Rzvlm0xb/OJseeOPGsiGOkJ84Qi6vustcfgGG/GSmUV9e0YdbzsZwh/P9E7f7S8oJUesqlmnPPh/Fp73vhMgG+VZb9LoTovr9fPXhHq6PI8Rv5+eOkCt56QixfM5d5Oamd5q3vPmGeEuay8LqmnW9or0LzOUH5vDhHhx+dedzQ+626werSDd7DevYFgU75fEbiscKon2OI+RCR8gvnDE/VBCrb3U3V2xlHqx+XOCME/LDe23LkjnQbdB/6zw4e87QE+/nddNXbHB53cfZbtNQuO3qCfVZ9rrUu0X69erofqYe+juZIyTaSXrRax0hP1EOnxkh4lvUkciA8lS04cU88sNsfJXHfoMDfKPT/q971XnC7onJL3bpl53w7Thhl3DMaQsiAHwaBREABAURAAQFEQAEBREAxH/l9OVSXlL8lAAAAABJRU5ErkJggg==" alt="" />

First thing to do, is to map the name of the function to the ordinal number of the exported symbol. Therefore, just walk the arrays defined by AddressOfNames and AddressOfNameOrdinals parallel until you found the required name.

Now you can use the ordinal number to read the address by evaluating the n-th element of the AddressOfFunctions array.

Freeing the library

To free the custom loaded library, perform the steps

DllEntryProc entry = (DllEntryProc)(baseAddress + PEHeader->OptionalHeader.AddressOfEntryPoint);
(*entry)((HINSTANCE)baseAddress, DLL_PROCESS_ATTACH, 0);
  • Free external libraries used to resolve imports.
  • Free allocated memory.

MemoryModule

MemoryModule is a C-library that can be used to load a DLL from memory.

The interface is very similar to the standard methods for loading of libraries:

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZwAAABuCAIAAACcDjLIAAAM1klEQVR4nO2d25XlKgxEbzyOywmRC4EQBln4frQBCZUw7vMcuvbHLB83IJ5lwB7030YIIQvx36czQAghz4SiRghZCooaIWQpKGqEkKWgqBFCluJ9orbHfBwpXIQK6TjJcX+S5ZAcu3NZ2mMSWdljPo7jSKFd7TGr7IZ0HDnurSg/lCg2pEjX/i5xa4Ty67yO82nCREs2RY515lsFgRIR8nV0ohbSKzvqdeqvtX/bYAihiloIZ0AhciX2HlPOZ0LiOqQmNmdQHHKP+ag362WLvscSR1ovl3fSFAXeY84lvtTEWiFazbssfaCtCJlCiJp+jB9luOb6pC/XMR1HjqEER09yMXPYW7g2DFBINQ9w52kluRz39kPPOURkHWCYpZExlSgWtRh/rkPK5fKUAKUNMGSnHiEZTZQhzttN6O6kqaToDHNb1OAfRo1GyBu5nqnJHtzmBm3dVh/4+il+Xreln4gDQ3r2ATJU05Wcm9ZoFdOpwiz57DHnDBagWvpT3ENKYWv/bGpl1yKDkF2pSy23qukKFFJOKWvxmUxT3w9W/65EzXnmUNTI1zCz/LRPebEc2krn7zdccty79EosGHJg31KHm71A6YCB3GXJ5ZQTKb3OTG1vGqmnWmamZkK6oubOW7tCzKf5sKg5MzVCvoapPbVzSMvtGD11SV5PhwoyGBOz+zRnUl6Onidq0LYjanXfDawf+8gq5NXy077pAKI2l+Yvl5928kjIt2JETbw4070/qGVotntMUCDUGMlto86RkvnN55BStFMgnIwrcbqUkwxErbOgJGCkNVcvCkyNQVGbSROKlkgdaJ68BCWqFrj6JN9B/0mH+QrgJKR+ZyjWxZHu2t1dcS+lpN85dPtS8j3F9QAxyihWtfgTBvC1hMjSJKeVVD/pyLUmqpbo26KcAYdUNdJnsipcF62t8KfTxO+CNhSy3yI4MthhqAmohxwhn2X2OzU92eGmChHIlzSEfJpLUZPTmv57jNsrN0IIeTH8b1KEkKWgqBFCloKiRghZCooaIWQpKGqEkKWgqBFCloKiRghZCooaIWQpKGqEkKWgqBFCloKiRghZCooaIWQpKGqEkKWgqBFCloKiRghZCooaIWQpKGqEkKWgqBFCloKiRghZCooaIWQpKGqEkKWgqBFCloKiRghZCooaIWQpKGqEkKWgqBFCloKiRghZCooaIWQpKGqEkKWgqBFCloKiRghZCooaIWQpKGqEkKWgqBFClkKI2h7zcRxHCu1qj/k4ctxLkJCOI8c9pENRotiQIl37u8StEcqv8zrOpwkTLdkUOdaZL7ZbUPsXzaCYbwFm/lfsMZ9pjNIMqaukdxa2WH2/zWegqk7San7EHpMutrlBPNRMTdRbSD/VvseU89kC4lr2tDMoDrnHfNSb9bJF32OJI62Xyztp1ixv2x5zLvGlANWeBDoIKBHEqZA38rTePa6Ql5qeRvSPVzFq7Y+YDCHUqg6hBnxDVSzChKjFmM4nei6XpwSoPg5DdqMgJKOJMsR5u7XenTRVTznD3Ba161HrVIiY7xQ9zceRcz6OI4WQxKSyBRWVkOU0skq3SqzNUkEebZr4XpvSpjCukBJQDqQ9pjbVFY8Qk3ls/VYxSww1kMUMPUa3PkM6jpxSNoWvIVNKwvr17LeEK/0TrAdMOfvkcM0PjIGmA5NW3bfIZkRNNHETtT2kFLb2z6ZWdi0yCNm1Xhk7TdS6SXpIOaWsx9pkmvp+sPp3JWq2FyFwheh5Xi4ZOn7yewi9lD1TFb6tbMU8VYwTM42VeYJp1qc8qm69CHLFXFe2XH2rIWYzj6zfKqaxocuWmhCCsrcZPFwKyAn+9ExNhmvPfKc1TbpezTvsMecM2tnGo6gZZmZqe2sHPdUyMzUT0hU19CRShm+n+bCozc/UQJYORT5LeQpeWZ5bAxcrwNEsFNSAidQ/8LvKzUPjxnA/qoZCC6zfK+aZhmlTjVN2nDXx0L5IFlJTshcoJdAfa0IXC8n6ONTDA0/VSM+cqNXnLlg/9pFVyKvlp91NBaI2l+Yvl5928jhmJkva4AOiVnIFK+UiTVG1WPcdUdOp/VbUkPV7xexSMXmByY1FzRh0k8WcxZebt68RNd8+RW2CWVHb9G0lASOtuXpRYBrYG7+XaUKBEKk7kx0oaoN+7mYJLQysqLk66wjjHlMM/ZqszzxMs6Vdl2pdHWW4/LwQNbk1KJefRtSA9VvFPO3p5ada8Ga/PlF5ZBvB7QJVI5iQUrTLE1Nm8NOr+TugXta/jydK1M71QqqfdOQY5Z5w2yyN3WqrbIXbkLv4ZT7HEKskFa0EvZGmjKtXFyZkv1Q8ctztTafT+Vnq9yNrHe7nlxBixWrWZcp87uXhkAMQZH6DaYqSp5TbHmlbgSX8gQ4oT6sk0fjjzCPr08Ws2EeebSG0yu5a4fh56podY6eLDDC6AmoeVB2u+StjV7a37jFDfuDHt9/OB744+AROMfkdQ8XRNEqagaL2teBt7eW4Kua/+vHts3n/N4L/LBQ1QshSUNQIIUtBUSOELAVFjRCyFBQ1QshSUNQIIUtBUSOELAVFjRCyFBQ1QshSUNQIIUtBUSOELAVFjRCyFFLUuiNTukN57BHs3f9CBredkJtz3Iu4CQ7XEmE+6M+p2DxLFOJN236VPCE/uCLg+dFzPo2ekzt9+E6iu7IFjih4Zf+5Otv5im6m5pxa2J+NJ45OUAeiKIdO/XGS0p8KOOVRn/c4UKoP+3MSp71cH2YFD9QBtfQETBvdyMcLUUXEp5DSXdnHeCgjryjFUzxpQVHrmySkFPr2c9xBmWYFIeHhsfNi/Fl/Tl4+rdsF99xKW0vIOs6nTFd6VAJtJE/jVOOxv+lYx44kjEMm92Yxh08ylkcr013ZDLDd3+BJy7Ue0s9c9zDT3e6e171HZmynB9MHx+mMETWbXnce9XnL+ifaVLPa7lVDQs8pd06K/6Q/J5xPaN0W1a0lZB3nE3lU2lAbQfdFrk8jYx2XqKWvZjPQS9N5A+px69u4NVFHhCFdzz6wf27b97src/i0Jy3Q6+qR1erRNe1FzGV/1JPWxEwNHfzuuIManlTdD8CW3V+IWhuUb/bnpKc35+DE1m1R3VoC1j13KrCabBtBTx+++w87Occlgkc6+uc8dpLiOsHoWtOdqf0Bd2WYh53O4DaaHHXekxyV94YXMcfWw560BntqzYjt2447KBjdhHzC8nPftg/5c4K+kdzM39jLekTUQBs9KGrXzQFPpO1vzoraRndlYx4WNRnu9ubevKjd8yJ2g6eKGuwDm9qzkE56fFETIa82d53JZp8JZdOZnlpRczuiU++9oyOoBV5+oaeiOVFz8ok8KuFxqle2ep7Z5QhaByXakUMmeLPLobUChqC8/XfclU2+RvysJy1k3RG1Vh2/m6k5eF5n0HLe+aSj9g3xs/y5bkN27qDABFfsSsuQ8i9wL3PQyp/256TryfmgBazMhus3xzqeyXe15FaItFTdF6GbjnW4AQYK6ZS8/lGMJtM0dFc2/2nEZz1p9dbb6FKGRIJzXsQm8TQNpsaPb695xavrP8Mzv1pZEewakGgcTXNqjqI2wN8AJ/PQHdQAav4MN9euFDVCyFJQ1AghS0FRI4QsBUWNELIUFDVCyFJQ1AghS0FRI4QsBUWNELIUFDVCyFJQ1AghS0FRI4QsBUWNELIUj4iaPYDvZHicSn8I0tvdQXWHyDzD+ujMpO688/f7vupOzVLn0tCf08MHfZGv41UztdFxPftn3UFtM0dD3mcynfePIe+EW3FM45/258SDMlajiho8b1E/DsEBgro3iNP5LkTtg+6gfqL3R6mi6CBL/k00ilAtna4++tnC2Hpf8ZPFLDHwUa/059RqCJ5MfnxiVk0eR83UZJ8RDkaAxxobXv714jRP7EDoXe6gzlhGlEB0J0vg5gZHEaoluYhTo8lmft4xj1NMY8M5zvav+3NyjoKnqP2j6OWnONO8v/ihlzHTx2pCgym948JHb3moY9Cf6Q6qXV85G4FZch1HzYsanjgNRuH1nBAX80zDTBR1FNgc7kxtRX9Od5x6kO+n21M7h5zcu3iVqG0fcgdli9Hny/vt3+z+oMP8VtTuOeZBxexS6eLSn1NLiqK2EuZFQUgp2qdz++No+Sn3Xq+Wnybe29xB2XJ40S89KjmxL0RNbg0Olq83HfOAYp726M9p7M8JNqnnqYh8P/btp2lhsAjqvoqwL/Kb+yLDx91B3fHnNOk+CToQQrX0U5DYvwDA1u865sE+POjP6cKfk6tplLR/lD/x8e0fcQflFJOfLIy556mIfD9ri9ofcQd1VUz6cxrAj2+XY21RI4T8OShqhJCloKgRQpaCokYIWQqKGiFkKShqhJCl+B/5OGWoZxbTlQAAAABJRU5ErkJggg==" alt="" />

原文参考:

http://www.joachim-bauch.de/tutorials/loading-a-dll-from-memory/

源码参考:

https://github.com/fancycode/MemoryModule

Load PE from memory(反取证)(未完)的更多相关文章

  1. Go web编程学习笔记——未完待续

    1. 1).GOPATH设置 先设置自己的GOPATH,可以在本机中运行$PATH进行查看: userdeMacBook-Pro:~ user$ $GOPATH -bash: /Users/user/ ...

  2. [教程] [承風雅傳HSU]用ES4封裝Win7---ES4 Win7封裝教程(未完待續)

    [教程] [承風雅傳HSU]用ES4封裝Win7---ES4 Win7封裝教程(未完待續) a10036it 发表于 2015-7-27 21:11:19 https://www.itsk.com/t ...

  3. 《MySQL 基础课程》笔记整理(进阶篇)(未完)

    一.MySQL服务安装及命令使用 安装过程就不写了,毕竟百度经验一大把 MySQL 官方文档 MySQL 参考手册中文版 1.MySQL简介 ​ RDBMS(Relational Database M ...

  4. ExtJs之Ext.grid.GridPanel(部分未完)

    今天在家休息,年假不用就作费啊. 看了几部香港老电影,陪爸爸看了勇士占奇才, 然后,测试了一下EXTJS未完的内容, 在京东上订了七本历史普及书,近两百块..:) 搞定. <!DOCTYPE h ...

  5. Apple放大绝进行反取证

    取证说穿了其实就是攻防,这本是正义与邪恶的对决,亦即执法单位与嫌疑犯两者之间的事,但现实生活中要比这复杂多了. 怎么说呢?举个例子大家便理解了.取证人员费尽心思,用尽各种手法,努力地想要自手机上提取重 ...

  6. javascript有用小功能总结(未完待续)

    1)javascript让页面标题滚动效果 代码如下: <title>您好,欢迎访问我的博客</title> <script type="text/javasc ...

  7. ASP.NET MVC 系列随笔汇总[未完待续……]

    ASP.NET MVC 系列随笔汇总[未完待续……] 为了方便大家浏览所以整理一下,有的系列篇幅中不是很全面以后会慢慢的补全的. 学前篇之: ASP.NET MVC学前篇之扩展方法.链式编程 ASP. ...

  8. 关于DOM的一些总结(未完待续......)

    DOM 实例1:购物车实例(数量,小计和总计的变化) 这里主要是如何获取页面元素的节点: document.getElementById("...") cocument.query ...

  9. 我的SQL总结---未完待续

    我的SQL总结---未完待续 版权声明:本文为博主原创文章,未经博主允许不得转载. 总结: 主要的SQL 语句: 数据操作(select, insert, delete, update) 访问控制(g ...

随机推荐

  1. nginx配置限制同一个ip的访问频率

    1.在nginx.conf里的http{}里加上如下代码: limit_conn_zone $binary_remote_addr zone=perip:10m; limit_conn_zone $s ...

  2. 如何在IIS6,7中部署ASP.NET网站(转载)

    查看web.config文件 web.config通常会放在网站的根目录,这个文件中包含了一最重要的网站运行参数.比如: connectionStrings,httpHandlers,httpModu ...

  3. SQL语句优化技术分析 整理他人的

    一.操作符优化 1.IN 操作符 用IN写出来的SQL的优点是比较容易写及清晰易懂,这比较适合现代软件开发的风格.但是用IN的SQL性能总是比较低的,从Oracle执行的步骤来分析用IN的SQL与不用 ...

  4. bayboy下载安装

    badboy是jmeter工具的好搭档. 好处体现在那里呢? JMeter是纯Java编写的软件功能和性.能测试工具,其录制脚本过于笨拙和复杂. 而Badboy是用C++开发的动态应用测试工具,其拥有 ...

  5. A*寻路算法 (cocos2d-js详细代码)

    看了几天的A*算法,感觉要成为一个游戏开发者,有必要把这个著名的算法拿到手. 网上有此算法的代码片段,但主要还是些模板类的伪代码,所以想分享一段完整的A*算法代码供大家更好的理解!(这里使用的是js语 ...

  6. ionic 进入多级目录以后隐藏底部导航栏(tabs)(完美解决方案)

    公司开始使用ionic开发项目,在此记录下把遇到的问题,网上有大牛已经把解决方法整出来了,不过记录在自己这里方便查阅. 这篇记录在有tabs的项目里,进入子层级时,底部导航还一直存在,本人是要让他只在 ...

  7. CSS3之动画Animation特效

    CSS3的出现 让我们通过css样式也能写出炫酷的特效 通过 Animation 这个属性 无需插件和jquery也可以轻松的完成简单的动画效果 DEMO: <!DOCTYPE html> ...

  8. Spring 上传文件

    最近碰到一个上传文件的需求,其实之前也做过但是都是search->copy 没有细究过,这次纯手工. 先看一下需要依赖的包: <dependency> <groupId> ...

  9. android中RelativeLayout无法填充ScrollView布局的问题

    ScrollView是解决布局过长的情况下使用,一遍其下面会有个顶部布局,我项目里面是RelativeLayout,但是RelativeLayout无论设置 android:layout_height ...

  10. hdu 3666 THE MATRIX PROBLEM

    差分约束系统. 根据题意,可以写出不等式 L <= (Xij * Ai) / Bj <= U 即 Ai/Bj<=U/Xij和Ai/Bj>=L/Xij 由于差分约束系统是减法.. ...