1 00:00:00,870 --> 00:00:05,580 So in this video, we'll be talking about the imports, only the theory part.
2 00:00:05,820 --> 00:00:16,320 So we have already seen here the import directory, and this address points to the first import.
3 00:00:16,410 --> 00:00:23,700 So generally, whenever your application needs something, of course your application does something; by
4 00:00:23,700 --> 00:00:31,170 default it will load some DLLs, and there will be functions in those DLLs which this application
5 00:00:31,170 --> 00:00:35,760 uses, or in my case the sample .exe, to perform some operations.
6 00:00:35,760 --> 00:00:42,890 So there are some core operations, that is, core operational functions, that are in the kernel32.dll that you
7 00:00:42,910 --> 00:00:46,650 got here, and some other DLLs, and all those functions'
8 00:00:47,430 --> 00:00:57,780 addresses need to be imported into this structure so that the application can access that function and
9 00:00:57,780 --> 00:00:58,860 run that code.
10 00:00:58,890 --> 00:01:05,880 So by default, our linker can write these addresses, but
11 00:01:07,490 --> 00:01:09,140 it's going to be dynamic.
12 00:01:09,140 --> 00:01:16,220 So whenever there are any updates to the operating system, these addresses change.
13 00:01:16,760 --> 00:01:24,560 So that's why we need to update the addresses of these functions whenever we
14 00:01:24,560 --> 00:01:26,240 are loading this executable file.
15 00:01:26,330 --> 00:01:35,240 So here we have the import directory, and this address points to the first import image, sorry, image
16 00:01:35,240 --> 00:01:36,290 import descriptor (IMAGE_IMPORT_DESCRIPTOR).
17 00:01:37,070 --> 00:01:41,510 So the contents of this IMAGE_IMPORT_DESCRIPTOR are as follows.
18 00:01:41,750 --> 00:01:49,460 So Characteristics, or OriginalFirstThunk, is the first thing: on disk it is Characteristics, and in memory
19 00:01:49,460 --> 00:01:50,310 it's called
20 00:01:50,330 --> 00:01:50,980 OriginalFirstThunk.
21 00:01:52,130 --> 00:01:55,250 Next one is TimeDateStamp, ForwarderChain and Name.
22 00:01:56,240 --> 00:02:01,430 So this is the structure of IMAGE_IMPORT_DESCRIPTOR, and the OriginalFirstThunk
23 00:02:01,430 --> 00:02:04,000 and the FirstThunk are almost similar.
24 00:02:04,010 --> 00:02:13,430 So this OriginalFirstThunk points to the address of an array of this data structure, IMAGE_THUNK_DATA.
25 00:02:14,030 --> 00:02:18,020 So first let me cover this TimeDateStamp, ForwarderChain and the Name.
26 00:02:18,020 --> 00:02:21,110 So this Name contains the name.
27 00:02:21,380 --> 00:02:24,110 So this Name contains the actual name.
28 00:02:24,110 --> 00:02:30,740 And this FirstThunk points to this array of these structures.
29 00:02:31,220 --> 00:02:35,360 And in these structures we have the address of the function.
30 00:02:35,540 --> 00:02:42,710 So the function's actual name: here we have the DLL name and here we have the function name.
31 00:02:42,710 --> 00:02:52,280 So if we are importing, like, 20 functions from this DLL, then we have 20 of these IMAGE_THUNK_
32 00:02:52,580 --> 00:02:56,030 DATA structures, so there is no ending for this.
33 00:02:57,170 --> 00:03:03,200 The ending of these IMAGE_IMPORT_DESCRIPTOR structures would be identified by zeros.
34 00:03:03,200 --> 00:03:05,510 So a null IMAGE_IMPORT_DESCRIPTOR.
35 00:03:05,510 --> 00:03:08,960 So a structure with all the fields zero.
36 00:03:08,960 --> 00:03:19,700 So that means if you come across zeros in these fields, that means all the imports have been completed.
37 00:03:20,750 --> 00:03:22,940 So let's see this diagram here.
38 00:03:22,940 --> 00:03:32,050 You can see this first block is the one, and the second block points to another name and the function
39 00:03:32,150 --> 00:03:35,120 name, and the third points to the third.
40 00:03:35,390 --> 00:03:45,320 So here you can see the imported DLL name points to kernel32, and the second one points to user32,
41 00:03:45,320 --> 00:03:47,510 and the third one points to
42 00:03:47,510 --> 00:03:48,600 advapi32 here.
43 00:03:48,920 --> 00:03:51,110 So let's see that in the PE viewer.
44 00:03:51,140 --> 00:03:56,750 So you can see the total size of this IMAGE_
45 00:03:56,750 --> 00:03:59,600 IMPORT_DESCRIPTOR is 20 bytes.
46 00:04:00,550 --> 00:04:02,470 So you can see the...
47 00:04:04,910 --> 00:04:05,300 Okay.
48 00:04:05,570 --> 00:04:06,950 These are the 16 bytes.
49 00:04:06,950 --> 00:04:10,820 And up to this third column, we have 20 bytes.
50 00:04:12,220 --> 00:04:14,710 The Name is last but one.
51 00:04:14,710 --> 00:04:16,750 So this one will be the Name:
52 00:04:17,260 --> 00:04:22,700 00004158, RVA.
53 00:04:23,410 --> 00:04:27,820 So here you can also see that everything is parsed.
54 00:04:30,670 --> 00:04:35,530 Now, if I go and click this address here, 4158,
55 00:04:38,430 --> 00:04:46,290 I should go to the name of this DLL, kernel32, so you can go to this address and read the string
56 00:04:46,290 --> 00:04:46,740 from this.
57 00:04:47,010 --> 00:04:47,490 Get this.
58 00:04:47,490 --> 00:04:48,000 kernel32.
59 00:04:48,270 --> 00:04:48,660 dll.
60 00:04:53,090 --> 00:04:53,540 All right.
61 00:04:53,570 --> 00:04:57,690 Now you can parse these structures.
62 00:04:57,710 --> 00:05:08,960 So this, uh, first read the first 20 bytes from this address pointed to by the optional header's import directory.
63 00:05:08,990 --> 00:05:16,040 So at this point is the first descriptor, IMAGE_IMPORT_DESCRIPTOR; read the Name from these
64 00:05:16,040 --> 00:05:21,860 20 bytes, calculate and get the string, and read the next 20 bytes.
65 00:05:21,860 --> 00:05:24,260 And here you can see the next 20 bytes are zero.
66 00:05:24,260 --> 00:05:32,450 That means we are importing functions only from one DLL, that is only kernel32.dll.
67 00:05:32,720 --> 00:05:36,620 So you can identify the next 20 bytes are completely zero.
68 00:05:36,620 --> 00:05:39,770 That means there are no more imports.
69 00:05:41,530 --> 00:05:48,250 And after collecting all the imports, you can print them to the screen: kernel32.dll.
70 00:05:48,280 --> 00:05:51,130 Now we need to parse the function names.
71 00:05:54,740 --> 00:05:57,770 You can see the OriginalFirstThunk.
72 00:05:57,770 --> 00:06:07,520 So before loading, the OriginalFirstThunk and the FirstThunk contain the same data, so the same
73 00:06:07,610 --> 00:06:09,860 array of these IMAGE_THUNK_DATA structures.
74 00:06:10,190 --> 00:06:15,740 But whenever we need to fix these function addresses, this...
75 00:06:17,940 --> 00:06:18,510 The...
76 00:06:20,320 --> 00:06:25,930 addresses pointed to by this FirstThunk should be replaced by the data of the function addresses.
77 00:06:25,940 --> 00:06:29,210 So let's see what this OriginalFirstThunk points to.
78 00:06:30,270 --> 00:06:36,960 So OriginalFirstThunk is the first member, and that is 4140.
79 00:06:37,080 --> 00:06:41,070 And here you can see we have already parsed this 4140.
80 00:06:41,100 --> 00:06:45,930 If I click on this, I will get the start of
81 00:06:47,370 --> 00:06:49,830 all of these IMAGE_THUNK_DATA structures.
82 00:06:49,830 --> 00:06:51,540 So let's go and click on this.
83 00:06:51,540 --> 00:06:55,140 And here we can see we got the...
84 00:06:59,280 --> 00:07:01,500 This, 4166.
85 00:07:01,830 --> 00:07:03,780 And if I go to 4166,
86 00:07:06,590 --> 00:07:08,780 that is the address of the...
87 00:07:09,320 --> 00:07:09,910 the name,
88 00:07:09,930 --> 00:07:11,150 name of the function.
89 00:07:14,100 --> 00:07:18,630 So you can click on 4166.
90 00:07:19,500 --> 00:07:23,100 You can also click on this because it's been parsed.
91 00:07:27,900 --> 00:07:30,400 And you can see the first one is the Hint.
92 00:07:30,420 --> 00:07:35,880 So these first two bytes are the Hint.
93 00:07:35,880 --> 00:07:44,250 And the second, the Name, is of dynamic size because we don't know how long each function name is.
94 00:07:44,250 --> 00:07:46,230 So each function name length is not constant.
95 00:07:46,230 --> 00:07:46,770 So
96 00:07:47,730 --> 00:07:48,730 we read up to a null
97 00:07:50,310 --> 00:07:51,810 byte of the function name.
98 00:07:52,020 --> 00:07:56,970 So this is the, what's the function?
99 00:07:58,290 --> 00:08:05,490 Now you can come back, come back to the FirstThunk and again go to this.
100 00:08:12,070 --> 00:08:19,690 And next you can see the two bytes, and then ExitProcess.
101 00:08:19,690 --> 00:08:20,410 So.
102 00:08:24,740 --> 00:08:27,590 So you can also click here, 4176.
103 00:08:29,220 --> 00:08:30,870 So 4176.
104 00:08:32,340 --> 00:08:33,630 So these are not the name.
105 00:08:33,630 --> 00:08:34,740 This is a Hint.
106 00:08:34,740 --> 00:08:39,010 And next, after two bytes, is the string.
107 00:08:39,030 --> 00:08:44,130 So it's a null-terminated string; we can read up to this and find the function name.
108 00:08:45,030 --> 00:08:48,810 So we found the function name ExitProcess.
109 00:08:52,370 --> 00:08:55,250 And we also found another function, that is Virtual...
110 00:08:55,580 --> 00:08:58,610 So you can see these are in a continuous,
111 00:09:01,790 --> 00:09:04,620 continuous manner until you reach zero.
112 00:09:04,640 --> 00:09:07,230 You need to read these functions.
113 00:09:07,250 --> 00:09:16,130 So after reading the function names you need to use, we are going to use LoadLibrary to load the DLL
114 00:09:16,130 --> 00:09:23,930 and GetProcAddress for this function name, and we need to get the address and write it in this First-
115 00:09:23,930 --> 00:09:24,230 Thunk.
116 00:09:24,230 --> 00:09:29,030 So you can see the FirstThunk is a pointer to this data here.
117 00:09:29,030 --> 00:09:34,490 You can see, and if you click on this OriginalFirstThunk, it will also point to the same data.
118 00:09:35,600 --> 00:09:37,040 So, but there are some bytes.
119 00:09:37,040 --> 00:09:39,050 So you can click on this.
120 00:09:39,710 --> 00:09:45,140 This data should be replaced by the addresses of the function.
121 00:09:45,140 --> 00:09:50,390 So I have parsed, we have parsed these function names and the DLL name.
122 00:09:50,540 --> 00:09:55,940 So after that we are going to use LoadLibrary to load this DLL and GetProcAddress to get the address
123 00:09:55,940 --> 00:09:56,780 of the function.
124 00:09:56,780 --> 00:10:06,080 After getting that, for each function address, for the first one, we need to write this FirstThunk.
125 00:10:08,630 --> 00:10:13,910 So if we are doing 64-bit, we need to overwrite these eight bytes.
126 00:10:14,930 --> 00:10:17,570 So that's how you need to operate.
127 00:10:17,960 --> 00:10:23,870 Write the function addresses into this FirstThunk pointer.
128 00:10:23,870 --> 00:10:24,380 So.
129 00:10:26,760 --> 00:10:28,930 That's all about the imports.
130 00:10:28,950 --> 00:10:30,420 We can also see
131 00:10:33,060 --> 00:10:35,490 another image, you can see.
132 00:10:37,530 --> 00:10:43,350 Well, you know, OriginalFirstThunk points to the, uh, this array.
133 00:10:45,010 --> 00:10:48,610 And the FirstThunk also points to this same array.
134 00:10:49,030 --> 00:10:59,350 But after being loaded into memory, we need to write the addresses of the functions to this array.
135 00:11:00,250 --> 00:11:04,450 After that, we can continue execution.
136 00:11:06,040 --> 00:11:11,110 So let's see another example; you can see the optional header of another .exe.
137 00:11:11,170 --> 00:11:18,310 If you go to this 8000, this is the start of the first IMAGE_IMPORT_DESCRIPTOR structure.
138 00:11:18,340 --> 00:11:21,850 If you go and fetch 20 bytes, that is up to these three.
139 00:11:22,690 --> 00:11:28,840 First one is OriginalFirstThunk, A078.
140 00:11:28,960 --> 00:11:30,910 So A078.
141 00:11:33,940 --> 00:11:44,190 So A078. So if you click on this, you will be taken to this thunk data structure, and at this address you
142 00:11:44,200 --> 00:11:46,710 have A24[inaudible].
143 00:11:46,990 --> 00:11:51,730 So if you go to this A24[inaudible], you will have the import by name structure.
144 00:11:51,730 --> 00:11:54,150 That is the Hint and the function name.
145 00:11:56,200 --> 00:11:57,080 In case you can...
146 00:11:57,410 --> 00:12:03,300 From this point onwards, you can try to loop until you get the null.
147 00:12:03,320 --> 00:12:05,270 So you can see there are a lot of functions.
148 00:12:05,270 --> 00:12:11,090 So you can just simply loop over until you reach the null bytes.
149 00:12:16,610 --> 00:12:24,890 So after finding that, you can update the values, or the function addresses, in this FirstThunk.
150 00:12:25,910 --> 00:12:29,450 So that's the theory about these imports.
151 00:12:29,450 --> 00:12:36,680 So don't worry; after we'll be parsing the PE file and then writing the content, you will get a much
152 00:12:37,130 --> 00:12:38,330 clearer understanding.
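As an added example (not code from the video), this C routine walks the import directory the way the transcript describes: 20-byte IMAGE_IMPORT_DESCRIPTORs until an all-zero one, Name to the DLL string, OriginalFirstThunk through the zero-terminated thunk array, and each IMAGE_IMPORT_BY_NAME as a 2-byte Hint followed by the null-terminated function name, with a bounds check on every pointer so a truncated or malicious table cannot read past the buffer. It runs over a constructed in-memory sample and assumes a 32-bit PE whose RVAs equal file offsets; a real parser would translate RVAs through the section table.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IMAGE_IMPORT_DESCRIPTOR on disk is 20 bytes: OriginalFirstThunk @0, TimeDateStamp @4, ForwarderChain @8, Name @12, FirstThunk @16. 32-bit PE assumed (4-byte thunks). */
enum { DESC_SIZE = 20, MAX_FUNCS = 8 };
typedef struct { const char *dll; const char *func[MAX_FUNCS]; int nfunc; } Import;
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
/* NUL-terminated string at rva, or NULL if it runs past the buffer. Assumption: RVA == file offset (flat mapping). */
static const char *str_at(const uint8_t *img, size_t len, uint32_t rva) {
    if (rva >= len || !memchr(img + rva, 0, len - rva)) return NULL;
    return (const char *)img + rva;
}
/* Walk descriptors until the all-zero one; per DLL follow OriginalFirstThunk through the zero-terminated
 * thunk array to each IMAGE_IMPORT_BY_NAME (2-byte Hint, then name). Returns DLL count, or -1 if malformed. */
static int parse_imports(const uint8_t *img, size_t len, uint32_t dir_rva, Import *out, int max) {
    int n = 0;
    for (uint32_t d = dir_rva; d + DESC_SIZE <= len; d += DESC_SIZE) {
        uint32_t oft = rd32(img + d), name = rd32(img + d + 12), ft = rd32(img + d + 16);
        if (oft == 0 && name == 0 && ft == 0) return n;              /* null descriptor: list complete */
        if (n >= max || !(out[n].dll = str_at(img, len, name))) return -1;
        out[n].nfunc = 0;
        for (uint32_t t = oft; t + 4 <= len && out[n].nfunc < MAX_FUNCS; t += 4) {
            uint32_t ibn = rd32(img + t);                              /* RVA of IMAGE_IMPORT_BY_NAME */
            if (ibn == 0) break;                                        /* zero thunk ends this DLL */
            if (ibn & 0x80000000u) continue;                            /* ordinal import: no name */
            if (!(out[n].func[out[n].nfunc] = str_at(img, len, ibn + 2))) return -1; /* skip Hint */
            out[n].nfunc++;
        }
        n++;
    }
    return -1;                                                          /* no terminator inside the image */
}
/* Constructed 256-byte sample (not a real binary): kernel32.dll importing two functions; FirstThunk is a
 * byte copy of the OriginalFirstThunk array, as on disk. Returns parse_imports() over the sample. */
static uint8_t g_img[256]; static Import g_imp[4];
static int run_sample(void) {
    memset(g_img, 0, sizeof g_img); memcpy(g_img + 0x80, "kernel32.dll", 13);
    wr32(g_img + 0x40, 0xA0); wr32(g_img + 0x4C, 0x80); wr32(g_img + 0x50, 0xB0);   /* OFT, Name, FT */
    wr32(g_img + 0xA0, 0xC0); wr32(g_img + 0xA4, 0xD0); memcpy(g_img + 0xB0, g_img + 0xA0, 12); /* thunks, IAT copy */
    g_img[0xC0] = 1; memcpy(g_img + 0xC2, "ExitProcess", 12); g_img[0xD0] = 2; memcpy(g_img + 0xD2, "VirtualAlloc", 13);
    return parse_imports(g_img, sizeof g_img, 0x40, g_imp, 4);       /* import directory RVA is 0x40 here */
}
int main(void) {   /* prints kernel32.dll!ExitProcess and kernel32.dll!VirtualAlloc */
    int n = run_sample();
    for (int i = 0; i < n; i++) for (int j = 0; j < g_imp[i].nfunc; j++) printf("%s!%s\n", g_imp[i].dll, g_imp[i].func[j]);
    return n < 0;
}
```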