Re: NQAR2 ?? Attention MIC
- Posted by "mic _" <stabmaster_ at hotmail.com> Nov 03, 2003
>000000: 67 64 69 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 gdi32.dll.......
>000010: 03 00 00 00 01 00 00 00 2D 00 00 00 3C 00 00 00 ........-...<...
>000020: 4A 00 00 00 00 00 00 00 00 00 04 34 04 47 65 74 J..........4.Get
>000030: 53 74 6F 63 6B 4F 62 6A 65 63 74 00 53 74 72 65 StockObject.Stre
>000040: 74 63 68 44 49 42 69 74 73 00 53 77 61 70 42 75 tchDIBits.SwapBu
>000050: 66 66 65 72 73 00 00 00 00 00 00 00 00 00 00 00 ffers...........
>000060:

Offset 2A is 2 rows down, 10 (A) steps to the right.

padded dll name: 16 bytes
number of entries: 1 dword (4 bytes)
static dword (set to #00000001): 1 dword (4 bytes)
entry name offset table: 3 (in this case, since gdi32.lib has 3 entries) dwords (12 bytes)
padding: 3 words (one word per entry) (6 bytes)

Total = 16+4+4+12+6 = 42 = 2A bytes

So at offset 2A (or 42 in decimal) you'll find the argument size table (one byte per entry). Since GetStockObject is the first entry in this case you'll find it at offset 2A+0 (=2A), while the actual name is found at offset 2D, as seen in the entry name offset table.

Also note that entries are sorted alphabetically. This is because a binary search is preferred when looking up names in the linking phase. The linker will basically just try to match an unresolved symbol against the entries in all libraries that have been included by the program. If a match is found, the entry is added to the executable's import table so that the dll will be loaded and the function linked as the program is started.
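
The layout described in the post, as an added example that is not part of the original post: a Python parser that recomputes the argument size table offset from the entry count and rejects files whose count, name offsets or ordering do not fit the layout. The function names are hypothetical; little-endian dwords (as the dump shows) and byte-wise name ordering are assumptions.

```python
import bisect
import struct

# Constructed sample: the bytes of the gdi32 dump quoted in the post (0x00-0x5F).
SAMPLE = bytes.fromhex(
    "67 64 69 33 32 2E 64 6C 6C 00 00 00 00 00 00 00"
    "03 00 00 00 01 00 00 00 2D 00 00 00 3C 00 00 00"
    "4A 00 00 00 00 00 00 00 00 00 04 34 04 47 65 74"
    "53 74 6F 63 6B 4F 62 6A 65 63 74 00 53 74 72 65"
    "74 63 68 44 49 42 69 74 73 00 53 77 61 70 42 75"
    "66 66 65 72 73 00 00 00 00 00 00 00 00 00 00 00"
)
HEADER = 24  # 16-byte padded dll name + entry count dword + static dword

def parse_import_lib(blob):
    """Return (dll_name, arg_table_offset, [(entry_name, arg_bytes), ...])."""
    if len(blob) < HEADER:
        raise ValueError("truncated header")
    dll = blob[:16].split(b"\0", 1)[0].decode("ascii")
    count, static = struct.unpack_from("<II", blob, 16)
    if static != 1:
        raise ValueError("static dword is not 1")
    # Each entry needs at least 4 (offset) + 2 (padding) + 1 (arg size) bytes,
    # so an oversized count is rejected before it is used to index anything.
    if count > (len(blob) - HEADER) // 7:
        raise ValueError("entry count exceeds file size")
    arg_off = HEADER + 4 * count + 2 * count  # 0x2A when count == 3
    names_start = arg_off + count
    entries = []
    for i, off in enumerate(struct.unpack_from("<%dI" % count, blob, HEADER)):
        end = blob.find(b"\0", off) if names_start <= off < len(blob) else -1
        if end < 0:
            raise ValueError("entry %d: name offset out of range or unterminated" % i)
        entries.append((blob[off:end].decode("ascii"), blob[arg_off + i]))
    names = [n for n, _ in entries]
    if names != sorted(names):  # assumption: byte-wise ordering
        raise ValueError("entries not sorted; a binary search would miss names")
    return dll, arg_off, entries

def lookup(entries, symbol):
    """Binary search over the sorted names; None if the symbol is unresolved."""
    names = [n for n, _ in entries]
    i = bisect.bisect_left(names, symbol)
    return entries[i] if i < len(names) and names[i] == symbol else None

if __name__ == "__main__":
    dll, arg_off, entries = parse_import_lib(SAMPLE)
    print(dll, hex(arg_off), entries)
```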