imported. Locating the IAT is quite easy and can be done with a variety of different tools that dump the module’s PE header and provide the address of the IAT. Tools for dumping PE headers are discussed in Chapter 4.
Some disassemblers and debuggers will automatically indicate an imported
function call (by internally checking the IAT address), thus saving you the
trouble.
Single-Branch Conditionals
The most basic form of logic in most programs consists of a condition and an
ensuing conditional branch. In high-level languages, this is written as an if
statement with a condition and a block of conditional code that gets executed
if the condition is satisfied. Here’s a quick sample:
if (SomeVariable == 0)
    CallAFunction();
From a low-level perspective, implementing this statement requires a logical check to determine whether SomeVariable contains 0 or not, followed by code that skips the conditional block by performing a conditional jump if SomeVariable is nonzero. Figure A.1 depicts how this code snippet would typically map into assembly language.
The assembly language code in Figure A.1 uses TEST to perform a simple zero check for EAX. TEST works by performing a bitwise AND operation on EAX and setting flags to reflect the result (the actual result is discarded). This is an effective way to test whether EAX is zero or nonzero because TEST sets the zero flag (ZF) according to the result of the bitwise AND operation. Note that the condition is reversed: In the source code, the program was checking whether SomeVariable equals zero, but the compiler reversed the condition so that the conditional instruction (in this case a jump) checks whether SomeVariable is nonzero. This stems from the fact that the compiler-generated binary code is organized in memory in the same order as it is organized in the source code. Therefore, if SomeVariable is nonzero, the compiler must skip the conditional code section and go straight to the code section that follows.
The bottom line is that in single-branch conditionals you must always reverse the meaning of the conditional jump in order to obtain the true high-level logical intention.
488 Appendix A