Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why do some functions appear more than once in the import table?

Tags:

hook

delphi

delphi-xe2

I am working on a resource leak detection unit, written in Delphi XE2. I want to monitor the creation and deletion of handles (file handles, event handles, etc) and GDI objects (bitmaps, brushes, etc.). So, every time a handle or GDI object is created, I want to put it in a list and when it gets deleted, I remove it. This way I am able to detect leaks, or duplicate deletions. To accomplish this, I hook the statically linked api's by altering the Import Table. Api's that are delay loaded or obtained by GetProcAddress are hooked differently, but that's not important for my question.

So much for the background information, now lets move on to the question.

When I was writing the hooking algorithm for the statically linked functions, I had to look into the PE file format and specifically the Import Table. I noticed that some imported functions (in my case for example 'CloseHandle'), are imported twice! I alos found that the some modules appear more than once. For example, the module 'kernel32.dll' occurred 6 times it the application I was working on.

My question is, why do some functions appear more than once in the import table. And, why do some modules appear more than once in the import table?

In my application I just replace all occurrences of a function to my function (the hook), but I was wondering what the reason is for these duplications. When I know the reason, I may need to change my application.

like image 309
R. Beiboer Avatar asked Nov 25 '25 05:11

R. Beiboer

1 Answers

If you declare an external import multiple times, in different units, it will appear in the import table multiple times. The compiler/linker does not merge them together.

If you declare an external import multiple times in the same unit, the compiler/linker does merge them into one.

Regarding CloseHandle, it is declared in the Windows unit. But in addition it is declared in WindowsAPIs.inc which is included by the System unit. So that's two declarations for starters. Clearly your program uses other units which re-declare CloseHandle.

like image 79
David Heffernan Avatar answered Nov 28 '25 17:11

David Heffernan
Sign in to Comment

Related questions

Handle PUT and DELETE requests in TIdHTTPServer in Delphi 7
TAction.ShortCut not working in dynamically created TAction
Indy Http Server with resume support
Delphi Indy TIdHTTP Website recognize robots
Is Int64 supported on all Windows versions?
delphi action manager shortcut for +,-, enter for actions
Exception is not caught although it is included in catch statement
Why does ListView ignores font and brush settings in custom drawing? [duplicate]
DLL (Delphi) with ADO (connection and query) not work in Java (using jna)

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!