iat_hooking article issue #2
Description
The OriginalFirstThunk uses the AddressOfData element of the IMAGE_THUNK_DATA structure to point to IMAGE_IMPORT_BY_NAME structure that contains the Name element, function name.
It contains either the ordinal of imported API or a RVA to an IMAGE_IMPORT_BY_NAME structure.
-
If the high bit is set, the bottom 31 bits (or 63 bits for a 64-bit executable) is treated as an ordinal value. The function is therefore imported by its ordinal and there would be no name available.
-
If the high-bit is not set, the whole DWORD is an RVA to an IMAGE_IMPORT_BY_NAME structure.
Please fix your article.