basically i understand what are unions they share same memory and whatever happens to 1 member it effects the others and vice versa.... now am trying to understand this part of code :
struct _IMAGE_THUNK_DATA64 {
union {
ULONGLONG ForwarderString; ULONGLONG Function; ULONGLONG Ordinal;
ULONGLONG AddressOfData; } u1;
} IMAGE_THUNK_DATA64; typedef IMAGE_THUNK_DATA64 * PIMAGE_THUNK_DATA64;
am trying to read/parse a process Import address table now what am doing is basically this
:
if (!memory::Read(process_base_address + import_desc.FirstThunk,&first_thunk,sizeof(first_thunk))) return 0;
am reading the data from firstThunk and storing it inside my IMAGE_THUNK_DATA which has the size of 8 bytes since its using a union now the real question is
- when i do this read memory operation which variable exactly am i reading is it the last one that got written to assuming from my target process?
- how would i read for example Ordinal from that union considring its the same value as Function which is wrong
- lastly i found some people doing this
auto function_address = process_base_address + import_desc.FirstThunk + func_index * sizeof(std::uintptr_t);
where function index is equal to 0,1,2 etc.. and by doing this without reading this line from memory i get access to an array i guess of function pointers that resides in the [.rdata] section and if i try to read it from memory using ReadprocessMemory i get the address of actual function inside the [.text] section and by multiplying it by 8 bytes i go to the next function pointer in memory.
i hope that someone could clarify this since i have been trying to understand it since 3 days and still don't understand how its supposed to work.
What I have tried:
i have done what i posted in my question paragraph but i would like to understand it more.