You know that functions in a dll can be imported either by name or by ordinal index.
From wikipedia: For most Windows API functions only the names are preserved across different Windows releases; the ordinals are subject to change. Thus, one cannot reliably import Windows API functions by their ordinals.
My Question: I know these ordinals MAY CHANGE, but I want to know if they’ve ever ACTUALLY CHANGED. (Especially about kernel32 & user32 dlls)
Why am I asking this? I heard some viruses do import win32 functions by ordinal. I want to catch them, and I want to know whether I can test for an ordinal number or not.
Thanks.
This question is very easily answered, and the answer is yes. Just take two versions of kernel32.dll and look at them with a PE viewer.
For example, on the left is Windows 7’s kernel32.dll, and on the right is Windows Vista’s kernel32.dll. You can see that the addition of AddIntegrityLabelToBoundaryDescriptor has caused the functions below it to have their ordinals increased by 1 compared to Vista.

I don’t understand why you would want to use this information for catching viruses. Viruses could use plenty of other ways to get the address of a function.
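As an added example (not code from the question or the answer above), here is a small Python decoder for a PE Import Lookup Table that shows how an import-by-ordinal entry is encoded and how a scanner would list the ordinals a binary imports; the ILT bytes are constructed inline, and the RVAs in them are made-up sample values. As the answer shows, specific ordinal values shift between Windows releases, so the durable signal for a detector is that a binary imports kernel32/user32 functions by ordinal at all, not any particular number.

```python
import struct

# PE/COFF Import Lookup Table (ILT) encoding: if the top bit of a thunk is
# set, the entry is an ordinal import and its low 16 bits hold the ordinal;
# otherwise the thunk is the RVA of an IMAGE_IMPORT_BY_NAME (hint + name).
ORDINAL_FLAG32 = 0x80000000
ORDINAL_FLAG64 = 0x8000000000000000


def parse_thunks(ilt: bytes, is_64bit: bool):
    """Decode one raw ILT (for one DLL) up to its zero terminator.
    Returns a list of ('ordinal', n) or ('name', rva) tuples."""
    width, fmt, flag = ((8, '<Q', ORDINAL_FLAG64) if is_64bit
                        else (4, '<I', ORDINAL_FLAG32))
    entries = []
    for off in range(0, len(ilt) - width + 1, width):
        (value,) = struct.unpack_from(fmt, ilt, off)
        if value == 0:          # zero thunk terminates the table
            break
        if value & flag:
            entries.append(('ordinal', value & 0xFFFF))
        else:
            entries.append(('name', value))
    return entries


def ordinal_imports(ilt: bytes, is_64bit: bool):
    """Just the ordinals a table imports by number: the check the question
    asks about. Presence of any is the stable signal; the values are not."""
    return [n for kind, n in parse_thunks(ilt, is_64bit) if kind == 'ordinal']


# Constructed sample tables (not taken from a real binary).
# 32-bit: one import by name (RVA 0x3000), two by ordinal, then terminator.
ILT32 = struct.pack('<IIII', 0x3000, ORDINAL_FLAG32 | 0x0110,
                    ORDINAL_FLAG32 | 5, 0)
# 64-bit: one ordinal import, one by name (RVA 0x4010), then terminator.
ILT64 = struct.pack('<QQQ', ORDINAL_FLAG64 | 42, 0x4010, 0)

if __name__ == '__main__':
    print(parse_thunks(ILT32, False))   # [('name', 12288), ('ordinal', 272), ('ordinal', 5)]
    print(ordinal_imports(ILT64, True)) # [42]
```

On a real file the same bit is what the pefile library reports as `import_by_ordinal` on each entry of `DIRECTORY_ENTRY_IMPORT`, so this decoder is mainly useful for understanding what that flag means.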