Geek Answers Handbook

What is the difference between “Import table address” and “Import address table address” in “PE Date Directories”?

alt text

Does anyone know the difference?

+7
portable-executable datadirectory
source share
3 answers

If you want to play with Portable Executables, then there is no way to grab a copy of the specifications .

It was a while, but in case the memory changes correctly: IT and IAT are identical, except that the IAT is populated with a PE loader when import is allowed - but do not change my word for this, check the specifications :)

EDIT:

If you would quickly look through the specifications and update my memory a bit: The import table is the main structure, with one entry for each DLL from which you import. Each entry contains, among other things, an import lookup table ( ILT ) and an import index table ( IAT ) (iirc they were called OriginalFirstThunk and FirstThunk ). The ILT and IAT tables are identical on disk, but at runtime, the IAT will be populated with the memory addresses of the imported functions.

The IAT field of the PE header can probably not be 100% relied upon if you want to deal with non-standard EXEs, just as you cannot depend on the start and size indications of the code and data pointers. It is best to ignore the IAT header field and analyze IT. In addition, in the analysis of IT, ILT will be absent in some executable files, since only IATs - older borland (iirc) were known for not generating ILT.

EDIT 2: Definitions

  • IT: import table (section 6.4.1 PeCoff) - table for DLL IMAGE_IMPORT_DESCRIPTOR .
  • ILT: Import lookup table (PeCoff section 6.4.2) - table for import IMAGE_THUNK_DATA .
  • IAT: import the address table (PeCoff 6.4.4 section) - on disk: identical to ILT, runtime: filled with imported function memory addresses.
+6
source share

IMAGE_DIRECTORY_ENTRY_IMPORT ultimately results in several IATs that are stored in a memory area that starts with [IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress and has a size of [IMAGE_DIRECTORY_ENTRY_IAT].Size .

I think this is useful when all sections are loaded by default as read-only, and you can use IMAGE_DIRECTORY_ENTRY_IAT to make the IAT (but not ILT) writable.

BTW, ILT, and IAT can have different contents when a DLL is bound. In this case, the IAT thunks contains the pre-calculated addresses of the imported functions.

+2
source share

@snemarch is mostly right, although I think both he and the documentation are wrong that ILT and IAT are the same on disk. I looked at the bytes, they do not match.

Although, he is right about the definition and purpose of tables.

The ILT (import lookup table) is used by the Windows loader to associate the functions used by the EXE with their address in the DLL. However, after creating this association, the address in the DLL is written to the IAT (Import Address Table Table) in the EXE. After loading the EXE, it no longer needs ILT, when it calls a function in a DLL, it points to IAT.

+1
source share

More articles:


All Articles