Reputation: 5241
Is "IMPORT ADDRESS TABLE" of PE per dll or per exe?
Does anyone know whether the 'import address table' in the PE executable format on Windows is 'per dll' or 'per exe'?
Upvotes: 1
Views: 4186
Answers (2)
Reputation: 81
Short answer:
IAT(Import Address Table) is per PE file(dll and exe).
Long answer:
When the loader load exe file its copy each section of the PE to the process memory, unless IMAGE_SCN_MEM_DISCARDABLE is set for this sections. The IAT is in the .idata section (msdn):
The PE file's .idata section contains the information necessary for the loader to determine the addresses of the target functions and patch them into the executable image. The .idata section (or import table, as I prefer to call it) ...
IMAGE_SCN_MEM_DISCARDABLE is not set for idata section. Therefore- idata section copied to memory, and both exe and dll have this section- meaning IAT is per PE.
I wrote a simple dll loader here, if it help you understand.
Upvotes: 0
Reputation: 29476
Any PE can have an import address table, so both DLLs and EXEs can have them. This makes sense since both can have dependencies (imports) on other binaries. Unless you're doing dynamic loading (LoadLibrary/GetProcAddress), you'll have an import address table when calling into another module.
You can use the dumpbin utility with Visual Studio to see the imports of a PE:
An example on user32.dll:
C:\Windows\System32> dumpbin /imports user32.dll
Microsoft (R) COFF/PE Dumper Version 10.00.30319.01 Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file user32.dll
File Type: DLL
Section contains the following imports:
ntdll.dll 7DC60000 Import Address Table 7DCCACEC Import Name Table 0 time date stamp 0 Index of first forwarder reference 15A NtOpenKey 7A9 wcscat_s 7AD wcscpy_s ...
...and for notepad.exe...
C:\Windows\System32> dumpbin /imports notepad.exe
Microsoft (R) COFF/PE Dumper Version 10.00.30319.01 Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file notepad.exe
File Type: EXECUTABLE IMAGE
Section contains the following imports:
ADVAPI32.dll 1001000 Import Address Table 100A234 Import Name Table FFFFFFFF time date stamp FFFFFFFF Index of first forwarder reference 77C71C82 27E RegSetValueExW 77C7BCD5 26E RegQueryValueExW 77C7BED4 230 RegCloseKey ...
Upvotes: 2
Related Questions
- Add an entry to the import table of PE
- How to tell if an exe will load a DLL statically or dynamically by looking at the PE file header?
- How exactly does a program load a DLL at runtime? (Also wondering a bit about the PE file format since it's related)
- Address of entry point
- What is the reason for null entries in address export table of a windows pe file?
- What arguments are passed to entry point of a PE (Portable Executable) file?
- Resolve Function Address with PE Export Table
- Questions Regarding DLL Loading in a Process Address Space
- List imported DLL of PE file
- Getting the full path of the DLLs from a PE import table