PE format, what is the use for IAT Directory

In the PE format we have Import Table Directory (accessed by IMAGE_DIRECTORY_ENTRY_IMPORT) and IAT Directory (accessed by IMAGE_DIRECTORY_ENTRY_IAT) both are part of the Optional Header Data Directory.

Using the Import Table, the loader dynamically loads and resolves necessary libraries and functions. This is done by iterating through the Import Address Table RVA (Thunk Table) which is part of the Import Table.

So, if we use the import directory for import resolution, what do we need the IAT Directory for?

I've been reading the Microsoft PE specification but couldn't find an answer. Also, there are some questions on SO, but most of them use IAT to refer to the Thunk Table and not the IAT Directory.

Thanks

EDIT

I think that there is a confusion between the Import Address Table, which is a field in the Import Table Directory, and the Import Address Table which is called the IAT Directory. My question is regarding the IAT Directory.

Thanks again

Yuval asked Dec 18 '13 16:12



2 Answers

It is described well in the PE specification you linked, chapter 5.4.4. They are the same tables:

The structure and content of the import address table are identical to those of the import lookup table, until the file is bound. During binding, the entries in the import address table are overwritten with the 32-bit (for PE32) or 64-bit (for PE32+) addresses of the symbols that are being imported. These addresses are the actual memory addresses of the symbols, although technically they are still called “virtual addresses.” The loader typically processes the binding

Perhaps it is important to explain why it is done this way. A PE file is loaded into a process by mapping it directly to memory. The underlying operating system primitive is a memory mapped file. This provides several important optimizations:

  • the memory used by the executable doesn't have to be backed by the paging file. If the operating system needs RAM for another process, then the pages mapped to the executable can simply be discarded, to be reloaded from the PE file when the process generates a page fault.

  • the RAM used by a process for its executable code can be shared by any instance of the process. In other words, when you start Notepad.exe multiple times then there's only one copy of the code in RAM. Every process shares the same pages. This is most of all important for DLLs, particularly the operating system DLLs that are used in every process, like ntdll.dll, kernel32.dll and user32.dll (etcetera).

When the loader fills in the IAT with the actual addresses of the imported functions then the operating system remaps the pages for the IAT and has them backed by the paging file. So every process can have its own set of imported addresses. The rest of the pages, containing code and the import table, are still shared.

Hans Passant answered Oct 19 '22 19:10
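To see the "same tables" relationship from the answer above in practice, here is an added example (not code from the question or either answer) that parses the optional header data directories and the IMAGE_IMPORT_DESCRIPTOR array of a PE image laid out as mapped (RVA == offset, so no section-table translation is needed) and checks that every FirstThunk array falls inside the range named by IMAGE_DIRECTORY_ENTRY_IAT. The sample image is constructed inside the block and is not a real binary; a defender triaging samples can run the same check to spot an IAT directory that does not describe the thunk arrays the import descriptors actually use.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_IAT = 1, 12

def parse_headers(image):
    """Return (pointer_size, {dir_index: (rva, size)}) for a PE image laid out as mapped (RVA == offset)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    assert image[e_lfanew:e_lfanew + 4] == b"PE\0\0", "missing PE signature"
    opt = e_lfanew + 24                                   # skip PE signature (4) and COFF file header (20)
    magic = struct.unpack_from("<H", image, opt)[0]
    ptr_size, dd_off = (8, opt + 112) if magic == 0x20B else (4, opt + 96)   # PE32+ vs PE32 layout
    count = struct.unpack_from("<I", image, dd_off - 4)[0]                    # NumberOfRvaAndSizes
    return ptr_size, {i: struct.unpack_from("<II", image, dd_off + 8 * i) for i in range(count)}

def first_thunk_ranges(image, import_rva, ptr_size):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array; yield (FirstThunk RVA, byte length incl. null terminator) per DLL."""
    fmt, off = ("<Q" if ptr_size == 8 else "<I"), import_rva
    while True:
        _olt, _ts, _fwd, name, first_thunk = struct.unpack_from("<5I", image, off)
        if name == 0 and first_thunk == 0:                # an all-zero descriptor terminates the array
            return
        n = 0
        while struct.unpack_from(fmt, image, first_thunk + n * ptr_size)[0] != 0:
            n += 1
        yield first_thunk, (n + 1) * ptr_size
        off += 20

def iat_directory_covers_thunks(image):
    """True when every FirstThunk array lies inside the IAT directory: both entries describe one table."""
    ptr_size, dd = parse_headers(image)
    import_rva, _ = dd[IMAGE_DIRECTORY_ENTRY_IMPORT]
    iat_rva, iat_size = dd[IMAGE_DIRECTORY_ENTRY_IAT]
    return all(iat_rva <= rva and rva + length <= iat_rva + iat_size
               for rva, length in first_thunk_ranges(image, import_rva, ptr_size))

def build_sample_image(iat_size=0x28):
    """Constructed PE32+ image, not a real binary: two DLLs with FirstThunk arrays at 0x300 and 0x318."""
    img = bytearray(0x400)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)               # e_lfanew
    struct.pack_into("<H", img, 0x98, 0x20B)              # optional header magic = PE32+ (0x80 + 4 + 20)
    struct.pack_into("<I", img, 0x98 + 108, 16)           # NumberOfRvaAndSizes
    dd = 0x98 + 112                                       # first IMAGE_DATA_DIRECTORY entry
    struct.pack_into("<II", img, dd + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x200, 60)
    struct.pack_into("<II", img, dd + 8 * IMAGE_DIRECTORY_ENTRY_IAT, 0x300, iat_size)
    struct.pack_into("<5I", img, 0x200, 0x380, 0, 0, 0x3C0, 0x300)   # DLL 1: OriginalFirstThunk, 0, 0, Name, FirstThunk
    struct.pack_into("<5I", img, 0x214, 0x3A0, 0, 0, 0x3D0, 0x318)   # DLL 2; the zero descriptor at 0x228 ends the array
    struct.pack_into("<QQ", img, 0x300, 0x3E0, 0x3F0)     # DLL 1 thunks: two imports by name, then null
    struct.pack_into("<Q", img, 0x318, 0x3E0)             # DLL 2 thunks: one import, then null
    return bytes(img)
```

Shrinking the IAT directory size (for example `build_sample_image(iat_size=0x18)`) makes the check fail, which is exactly the inconsistency a loader or analysis tool would flag.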


According to the documentation for PE, the IAT / IMAGE_DIRECTORY_ENTRY_IAT seems to be used for delayed loading of DLLs.

https://docs.microsoft.com/en-us/windows/desktop/Debug/pe-format#delay-import-address-table

jpvolkmann answered Oct 19 '22 21:10