In the PE format we have the Import Table Directory (accessed by IMAGE_DIRECTORY_ENTRY_IMPORT) and the IAT Directory (accessed by IMAGE_DIRECTORY_ENTRY_IAT); both are part of the Optional Header Data Directory.
Using the Import Table, the loader dynamically loads and resolves necessary libraries and functions. This is done by iterating through the Import Address Table RVA (Thunk Table) which is part of the Import Table.
So, if we use the Import Directory for import resolution, what do we need the IAT Directory for?
I've been reading the Microsoft PE specification but couldn't find an answer. There are also some questions on SO, but most of them use "IAT" to refer to the Thunk Table and not to the IAT Directory.
Thanks
EDIT
I think there is some confusion between the Import Address Table, which is a field in the Import Table Directory, and the Import Address Table which is called the IAT Directory. My question is about the IAT Directory.
Thanks again
The INT describes the address of the area which stores the API names imported by the PE file. The IAT is used when actually calling an API; the entry address of the function corresponding to the API is written into it when the module which exports the function is loaded.
The import address table is the part of the Windows module (executable or dynamic link library) which records the addresses of functions imported from other DLLs.
A Windows portable executable contains a structure called the Import Address Table (IAT). The IAT contains pointers to information that is critical for an executable to do its job: a list of DLLs it depends on for providing the expected functionality.
It is described well in the PE specification you linked, chapter 5.4.4. They are the same tables:
The structure and content of the import address table are identical to those of the import lookup table, until the file is bound. During binding, the entries in the import address table are overwritten with the 32-bit (for PE32) or 64-bit (for PE32+) addresses of the symbols that are being imported. These addresses are the actual memory addresses of the symbols, although technically they are still called “virtual addresses.” The loader typically processes the binding
Perhaps it is important to explain why it is done this way. A PE file is loaded into a process by mapping it directly into memory. The underlying operating system primitive is a memory-mapped file. This provides several important optimizations:
The memory used by the executable doesn't have to be backed by the paging file. If the operating system needs RAM for another process, then the pages mapped to the executable can simply be discarded, to be reloaded from the PE file when the process generates a page fault.
The RAM used by a process for its executable code can be shared by any instance of the process. In other words, when you start Notepad.exe multiple times, there's only one copy of the code in RAM. Every process shares the same pages. This is above all important for DLLs, particularly the operating system DLLs that are used in every process, like ntdll.dll, kernel32.dll and user32.dll (etcetera).
When the loader fills in the IAT with the actual addresses of the imported functions then the operating system remaps the pages for the IAT and has them backed by the paging file. So every process can have its own set of imported addresses. The rest of the pages, containing code and the import table, are still shared.
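To make the relationship between the two directories concrete, here is an added example (not from the answers above or from the PE specification): a small Python parser run over a constructed PE32+ image laid out as if already mapped (RVA == offset, so no section table is needed). It walks the IMAGE_IMPORT_DESCRIPTOR array behind IMAGE_DIRECTORY_ENTRY_IMPORT, shows that the INT (OriginalFirstThunk) and IAT (FirstThunk) arrays are identical before binding, and checks that every FirstThunk array lies inside the range that IMAGE_DIRECTORY_ENTRY_IAT describes, which is exactly the region the loader rewrites and un-shares per process. The DLL and function names in the fixture are constructed sample values.

```python
import struct
IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_IAT = 1, 12       # DataDirectory indexes

def optional_header(img):
    opt = struct.unpack_from("<I", img, 0x3C)[0] + 4 + 20      # e_lfanew + "PE\0\0" + COFF header
    return opt, (8 if struct.unpack_from("<H", img, opt)[0] == 0x20B else 4)   # (offset, thunk width)

def data_directory(img, index):
    opt, width = optional_header(img)                          # DataDirectory at +112 (PE32+) / +96 (PE32)
    return struct.unpack_from("<II", img, opt + (112 if width == 8 else 96) + index * 8)

def import_descriptors(img):
    """Walk the 20-byte IMAGE_IMPORT_DESCRIPTOR entries up to the all-zero terminator."""
    rva, descs = data_directory(img, IMAGE_DIRECTORY_ENTRY_IMPORT)[0], []
    while True:
        oft, _, _, name, ft = struct.unpack_from("<IIIII", img, rva)
        if name == 0 and ft == 0:
            return descs                 # (dll name, OriginalFirstThunk = INT, FirstThunk = IAT)
        descs.append((img[name:img.index(b"\0", name)].decode(), oft, ft))
        rva += 20

def thunk_table(img, rva):
    width, entries = optional_header(img)[1], []
    while not entries or entries[-1]:                          # read up to and including the 0 terminator
        entries.append(int.from_bytes(img[rva:rva + width], "little"))
        rva += width
    return entries

def iat_directory_covers_first_thunks(img):
    iat_rva, iat_size = data_directory(img, IMAGE_DIRECTORY_ENTRY_IAT)
    width = optional_header(img)[1]                            # every FirstThunk array must sit inside the IAT directory
    return all(iat_rva <= ft and ft + width * len(thunk_table(img, ft)) <= iat_rva + iat_size
               for _, _, ft in import_descriptors(img))

def build_image():
    """Constructed PE32+ image laid out as if already mapped (RVA == offset); not a real file."""
    img = bytearray(0x400)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                                   # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x84, 0x8664, 0, 0, 0, 0, 240, 0x22)    # COFF header
    struct.pack_into("<H", img, 0x98, 0x20B)                                  # PE32+ magic
    struct.pack_into("<I", img, 0x98 + 108, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x98 + 112 + 1 * 8, 0x200, 40)               # IMPORT directory
    struct.pack_into("<II", img, 0x98 + 112 + 12 * 8, 0x300, 24)              # IAT directory
    struct.pack_into("<IIIII", img, 0x200, 0x280, 0, 0, 0x2C0, 0x300)         # one descriptor + zero terminator
    for base in (0x280, 0x300):                               # INT and IAT: identical before binding
        struct.pack_into("<QQQ", img, base, 0x2D0, 0x2E0, 0)
    for off, s in ((0x2C0, b"kernel32.dll"), (0x2D0, b"\0\0ExitProcess"), (0x2E0, b"\0\0GetLastError")):
        img[off:off + len(s)] = s                             # trailing NULs are the zeroed bytes
    return bytes(img)
```

Run it on a real mapped image (for example a module dumped from a debugger) and the same check tells you whether the IAT directory really spans all the thunk arrays the loader will patch, which is what a loader-level or anti-hooking tool relies on.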
According to the documentation for PE, the IAT / IMAGE_DIRECTORY_ENTRY_IAT seems to be used for delayed loading of DLLs:
https://docs.microsoft.com/en-us/windows/desktop/Debug/pe-format#delay-import-address-table