What's the difference between "Import Table address" and "Import Address Table address" in Date Directories of PE?

Question

Anyone knows the difference?

Answer 1

If you want to play with Portable Executables, there's no way around grabbing a copy of the specs.

It's been a while, but in case memory serves me correctly: IT and IAT are identical, except that IAT is filled by the PE-loader while resolving imports - but don't take my word for it, check the specs :)

EDIT:

Had a quick browse through the specs, and refreshed my memory a bit: The Import Table is the master structure, with one entry per DLL you're importing from. Each entry contains, among other things, an Import Lookup Table (ILT) and Import Address Table (IAT) pointer (iirc these used to be called OriginalFirstThunk and FirstThunk). The ILT and IAT tables are identical on-disk, but during runtime the IAT will be filled with the memory addresses of imported functions.

The PE header IAT field probably can't be relied on 100% if you want to be able to deal with nonstandard EXEs, just like you can't depend on the start-of/size-of code and data pointers. It's best to ignore the IAT header field and parse the IT instead. Also, when parsing the IT, the ILT will be missing on some executables, having only the IAT - older borland (iirc) linkers were notorious for not generating the ILT.

EDIT 2: definitions

• IT: Import Table (PeCoff section 6.4.1) - table of per-DLL IMAGE_IMPORT_DESCRIPTOR.
• ILT: Import Lookup Table (PeCoff section 6.4.2) - table of per-import IMAGE_THUNK_DATA.
• IAT: Import Address Table (PeCoff section 6.4.4) - on-disk: identical to ILT, runtime: filled with imported function memory addresses.

Answer 2

IMAGE_DIRECTORY_ENTRY_IMPORT eventually leads to multiple IAT thunks, which are stored in a memory region, which starts at [IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress, and has size [IMAGE_DIRECTORY_ENTRY_IAT].Size.

I guess it is useful when all the sections are loaded by default as read-only, and you can use IMAGE_DIRECTORY_ENTRY_IAT to make the IAT (but not the ILT) thunks writable.

BTW, ILT and IAT can have different content, when DLL is bound. In that case, IAT thunks contain the pre-calculated addresses of the imported functions.