
What's the difference between .rdata and .idata segments?


I noticed in IDA that the PE file which I analyze has not only the .rdata section but also .idata. What's the difference?

Adam Sznajder asked Sep 25 '13 18:09


2 Answers

  • .rdata is for const data. It is the read-only version of the .data segment.

  • .idata holds the import directory (.edata for exports). It is used by EXEs and DLLs to designate the imported and exported functions. See the PE format specification (http://msdn.microsoft.com/library/windows/hardware/gg463125) for details.

Summarizing typical segment names:

  • .text: Code
  • .data: Initialized data
  • .bss: Uninitialized data
  • .rdata: Const/read-only (and initialized) data
  • .edata: Export descriptors
  • .idata: Import descriptors
  • .reloc: Relocation table (for code instructions with absolute addressing when the module could not be loaded at its preferred base address)
  • .rsrc: Resources (icon, bitmap, dialog, ...)
  • .tls: __declspec(thread) data (Fails with dynamically loaded DLLs -> hard to find bugs)

As Martin Rosenau mentions, the segment names are only typical. The true segment type is specified in the segment header or is defined by usage of data stored in the segment.

Andreas H. answered Dec 11 '22 21:12


In fact, the names of the segments are ignored by Windows.

There are linkers that use different segment names and it is even possible to store the Import Descriptors, Export descriptors, Resources etc. in the ".text" segment instead of using separate segments.

However, it seems to be simpler to create separate sections for such metadata, so most linkers will use separate sections.

This means: Sections ".idata", ".rdata", ".rsrc", ... do not contain program data (although their name ends with "data") but they contain meta information that is used by the operating system. The ".rsrc" section for example holds information about the icon that is shown when looking at the executable file in the Explorer.

".idata" contains information about all DLL files required by the program.

Martin Rosenau answered Dec 11 '22 21:12
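Both answers say that section names are only conventions and that the headers decide what a section is. The following is an added example, not code from either answer: it locates the import directory through the optional header's data directory and reads each section's permissions from its header, ignoring names. The header bytes are constructed sample input in which the imports sit inside ".text", and the function names (`build_sample_pe`, `import_directory`, `describe`) are hypothetical.

```python
import struct

SECTION = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
PERMS = ((0x40000000, "R"), (0x80000000, "W"), (0x20000000, "X"))

def build_sample_pe():
    """Constructed PE32 headers: the linker put the import directory in '.text'."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)             # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                         # 96 + 16 * 8
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, 0x1800, 40)             # directory 1 = imports
    secs = struct.pack(SECTION, b".text", 0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION, b".rdata", 0x200, 0x2000, 0x200, 0x1400, 0, 0, 0, 0, 0x40000040)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs

def import_directory(pe):
    """Return (rva, size, section_table_offset, section_count) from the headers."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", pe, nt + 6)
    opt_size, = struct.unpack_from("<H", pe, nt + 20)
    magic, = struct.unpack_from("<H", pe, nt + 24)
    dirs = nt + 24 + {0x10B: 96, 0x20B: 112}[magic]              # PE32 / PE32+
    count, = struct.unpack_from("<I", pe, dirs - 4)
    rva, size = struct.unpack_from("<II", pe, dirs + 8) if count > 1 else (0, 0)
    return rva, size, nt + 24 + opt_size, nsec

def describe(pe):
    """List sections with header-derived permissions and mark the import holder."""
    rva, size, table, nsec = import_directory(pe)
    rows = []
    for i in range(nsec):
        name, vsize, va, rsize, _, _, _, _, _, flags = struct.unpack_from(SECTION, pe, table + 40 * i)
        perms = "".join(c for bit, c in PERMS if flags & bit)
        holds = size > 0 and va <= rva < va + max(vsize, rsize)
        rows.append((name.rstrip(b"\0").decode("latin-1"), perms, holds))
    return rows

if __name__ == "__main__":
    for name, perms, holds in describe(build_sample_pe()):
        print(f"{name:8} {perms:3} {'<- import directory' if holds else ''}")
```

On the constructed input the import directory resolves into the executable ".text" section, so a tool that looks for a section named ".idata" would miss it.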