“导入表地址”和“导入表地址”有什么区别?和“导入地址表地址”在 PE 的日期目录中?
有人知道区别吗?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
有人知道区别吗?
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
接受
或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
发布评论
评论(4)
如果您想使用可移植可执行文件,则无法获取 的副本规格。
已经有一段时间了,但如果我没记错的话:
IT 和 IAT 是相同的,除了 IAT 在解析导入时由 PE 加载器填充- 但不要相信我的话,检查规格:)编辑:
快速浏览了一下规格,刷新了我的记忆:
导入表是主结构,您要从中导入的每个 DLL 都有一个条目。除其他外,每个条目还包含导入查找表 (ILT) 和导入地址表 (IAT)指针(iirc 这些过去被称为
OriginalFirstThunk
和FirstThunk
)。 ILT 和 IAT 表在磁盘上是相同的,但在运行时 IAT 将填充导入函数的内存地址。如果您希望能够处理非标准 EXE,则可能无法 100% 依赖 PE 标头 IAT 字段,就像您不能依赖代码和数据指针的开始/大小一样。最好忽略 IAT 标头字段并解析 IT。此外,在解析 IT 时,某些可执行文件将缺少 ILT,只有 IAT - 较旧的 borland (iirc) 链接器因不生成 ILT 而臭名昭著。
编辑 2:定义
IMAGE_IMPORT_DESCRIPTOR
的表。IMAGE_THUNK_DATA
的表。If you want to play with Portable Executables, there's no way around grabbing a copy of the specs.
It's been a while, but in case memory serves me correctly:
IT and IAT are identical, except that IAT is filled by the PE-loader while resolving imports- but don't take my word for it, check the specs :)EDIT:
Had a quick browse through the specs, and refreshed my memory a bit:
The Import Table is the master structure, with one entry per DLL you're importing from. Each entry contains, among other things, an Import Lookup Table (ILT) and Import Address Table (IAT) pointer (iirc these used to be called
OriginalFirstThunk
andFirstThunk
). The ILT and IAT tables are identical on-disk, but during runtime the IAT will be filled with the memory addresses of imported functions.The PE header IAT field probably can't be relied on 100% if you want to be able to deal with nonstandard EXEs, just like you can't depend on the start-of/size-of code and data pointers. It's best to ignore the IAT header field and parse the IT instead. Also, when parsing the IT, the ILT will be missing on some executables, having only the IAT - older borland (iirc) linkers were notorious for not generating the ILT.
EDIT 2: definitions
IMAGE_IMPORT_DESCRIPTOR
.IMAGE_THUNK_DATA
.@snemarch 基本上是正确的,尽管我认为他和文档都错误地认为 ILT 和 IAT 在磁盘上是相同的。我查看了字节,它们不一样。
不过,他对表格的定义和目的的看法是正确的。
Windows Loader 使用 ILT(导入查找表)将 EXE 使用的函数与其在 DLL 中的地址关联起来。然而,一旦建立这种关联,DLL 中的地址就会写入 EXE 中的 IAT(导入地址表)。 EXE加载后,它不再需要ILT,当它调用DLL中的函数时,它指向IAT。
@snemarch Is mostly right, though I think both him and the documentation are wrong that the ILT and IAT are the same on disk. I've looked through the bytes, they are not the same.
Though, he is right about the definition and purpose of the tables.
The ILT (Import Lookup Table) is used by the Windows Loader to associate the functions used by an EXE with their address in a DLL. However, once this association is made, the address in the DLL gets written to the IAT (Import Address Table) in the EXE. After the EXE is loaded, it doesn't need the ILT anymore, when it calls a function in a DLL it points into the IAT.
IMAGE_DIRECTORY_ENTRY_IMPORT
最终导致多个 IAT thunk,它们存储在一个内存区域中,该内存区域从[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress
开始,大小为[IMAGE_DIRECTORY_ENTRY_IAT].Size
。我想当所有部分默认加载为只读时,它很有用,并且您可以使用 IMAGE_DIRECTORY_ENTRY_IAT 使 IAT(但不是 ILT)thunk 可写。
顺便说一句,当 DLL 绑定时,ILT 和 IAT 可以有不同的内容。在这种情况下,IAT thunk 包含导入函数的预先计算的地址。
IMAGE_DIRECTORY_ENTRY_IMPORT
eventually leads to multiple IAT thunks, which are stored in a memory region, which starts at[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress
, and has size[IMAGE_DIRECTORY_ENTRY_IAT].Size
.I guess it is useful when all the sections are loaded by default as read-only, and you can use
IMAGE_DIRECTORY_ENTRY_IAT
to make the IAT (but not the ILT) thunks writable.BTW, ILT and IAT can have different content, when DLL is bound. In that case, IAT thunks contain the pre-calculated addresses of the imported functions.
导入目录指向一个导入目录表,该表是.rdata中的一个表,在导入表中,每个dll都有一个IMAGE_IMPORT_DESCRIPTOR条目,该条目指向dll的名称字符串,即IAT部分的开头从该 dll 导入,以及从该 dll 导入的 ILT 部分的开始。
绑定导入目录表通常位于头页中,并包含每个绑定模块的 IMAGE_BOUND_IMPORT_DESCRIPTOR。每个描述符都包含一个指向绑定模块名称字符串(也在标头中)的指针和一个时间戳,即它所绑定的 dll 的时间戳。
延迟导入表通常位于 .rdata 中,并包含每个延迟加载模块的 IMAGE_DELAY_IMPORT_DESCRIPTOR。 IMAGE_DELAY_IMPORT_DESCRIPTORs 包含时间戳、模块名称链接、延迟加载 IAT 和延迟加载 ILT 以及绑定延迟加载 IAT 和卸载延迟导入表的链接。
在 dwmcore.dll 中,.rdata 部分看起来类似于(按顺序):IAT、常量文件作用域变量、导出目录、EAT、ELT、EOT、导出函数名称、更多常量文件作用域变量和字符串、延迟导入表、延迟导入模块名称、延迟 ILT、延迟导入函数名称、导入表、导入模块名称、ILT、导入函数名称、展开信息。
延迟IAT实际上位于.data的开头。我不确定模块是否共享相同的延迟 IAT/ILT,或者它们是否是独立的。我不确定为什么延迟和延迟界限有单独的 IAT 而不是使用主 IAT。
如果函数未绑定、延迟或延迟绑定,则 IAT 包含磁盘上函数名称字符串的 RVA。如果已绑定,则 IAT 包含该函数的地址提示。如果它被延迟/延迟绑定,那么它包含辅助函数的地址。如果只有 绑定 那么 IAT 包含一个索引提示。
The import directory points to an import directory table, which is a table in .rdata, and in the import table, there's an IMAGE_IMPORT_DESCRIPTOR entry for each dll and the entry points to the name string of the dll, the start of the IAT portion for the imports from that dll, and the start of the ILT portion for the imports from that dll.
The bound import directory table is usually in the header page, and contains IMAGE_BOUND_IMPORT_DESCRIPTORs for each bound module. Each descriptor contain a pointer to the bound module name string (also in the header), and a timestamp, which is the timestamp of the dll it's bound to.
The delay import table is usually in .rdata and contains IMAGE_DELAY_IMPORT_DESCRIPTORs for each delay loaded module. IMAGE_DELAY_IMPORT_DESCRIPTORs contain a timestamp, link to module name, link to the delay load IAT and delay load ILT and the bound delay load IAT and the unload delayed import table.
In dwmcore.dll, the .rdata section looks something like (in order): IAT, constant file scope variables, export directory, EAT, ELT, EOT, export function names, more constant file scope variables and strings, delay import table, delay import module names, delay ILT, delay import function names, import table, import module names, ILT, import function names, unwind info.
Delay IAT is actually at the start of .data. I'm not sure if modules share the same delay IAT/ILTs or whether they're separate. I'm not sure why delay and delay bound has separate IAT instead of using the main IAT.
The IAT contains the RVA of the function name string on disk if the function is not bound, delayed or delay bound. If it is bound then the IAT contains an address hint for the function. If it is delayed / delay bound then it contains the address of a helper function. If only hinting is used instead of binding then the IAT contains an index hint.