+1  A: 

If you want to play with Portable Executables, there's no way around grabbing a copy of the specs.

It's been a while, but in case memory serves me correctly: IT and IAT are identical, except that IAT is filled by the PE-loader while resolving imports - but don't take my word for it, check the specs :)

EDIT:

Had a quick browse through the specs, and refreshed my memory a bit: The Import Table is the master structure, with one entry per DLL you're importing from. Each entry contains, among other things, an Import Lookup Table (ILT) and Import Address Table (IAT) pointer (iirc these used to be called OriginalFirstThunk and FirstThunk). The ILT and IAT tables are identical on-disk, but during runtime the IAT will be filled with the memory addresses of imported functions.

The PE header IAT field probably can't be relied on 100% if you want to be able to deal with nonstandard EXEs, just like you can't depend on the start-of/size-of code and data pointers. It's best to ignore the IAT header field and parse the IT instead. Also, when parsing the IT, the ILT will be missing on some executables, having only the IAT - older Borland (iirc) linkers were notorious for not generating the ILT.

EDIT 2: definitions

  • IT: Import Table (PeCoff section 6.4.1) - table of per-DLL IMAGE_IMPORT_DESCRIPTOR.
  • ILT: Import Lookup Table (PeCoff section 6.4.2) - table of per-import IMAGE_THUNK_DATA.
  • IAT: Import Address Table (PeCoff section 6.4.4) - on-disk: identical to ILT, runtime: filled with imported function memory addresses.
snemarch
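
The parsing approach recommended in the answer above (walk the Import Table, prefer the ILT, fall back to the IAT when the ILT is missing), as an added Python example that is not part of the original answer. It covers PE32 (32-bit thunks) only; `parse_imports`, the `rva2off` mapping helper and the image built by `build_sample` are hypothetical names and constructed data, and in the sample every RVA equals its file offset.

```python
import struct

ORDINAL_FLAG32 = 0x80000000  # high bit of a PE32 thunk: import by ordinal

def cstr(img, off):
    end = img.index(b"\0", off)          # ValueError if unterminated
    return img[off:end].decode("ascii", "replace")

def parse_imports(img, it_off, rva2off=lambda rva: rva):
    """Walk the Import Table (IMAGE_IMPORT_DESCRIPTOR array) of a PE32 image."""
    result = {}
    while it_off + 20 <= len(img):
        oft, _ts, _fwd, name, ft = struct.unpack_from("<5I", img, it_off)
        if oft == 0 and name == 0 and ft == 0:            # null terminator
            break
        # Prefer the ILT; fall back to the IAT when the linker omitted it.
        thunk = rva2off(oft if oft else ft)
        funcs = []
        while thunk + 4 <= len(img):
            (val,) = struct.unpack_from("<I", img, thunk)
            if val == 0:
                break
            if val & ORDINAL_FLAG32:
                funcs.append("#%d" % (val & 0xFFFF))
            else:                                          # IMAGE_IMPORT_BY_NAME
                funcs.append(cstr(img, rva2off(val) + 2))  # skip 2-byte hint
            thunk += 4
        result[cstr(img, rva2off(name))] = (funcs, "ILT" if oft else "IAT")
        it_off += 20
    return result

def build_sample():
    """Constructed image where RVA == offset; b.dll has no ILT."""
    img = bytearray(0x100)
    struct.pack_into("<5I", img, 0x00, 0x40, 0, 0, 0x80, 0x50)  # a.dll: ILT+IAT
    struct.pack_into("<5I", img, 0x14, 0x00, 0, 0, 0x88, 0x60)  # b.dll: IAT only
    for off in (0x40, 0x50):                     # ILT and IAT identical on disk
        struct.pack_into("<3I", img, off, 0x90, ORDINAL_FLAG32 | 7, 0)
    struct.pack_into("<2I", img, 0x60, 0xA0, 0)  # b.dll IAT: one named import
    img[0x80:0x86] = b"a.dll\0"
    img[0x88:0x8E] = b"b.dll\0"
    img[0x90:0x98] = b"\0\0FuncA\0"              # hint (2 bytes) + name
    img[0xA0:0xA8] = b"\0\0FuncB\0"
    return bytes(img)

if __name__ == "__main__":
    print(parse_imports(build_sample(), 0))
```

The fallback to `FirstThunk` is only meaningful for an on-disk, unbound image; once the loader has run, the IAT holds function addresses rather than name RVAs.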
But you can see from the graph above, they are NOT identical, IT is `517C` while IAT is `5000`
COMer
Identical doesn't mean they point to the same *location*, but that the *contents* are the same.
snemarch
*IAT is filled by the PE-loader while resolving imports*, so IAT should be valid only when loaded, say, doesn't exist when in a hex viewer, right?
COMer
It means that on disk, you should see the same byte contents, whereas after loading, the IAT will be modified.
snemarch
No, I just inspected the byte contents at IT and IAT on disk, they are different.
COMer
@COMer: see my updated answer, it should be correct now :)
snemarch
What do you mean by `ILT`? I don't see such a term even in this article: http://sandsprite.com/CodeStuff/Understanding_imports.html
COMer
@COMer: Import Lookup Table, term from the PECOFF.DOC.
snemarch
What's ILT for since there's no info regarding the memory addresses of imported functions? IMO, only runtime filled IAT is useful.
COMer
@COMer: it's to make Bound Imports possible; check [this](http://www.symantec.com/connect/articles/dynamic-linking-linux-and-windows-part-two) article for a short explanation.
snemarch