Does anyone know whether the 'import address table' in the PE executable format on Windows is 'per dll' or 'per exe'?

A: 

Any PE can have an import address table, so both DLLs and EXEs can have them. This makes sense since both can have dependencies (imports) on other binaries. Unless you're doing dynamic loading (LoadLibrary/GetProcAddress), you'll have an import address table when calling into another module.

You can use the dumpbin utility with Visual Studio to see the imports of a PE:

An example on user32.dll:

```
C:\Windows\System32> dumpbin /imports user32.dll

Microsoft (R) COFF/PE Dumper Version 10.00.30319.01
Copyright (C) Microsoft Corporation. All rights reserved.

Dump of file user32.dll

File Type: DLL

Section contains the following imports:

ntdll.dll
          7DC60000 Import Address Table
          7DCCACEC Import Name Table
                 0 time date stamp
                 0 Index of first forwarder reference

              15A NtOpenKey
              7A9 wcscat_s
              7AD wcscpy_s
                  ...
```

...and for notepad.exe...

```
C:\Windows\System32> dumpbin /imports notepad.exe

Microsoft (R) COFF/PE Dumper Version 10.00.30319.01
Copyright (C) Microsoft Corporation. All rights reserved.

Dump of file notepad.exe

File Type: EXECUTABLE IMAGE

Section contains the following imports:

ADVAPI32.dll
           1001000 Import Address Table
           100A234 Import Name Table
          FFFFFFFF time date stamp
          FFFFFFFF Index of first forwarder reference

  77C71C82    27E RegSetValueExW
  77C7BCD5    26E RegQueryValueExW
  77C7BED4    230 RegCloseKey
                  ...
```
Chris Schmich
So there will be 1 IAT for each dependent dll, right?
COMer
If A.dll depends on B.dll and C.dll, then A.dll will have an IAT (if B.dll and C.dll have imports, then they, too, will have an IAT). In the IAT for A.dll, there will be two `IMAGE_IMPORT_DIRECTORY` entries: one for B.dll and one for C.dll. The structure is explained well here: http://sandsprite.com/CodeStuff/Understanding_imports.html
Chris Schmich
So I was wrong, there will be only 1 IAT at the top level, right?
COMer
What do you mean by "at the top level"? For *every* PE (DLL or EXE in your process), you can have the following: the `IMAGE_DOS_HEADER` which points to an `IMAGE_NT_HEADERS` which can have an `IMAGE_OPTIONAL_HEADER` containing many `IMAGE_DATA_DIRECTORY` structures, one of which points to the set of `IMAGE_IMPORT_DIRECTORY` structures (one for each dependency the PE has). This group of `IMAGE_IMPORT_DIRECTORY` structures can be considered to be the IAT for the PE.
Chris Schmich
I just read the article you cited, it says **This is a table of function pointers filled in by the windows loader as the dlls are loaded.**, so the contents of the IAT are not visible in a hex viewer, but only when it's loaded, right?
COMer
Yes, the actual addresses themselves are filled in at runtime by the loader. The point of the IAT is to be able to dynamically resolve where a function is located. This allows DLLs on Windows to change independently of one another (patches, updates) without breaking automatically.
Chris Schmich
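
Added example (not part of the original thread): a Python parser that follows the chain described in the comments, from the DOS header through the NT headers and data directory to one import descriptor per dependency, run over a constructed PE32 image standing in for A.dll with imports from B.dll and C.dll. The names `build_sample` and `parse_imports`, the function names `FuncB1`/`FuncB2`/`FuncC1` and every RVA in the sample are assumptions made for the illustration.

```python
import struct

def build_sample():
    """Constructed PE32 image standing in for A.dll, importing from B.dll and C.dll."""
    hdr, sec = bytearray(0x200), bytearray(0x200)   # headers; one section at RVA 0x1000
    # Two descriptors (OriginalFirstThunk, time, forwarder, Name, FirstThunk); zeros terminate.
    sec[0:40] = struct.pack("<10I", 0x1040, 0, 0, 0x10B0, 0x1060, 0x1050, 0, 0, 0x10C0, 0x1070)
    b_thunks, c_thunks = struct.pack("<3I", 0x1080, 0x1090, 0), struct.pack("<2I", 0x10A0, 0)
    for off, blob in ((0x40, b_thunks), (0x50, c_thunks),        # import name tables
                      (0x60, b_thunks), (0x70, c_thunks),        # import address tables
                      (0x80, b"\0\0FuncB1\0"), (0x90, b"\0\0FuncB2\0"), (0xA0, b"\0\0FuncC1\0"),
                      (0xB0, b"B.dll\0"), (0xC0, b"C.dll\0")):   # hint+name entries, DLL names
        sec[off:off + len(blob)] = blob
    struct.pack_into("<2s58xI", hdr, 0, b"MZ", 0x40)             # e_lfanew -> NT headers
    struct.pack_into("<4sHH12xHHH", hdr, 0x40, b"PE\0\0", 0x14C, 1, 224, 0x2102, 0x10B)
    struct.pack_into("<II", hdr, 0x58 + 96 + 8, 0x1000, 60)      # data directory[1]: imports
    struct.pack_into("<8sIIII", hdr, 0x58 + 224, b".idata", 0x200, 0x1000, 0x200, 0x200)
    return bytes(hdr + sec)

def parse_imports(pe):
    """DOS header -> NT headers -> data directory[1] -> one descriptor per imported DLL."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24
    plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B          # PE32+ uses 64-bit thunks
    width, fmt, flag = (8, "<Q", 1 << 63) if plus else (4, "<I", 1 << 31)
    secs = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def off(rva):                                                 # RVA -> file offset
        for vsize, va, _rawsize, ptr in secs:
            if va <= rva < va + vsize:
                return rva - va + ptr
        raise ValueError("RVA 0x%X is outside every section" % rva)
    def cstr(rva):
        return pe[off(rva):pe.index(b"\0", off(rva))].decode("ascii")
    imports, dir_rva = {}, struct.unpack_from("<I", pe, opt + (112 if plus else 96) + 8)[0]
    desc = off(dir_rva) if dir_rva else None                      # no import directory at all
    while desc is not None:
        oft, _time, _fwd, name, ft = struct.unpack_from("<5I", pe, desc)
        if not (oft or name or ft):
            break                                                 # all-zero descriptor
        funcs, t = [], off(oft or ft)
        while (v := struct.unpack_from(fmt, pe, t)[0]):
            funcs.append("ordinal %d" % (v & 0xFFFF) if v & flag else cstr(v + 2))
            t += width
        imports[cstr(name)] = {"iat_rva": ft, "functions": funcs}
        desc += 20
    return imports
```

In this constructed image, as in any unbound PE on disk, each slot at `iat_rva` still holds the RVA of its hint/name entry; the loader replaces it with the function's address at load time.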