According to the documentation I've read, the import directory for a Windows executable is typically placed in a section called .idata. (I know the names are effectively just comments, but 'typically... called' presumably means the Microsoft tool chain will use that name by default.)
When I compile and link a simple C test program with the Microsoft compiler and then dumpbin the result, there is no section called .idata. There is, however, in the optional header, a positive RVA and size of import directory, so the import table is there.
Is the import directory nowadays placed in a section with a different name, or am I missing something?
Best answer
Indeed, in the executable I just built, there is no .idata section.
Using PE Explorer, we can see that the Import Table and the IAT are stored as part of the .rdata section. (Note the "Pointing Directories" column):
On the Data Directories page, we see that the virtual address of the Import Table is 0x403354. This lands within the range of the .rdata section (0x403000 - 0x403C00).
Interestingly (and somewhat frustratingly), the PE loader for IDA synthetically "creates" an .idata section which doesn't actually exist in the file:
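
The check described in the answer can be done without a GUI tool by reading the data directory RVA from the optional header and finding the section whose range contains it. The following is an added example, not code from the original question or answer; the sample header is constructed to mirror the answer's layout (RVA 0x3354 inside a .rdata section at 0x3000 - 0x3C00, assuming an image base of 0x400000), and the directory sizes and the other sections are made up.

```python
import struct

def section_of_directory(pe: bytes, index: int = 1):
    """Return (section_name, rva, size) for a PE data directory entry.
    index 1 = import directory, 12 = IAT. Name is None if no section holds the RVA."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]             # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    nsect, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)           # PE32 vs PE32+
    count = struct.unpack_from("<I", pe, dirs - 4)[0]      # NumberOfRvaAndSizes
    if index >= count:
        raise ValueError("data directory index not present")
    rva, size = struct.unpack_from("<II", pe, dirs + 8 * index)
    first = opt + opt_size                                 # section table follows
    for i in range(nsect):
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", pe, first + 40 * i)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return name.rstrip(b"\0").decode("ascii", "replace"), rva, size
    return None, rva, size

def build_sample() -> bytes:
    """Constructed PE32 headers only (no section data), for demonstration."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase (assumed)
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, 0x3354, 0x3C)    # import directory
    struct.pack_into("<II", opt, 96 + 8 * 12, 0x3000, 0x100)  # IAT
    rows = [(b".text", 0x1000, 0x1E00), (b".rdata", 0x3000, 0xC00),
            (b".data", 0x4000, 0x400)]                     # no .idata section
    sects = b"".join(struct.pack("<8sIII20x", n, vs, va, vs) for n, va, vs in rows)
    return dos + coff + bytes(opt) + sects

if __name__ == "__main__":
    for idx, label in ((1, "Import Table"), (12, "IAT")):
        print(label, section_of_directory(build_sample(), idx))
```

To run it against a real file, pass the bytes of the executable (only the headers are read) instead of `build_sample()`.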