PE format, what is the IAT Directory used for?

Question

In the PE format we have Import Table Directory (accessed by IMAGE_DIRECTORY_ENTRY_IMPORT) and IAT Directory (accessed by IMAGE_DIRECTORY_ENTRY_IAT) both are part of the Optional Header Data Directory.

Using the Import Table, the loader dynamically loads and resolves necessary libraries and functions. This is done by iterating through the Import Address Table RVA (Thunk Table) which is part of the Import Table.

So, if we use the import directory for import resolution what do we need IAT Directory for ?

I've been reading the Microsoft PE specification but couldn't find an answer. Also, there are some questions in SO but most of them use IAT to refer to the Thunk Table and not the IAT Directory.

Thanks

Edit

I think that there is a confusion between Import Address Table which is a field in the Import Table Directory and the Import Address Table which is called IAT Directory. My question is regarding the IAT Directory.

Thanks again

Answer

It is described well in the PE specification you linked, chapter 5.4.4. They are the same tables:

The structure and content of the import address table are identical to those of the import lookup table, until the file is bound. During binding, the entries in the import address table are overwritten with the 32-bit (for PE32) or 64-bit (for PE32+) addresses of the symbols that are being imported. These addresses are the actual memory addresses of the symbols, although technically they are still called "virtual addresses." The loader typically processes the binding

Perhaps it is important to explain why it is done this way. A PE file is loaded into a process by mapping it directly to memory. The underlying operating system primitive is a memory mapped file. This provides several important optimizations:

  • the memory used by the executable doesn't have to be backed by the paging file. If the operating system needs RAM for another process then the pages mapped to the executable can simply be discarded, to be reloaded again from the PE file when the process generates a page fault.

  • the RAM used by a process for its executable code can be shared by any instance of the process. In other words, when you start Notepad.exe multiple times then there's only one copy of the code in RAM. Every process shares the same pages. This is most of all important for DLLs, particularly the operating system DLLs that are used in every process, like ntdll.dll, kernel32.dll and user32.dll (etcetera).

When the loader fills in the IAT with the actual addresses of the imported functions then the operating system remaps the pages for the IAT and has them backed by the paging file. So every process can have its own set of imported addresses. The rest of the pages, containing code and the import table, are still shared.
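As an added illustration (not part of the question or the answer above), the Python below walks a constructed import descriptor table, shows that each FirstThunk (IAT) array mirrors its OriginalFirstThunk (ILT) array until something writes resolved addresses into it, and computes the single (RVA, size) range a linker would record in IMAGE_DIRECTORY_ENTRY_IAT so that a loader or checker can treat the whole IAT as one block. It assumes a flat buffer in which RVAs are plain offsets (no real headers or sections), PE32 4-byte thunks, and ordinal imports; all offsets and values are constructed for the example.

```python
import struct

# Constructed sample image (not a real PE): a flat buffer in which RVAs are plain
# offsets, holding only an import descriptor table and the ILT/IAT thunk arrays.
IMAGE = bytearray(0x400)
THUNK = struct.Struct("<I")            # PE32 thunk; PE32+ would be "<Q"
DESCRIPTOR = struct.Struct("<IIIII")   # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk

def put_thunks(rva, values):
    """Write a NULL-terminated thunk array (ordinal imports, high bit set) at rva."""
    for i, v in enumerate(values + [0]):
        THUNK.pack_into(IMAGE, rva + THUNK.size * i, v)

put_thunks(0x200, [0x80000001, 0x80000002])   # kernel32 ILT (OriginalFirstThunk)
put_thunks(0x210, [0x80000003])               # user32 ILT
put_thunks(0x220, [0x80000001, 0x80000002])   # kernel32 IAT (FirstThunk): identical to ILT until bound
put_thunks(0x22C, [0x80000003])               # user32 IAT placed right after it: the IAT is one contiguous block
IMAGE[0x300:0x30D] = b"kernel32.dll\0"
IMAGE[0x310:0x31B] = b"user32.dll\0"
for i, d in enumerate([(0x200, 0, 0, 0x300, 0x220), (0x210, 0, 0, 0x310, 0x22C), (0,) * 5]):
    DESCRIPTOR.pack_into(IMAGE, 0x100 + DESCRIPTOR.size * i, *d)   # descriptors at RVA 0x100

def walk_imports(image, import_dir_rva):
    """Yield (dll name, ILT rva, IAT rva, thunk-array byte length) per IMAGE_IMPORT_DESCRIPTOR."""
    rva = import_dir_rva
    while True:
        ilt, _stamp, _fwd, name_rva, iat = DESCRIPTOR.unpack_from(image, rva)
        if ilt == 0 and name_rva == 0 and iat == 0:     # all-zero descriptor terminates the table
            return
        name = image[name_rva:image.index(b"\0", name_rva)].decode()
        count = 0
        while THUNK.unpack_from(image, iat + THUNK.size * count)[0] != 0:
            count += 1
        yield name, ilt, iat, (count + 1) * THUNK.size   # +1 for the NULL terminator
        rva += DESCRIPTOR.size

def expected_iat_directory(image, import_dir_rva):
    """(rva, size) spanning every FirstThunk array: what IMAGE_DIRECTORY_ENTRY_IAT describes."""
    spans = [(iat, iat + n) for _, _, iat, n in walk_imports(image, import_dir_rva)]
    lo, hi = min(s for s, _ in spans), max(e for _, e in spans)
    return lo, hi - lo

def iat_directory_covers_imports(image, import_dir_rva, iat_dir_rva, iat_dir_size):
    """True if every FirstThunk array lies inside the IAT directory range."""
    end = iat_dir_rva + iat_dir_size
    return all(iat_dir_rva <= iat and iat + n <= end
               for _, _, iat, n in walk_imports(image, import_dir_rva))

def unbound(image, import_dir_rva):
    """True while every IAT still mirrors its ILT, i.e. nothing has overwritten it with addresses."""
    return all(image[ilt:ilt + n] == image[iat:iat + n]
               for _, ilt, iat, n in walk_imports(image, import_dir_rva))
```

Overwriting one IAT thunk (as the loader does when it resolves an import) makes unbound() return False while the ILT and the import descriptors are untouched, which is the split between the per-process IAT pages and the shared pages that the answer describes.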
