导入table、导入地址table、导入名称table有什么区别?
What's the difference between the import table, import adress table, and import name table?
当 disassembling/dumping exe 我在 .idata 导入部分得到三个 tables:
- 进口table(IT)
- 导入地址table (IAT)
- 导入名称table (INT)
我明白 IAT 和 INT 是什么,但更确切地说,IT 是什么?
谁能解释一下,因为各种 PE 教程令人困惑。我不完全理解他们描述的那些官方结构名称在这个特定数据上的映射。
Hints/Answers这里会有帮助
示例 PE 文件部分
SECTION .idata align=4 noexecute ; section number 3, data
Import_table: ; dword
db 50H, 30H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403000 _ P0......
db 00H, 00H, 00H, 00H, 0ACH, 30H, 00H, 00H ; 00403008 _ .....0..
db 68H, 30H, 00H, 00H, 58H, 30H, 00H, 00H ; 00403010 _ h0..X0..
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403018 _ ........
db 0C0H, 30H, 00H, 00H, 70H, 30H, 00H, 00H ; 00403020 _ .0..p0..
db 60H, 30H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403028 _ `0......
db 00H, 00H, 00H, 00H, 0D0H, 30H, 00H, 00H ; 00403030 _ .....0..
db 78H, 30H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403038 _ x0......
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403040 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403048 _ ........
db 80H, 30H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403050 _ .0......
db 8EH, 30H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403058 _ .0......
db 98H, 30H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403060 _ .0......
Import_address_table: ; dword
imp_ExitProcess: ; import from KERNEL32.dll
dd 00003080H, 00000000H ; 00403068 _ 12416 0
imp_printf: ; import from msvcrt.dll
dd 0000308EH, 00000000H ; 00403070 _ 0000308E 00000000
imp_MessageBoxA: ; import from USER32.dll
dd 00003098H, 00000000H ; 00403078 _ 00003098 00000000
Import_name_table: ; byte
db 17H, 01H, 45H, 78H, 69H, 74H, 50H, 72H ; 00403080 _ ..ExitPr
db 6FH, 63H, 65H, 73H, 73H, 00H, 0B1H, 02H ; 00403088 _ ocess...
db 70H, 72H, 69H, 6EH, 74H, 66H, 00H, 00H ; 00403090 _ printf..
db 0B2H, 01H, 4DH, 65H, 73H, 73H, 61H, 67H ; 00403098 _ ..Messag
db 65H, 42H, 6FH, 78H, 41H, 00H, 00H, 00H ; 004030A0 _ eBoxA...
db 00H, 30H, 00H, 00H, 4BH, 45H, 52H, 4EH ; 004030A8 _ .0..KERN
db 45H, 4CH, 33H, 32H, 2EH, 64H, 6CH, 6CH ; 004030B0 _ EL32.dll
db 00H, 00H, 00H, 00H, 14H, 30H, 00H, 00H ; 004030B8 _ .....0..
db 6DH, 73H, 76H, 63H, 72H, 74H, 2EH, 64H ; 004030C0 _ msvcrt.d
db 6CH, 6CH, 00H, 00H, 28H, 30H, 00H, 00H ; 004030C8 _ ll..(0..
db 55H, 53H, 45H, 52H, 33H, 32H, 2EH, 64H ; 004030D0 _ USER32.d
db 6CH, 6CH, 00H, 00H, 00H, 00H, 00H, 00H ; 004030D8 _ ll......
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004030E0 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004030E8 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004030F0 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004030F8 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403100 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403108 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403110 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403118 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403120 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403128 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403130 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403138 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403140 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403148 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403150 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403158 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403160 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403168 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403170 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403178 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403180 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403188 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403190 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403198 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031A0 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031A8 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031B0 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031B8 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031C0 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031C8 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031D0 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031D8 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031E0 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031E8 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031F0 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031F8 _ ........
导入Table
来自 manual 第 6.4.1 节:
The import information begins with the Import Directory Table, which describes the remainder of the import information. The Import Directory Table contains address information that is used to resolve fix-up references to the entry points within a DLL image.
每个导入目录 table 条目的格式为
Offset Size Field
0 4 Import Lookup Table RVA
4 4 Time/Date Stamp
8 4 Forwarder Chain
12 4 Name RVA
16 4 Import Address Table RVA
注意:由于DLL可以加载到不同的内存位置RVA代表Relative Virtual Address,这是内容的地址,一旦加载,相对于图像基址
导入查找Table
再次来自文档:
The collection of these entries describes all imports from the image to a given DLL.
这些字段包含有关如何 处理导入的信息(序号与名称)。如果它指定按序号导入,则 table 中条目的其余部分包含序号,否则它包含 Hint/Name Table 条目的 RVA。
Hint/Name Table
Hint/Name table 中的条目格式如下:
Offset Size Field Notes
0 2 Hint Index into the Export Name Pointer Table
2 varies Name Null terminated ASCII string
* 0 or 1 Pad Each entry must be on an even boundary
导入地址Table
The structure and content of the Import Address Table are identical to that of the Import Lookup Table, until the file is bound. During binding, the entries in the Import Address Table are overwritten with the 32-bit (or 64-bit for PE32+) addresses of the symbols being imported: these addresses are the actual memory addresses of the symbols themselves (although technically, they are still called “virtual addresses”). The processing of binding is typically performed by the loader.
参考资料
- Portable Executable
上的维基百科条目
- Official Documentation
- 埃罗·卡雷拉 helpful diagrams
以上所有引用和 table 均来自参考文献 2 中列出的 Microsoft PE/COFF 手册。
让我们从以下两个 table 的简化图开始:
这张图显示了你在磁盘上的executable文件的情况。 table 具有完全相同的内容,具有完全相同的 API 函数名称列表和完全相同的顺序。
(好吧,你可能会问:“这么长的名字怎么可能放到 4 个字节中?”继续阅读以获得答案;正如我所写,我们从一张简化的图片开始。)
现在加载程序将您的 executable 加载到内存中,因此最初复制到内存中的这些 table 仍然相同。但是:
将所有需要的 DLL(动态-Link 库)加载/映射到内存后,它已经知道所有导入函数的地址,所以
它用它们的地址(仅那么名称“Import Address Table”对应于它的内容)。
所以内存中的情况就变得不一样了:
现在回答上面的(我自己的)问题:
How is possible to place such long names into 4 bytes?
当然不可能。在 导入查找 Table 中只有指向名称的 指针 (地址)。
而这里第三个table、ImportHint/Nametable,这些指针的目标,所以现实(而不是前两张图片中的简化)看起来像这样(我使用了与您列表中相同的地址):
到这里我只回答了我自己的问题,是时候回答你的问题了:
I understand what the IAT and INT are, but what is IT more exactly?
导入Table,更准确地说导入目录Table,是一个条目数组(一个table),一个条目(一个行)对于每个导入的库(在你的例子中 3 库,所以 table 由 3 行组成。
这里是它的简化图片:
每行由5个双字(指针)组成。对我们来说只有其中的 3 个很重要,第一个(指向 ILT 的指针),最后一个(指向 IAT 的指针),最后一个(通过 DLL 的名称标识行;所以它是指向DLL的名字在Hint/Nametable).
导入目录 Table 与其他两个 table 的合作如下所示:
(这张图中我省略了与第三个table的合作,已经提到Hint/NameTable。)
注意:我在图片中故意省略了零填充分隔行,我没有处理按序号导入(为了简单起见强调思想)。
当 disassembling/dumping exe 我在 .idata 导入部分得到三个 tables:
- 进口table(IT)
- 导入地址table (IAT)
- 导入名称table (INT)
我明白 IAT 和 INT 是什么,但更确切地说,IT 是什么?
谁能解释一下,因为各种 PE 教程令人困惑。我不完全理解他们描述的那些官方结构名称在这个特定数据上的映射。
Hints/Answers这里会有帮助
示例 PE 文件部分
SECTION .idata align=4 noexecute ; section number 3, data
Import_table: ; dword
db 50H, 30H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403000 _ P0......
db 00H, 00H, 00H, 00H, 0ACH, 30H, 00H, 00H ; 00403008 _ .....0..
db 68H, 30H, 00H, 00H, 58H, 30H, 00H, 00H ; 00403010 _ h0..X0..
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403018 _ ........
db 0C0H, 30H, 00H, 00H, 70H, 30H, 00H, 00H ; 00403020 _ .0..p0..
db 60H, 30H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403028 _ `0......
db 00H, 00H, 00H, 00H, 0D0H, 30H, 00H, 00H ; 00403030 _ .....0..
db 78H, 30H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403038 _ x0......
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403040 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403048 _ ........
db 80H, 30H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403050 _ .0......
db 8EH, 30H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403058 _ .0......
db 98H, 30H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403060 _ .0......
Import_address_table: ; dword
imp_ExitProcess: ; import from KERNEL32.dll
dd 00003080H, 00000000H ; 00403068 _ 12416 0
imp_printf: ; import from msvcrt.dll
dd 0000308EH, 00000000H ; 00403070 _ 0000308E 00000000
imp_MessageBoxA: ; import from USER32.dll
dd 00003098H, 00000000H ; 00403078 _ 00003098 00000000
Import_name_table: ; byte
db 17H, 01H, 45H, 78H, 69H, 74H, 50H, 72H ; 00403080 _ ..ExitPr
db 6FH, 63H, 65H, 73H, 73H, 00H, 0B1H, 02H ; 00403088 _ ocess...
db 70H, 72H, 69H, 6EH, 74H, 66H, 00H, 00H ; 00403090 _ printf..
db 0B2H, 01H, 4DH, 65H, 73H, 73H, 61H, 67H ; 00403098 _ ..Messag
db 65H, 42H, 6FH, 78H, 41H, 00H, 00H, 00H ; 004030A0 _ eBoxA...
db 00H, 30H, 00H, 00H, 4BH, 45H, 52H, 4EH ; 004030A8 _ .0..KERN
db 45H, 4CH, 33H, 32H, 2EH, 64H, 6CH, 6CH ; 004030B0 _ EL32.dll
db 00H, 00H, 00H, 00H, 14H, 30H, 00H, 00H ; 004030B8 _ .....0..
db 6DH, 73H, 76H, 63H, 72H, 74H, 2EH, 64H ; 004030C0 _ msvcrt.d
db 6CH, 6CH, 00H, 00H, 28H, 30H, 00H, 00H ; 004030C8 _ ll..(0..
db 55H, 53H, 45H, 52H, 33H, 32H, 2EH, 64H ; 004030D0 _ USER32.d
db 6CH, 6CH, 00H, 00H, 00H, 00H, 00H, 00H ; 004030D8 _ ll......
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004030E0 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004030E8 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004030F0 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004030F8 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403100 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403108 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403110 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403118 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403120 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403128 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403130 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403138 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403140 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403148 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403150 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403158 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403160 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403168 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403170 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403178 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403180 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403188 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403190 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 00403198 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031A0 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031A8 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031B0 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031B8 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031C0 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031C8 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031D0 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031D8 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031E0 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031E8 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031F0 _ ........
db 00H, 00H, 00H, 00H, 00H, 00H, 00H, 00H ; 004031F8 _ ........
导入Table
来自 manual 第 6.4.1 节:
The import information begins with the Import Directory Table, which describes the remainder of the import information. The Import Directory Table contains address information that is used to resolve fix-up references to the entry points within a DLL image.
每个导入目录 table 条目的格式为
Offset Size Field
0 4 Import Lookup Table RVA
4 4 Time/Date Stamp
8 4 Forwarder Chain
12 4 Name RVA
16 4 Import Address Table RVA
注意:由于DLL可以加载到不同的内存位置RVA代表Relative Virtual Address,这是内容的地址,一旦加载,相对于图像基址
导入查找Table
再次来自文档:
The collection of these entries describes all imports from the image to a given DLL.
这些字段包含有关如何 处理导入的信息(序号与名称)。如果它指定按序号导入,则 table 中条目的其余部分包含序号,否则它包含 Hint/Name Table 条目的 RVA。
Hint/Name Table
Hint/Name table 中的条目格式如下:
Offset Size Field Notes
0 2 Hint Index into the Export Name Pointer Table
2 varies Name Null terminated ASCII string
* 0 or 1 Pad Each entry must be on an even boundary
导入地址Table
The structure and content of the Import Address Table are identical to that of the Import Lookup Table, until the file is bound. During binding, the entries in the Import Address Table are overwritten with the 32-bit (or 64-bit for PE32+) addresses of the symbols being imported: these addresses are the actual memory addresses of the symbols themselves (although technically, they are still called “virtual addresses”). The processing of binding is typically performed by the loader.
参考资料
- Portable Executable 上的维基百科条目
- Official Documentation
- 埃罗·卡雷拉 helpful diagrams
以上所有引用和 table 均来自参考文献 2 中列出的 Microsoft PE/COFF 手册。
让我们从以下两个 table 的简化图开始:
这张图显示了你在磁盘上的executable文件的情况。 table 具有完全相同的内容,具有完全相同的 API 函数名称列表和完全相同的顺序。
(好吧,你可能会问:“这么长的名字怎么可能放到 4 个字节中?”继续阅读以获得答案;正如我所写,我们从一张简化的图片开始。)
现在加载程序将您的 executable 加载到内存中,因此最初复制到内存中的这些 table 仍然相同。但是:
将所有需要的 DLL(动态-Link 库)加载/映射到内存后,它已经知道所有导入函数的地址,所以
它用它们的地址(仅那么名称“Import Address Table”对应于它的内容)。
所以内存中的情况就变得不一样了:
现在回答上面的(我自己的)问题:
How is possible to place such long names into 4 bytes?
当然不可能。在 导入查找 Table 中只有指向名称的 指针 (地址)。
而这里第三个table、ImportHint/Nametable,这些指针的目标,所以现实(而不是前两张图片中的简化)看起来像这样(我使用了与您列表中相同的地址):
到这里我只回答了我自己的问题,是时候回答你的问题了:
I understand what the IAT and INT are, but what is IT more exactly?
导入Table,更准确地说导入目录Table,是一个条目数组(一个table),一个条目(一个行)对于每个导入的库(在你的例子中 3 库,所以 table 由 3 行组成。
这里是它的简化图片:
每行由5个双字(指针)组成。对我们来说只有其中的 3 个很重要,第一个(指向 ILT 的指针),最后一个(指向 IAT 的指针),最后一个(通过 DLL 的名称标识行;所以它是指向DLL的名字在Hint/Nametable).
导入目录 Table 与其他两个 table 的合作如下所示:
(这张图中我省略了与第三个table的合作,已经提到Hint/NameTable。)
注意:我在图片中故意省略了零填充分隔行,我没有处理按序号导入(为了简单起见强调思想)。