BY happygreen
About the import table:
When an executable uses code or data from another DLL, that is called an import. When the PE file is loaded, one of the jobs of the Windows loader is to locate every imported function and data item and make their addresses available to the PE file. This process is driven by the import table of the PE file (the Import Table, also called the input table). The import table stores the names of the imported functions, the names of the DLLs in which they reside, and the information required for dynamic linking.
The import table plays an important role in software packing (shell) technology, so you must master this part when studying packers.
To learn the import table, start from the whole PE file:
+----------------------+----------------------------------+-------------+
| DOS header           | DOS Header (IMAGE_DOS_HEADER)    | 64 bytes    |
|                      | DOS Stub                         | 112 bytes   |
+----------------------+----------------------------------+-------------+
| PE file header       | "PE" 00 (Signature)              | 4 bytes     |
|                      | IMAGE_FILE_HEADER                | 20 bytes    |
|                      | IMAGE_OPTIONAL_HEADER32          | 96 bytes    |
|                      | Data directory table             | 128 bytes   |
+----------------------+----------------------------------+-------------+
| Section table        | IMAGE_SECTION_HEADER             | 40 bytes    |
|                      | IMAGE_SECTION_HEADER             | 40 bytes    |
|                      | IMAGE_SECTION_HEADER             | 40 bytes    |
+----------------------+----------------------------------+-------------+
| Sections             | .text                            | 512 bytes   |
|                      | .rdata                           | 512 bytes   |
|                      | .data                            | 512 bytes   |
+----------------------+----------------------------------+-------------+
| Debug information    | COFF line numbers                | NULL        |
|                      | COFF symbol table                | NULL        |
|                      | CodeView debug information       | NULL        |
+----------------------+----------------------------------+-------------+
>>> The diagram above is excerpted from the Internet (a newbie like me says so for fear of Fang Zhouzi). It is a simple PE structure diagram; a detailed PE structure diagram is attached for reference.
From it we can identify the sections and data structures related to the import table and where they sit in the PE file.
1. IMAGE_NT_HEADERS -> IMAGE_OPTIONAL_HEADER32 -> byte 104 (that is, the IMAGE_DIRECTORY_ENTRY_IMPORT entry of the data directory table):
    struct _IMAGE_DATA_DIRECTORY { DWORD VirtualAddress; DWORD Size; };
The first member of this structure is the RVA that points to the start of the .idata section (the import directory).
2. Section table entry for .idata
    typedef struct _IMAGE_SECTION_HEADER {
        BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];
        union {
            DWORD PhysicalAddress;
            DWORD VirtualSize;
        } Misc;
        DWORD VirtualAddress;
        DWORD SizeOfRawData;
        DWORD PointerToRawData;
        DWORD PointerToRelocations;
        DWORD PointerToLinenumbers;
        WORD  NumberOfRelocations;
        WORD  NumberOfLinenumbers;
        DWORD Characteristics;
    } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
The fifth member, PointerToRawData, gives the file offset at which the section's raw data starts (the third member, VirtualAddress, is the RVA of the same data once the image is loaded).
3. The .idata section
Refer to the image in the attachment.
    typedef struct _IMAGE_IMPORT_DESCRIPTOR {
        union {
            DWORD Characteristics;    // 0 for terminating null import descriptor
            DWORD OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
        };
        DWORD TimeDateStamp;          // 0 if not bound,
                                      // -1 if bound, and real date/time stamp
                                      //    in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
                                      // O.W. date/time stamp of DLL bound to (Old BIND)
        DWORD ForwarderChain;         // -1 if no forwarders
        DWORD Name;
        DWORD FirstThunk;             // RVA to IAT (if bound this IAT has actual addresses)
    } IMAGE_IMPORT_DESCRIPTOR;
    typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR;
    // The legendary IID structure.
This structure is very important; we will go through its members one by one.
1) OriginalFirstThunk: the RVA of the Import Name Table (INT). The INT is an array of IMAGE_THUNK_DATA structures; each IMAGE_THUNK_DATA in the array points to an IMAGE_IMPORT_BY_NAME structure, and the array ends with an IMAGE_THUNK_DATA whose content is 0.
    typedef struct _IMAGE_IMPORT_BY_NAME {
        WORD Hint;
        BYTE Name[1];
    } IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME;
Member 1:
WORD Hint is the index of the function in the export table of the DLL it resides in. The PE loader uses this field to look the function up quickly in the DLL's export table. The value is not required; some linkers set it to 0.
Member 2:
BYTE Name[1] holds the name of the imported function as a NUL-terminated ASCII string.
2) TimeDateStamp: a 32-bit time stamp.
3) ForwarderChain: the index of the first forwarded API; generally 0.
4) Name: pointer to the DLL name, an RVA to an ASCII string terminated by 00, for example "kernel32.dll".
5) FirstThunk: the RVA of the Import Address Table (IAT). The IAT is also an IMAGE_THUNK_DATA array.
Member 1 and member 5 are very similar: in the file they point to two essentially identical IMAGE_THUNK_DATA arrays; after loading, the loader overwrites the IAT entries with the actual function addresses while the INT keeps the original name references.
The above are the data structures related to the import table in a PE file.
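As an added example (my own code, not part of the original post), the following Python parser walks exactly the chain described above for a PE32 file: e_lfanew -> data directory entry 1 -> section table for RVA-to-offset translation -> the IID array -> the INT (or IAT) thunks -> IMAGE_IMPORT_BY_NAME. It also handles the by-ordinal case the text does not mention (high bit of the thunk set, no IMAGE_IMPORT_BY_NAME). The sample image is constructed in memory so it runs offline; the function names parse_imports, rva_to_offset, cstr and build_sample are mine.

```python
import struct
ORDINAL_FLAG = 0x80000000   # IMAGE_ORDINAL_FLAG32: high bit of a thunk set means import by ordinal

def cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def rva_to_offset(sections, rva):
    for vsize, va, raw_size, raw_ptr in sections:   # IMAGE_SECTION_HEADER fields, in file order
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr                # VirtualAddress -> PointerToRawData
    raise ValueError("RVA %#x lies outside every section" % rva)

def parse_imports(data):
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    assert data[e_lfanew:e_lfanew + 4] == b"PE\0\0", "missing PE signature"
    nsec, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    opt = e_lfanew + 24                        # IMAGE_OPTIONAL_HEADER32 follows the 20-byte file header
    imp_rva, = struct.unpack_from("<I", data, opt + 104)   # DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]
    sections = [struct.unpack_from("<4I", data, opt + opt_size + i * 40 + 8) for i in range(nsec)]
    imports, off = {}, rva_to_offset(sections, imp_rva)
    while True:                                # IID array ends with an all-zero descriptor
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<5I", data, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            return imports
        funcs, t = [], rva_to_offset(sections, oft or ft)   # prefer the INT; fall back to the IAT
        while thunk := struct.unpack_from("<I", data, t)[0]:  # IMAGE_THUNK_DATA32, zero-terminated
            if thunk & ORDINAL_FLAG:           # import by ordinal: no IMAGE_IMPORT_BY_NAME exists
                funcs.append(("#%d" % (thunk & 0xFFFF), None))
            else:                              # RVA of IMAGE_IMPORT_BY_NAME: WORD Hint, then ASCII name
                hn = rva_to_offset(sections, thunk)
                funcs.append((cstr(data, hn + 2), struct.unpack_from("<H", data, hn)[0]))
            t += 4
        imports[cstr(data, rva_to_offset(sections, name_rva))] = funcs
        off += 20                              # sizeof(IMAGE_IMPORT_DESCRIPTOR)

def build_sample():
    # Constructed minimal PE32 image (not a real binary): one .idata section importing ExitProcess and ordinal 7 from kernel32.dll.
    img = bytearray(0x260)
    img[0:2], img[0x40:0x44], img[0x138:0x13E] = b"MZ", b"PE\0\0", b".idata"
    struct.pack_into("<I", img, 0x3C, 0x40)                        # e_lfanew
    struct.pack_into("<HH12xH", img, 0x44, 0x14C, 1, 224)          # i386, 1 section, SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x10B)                       # PE32 magic
    struct.pack_into("<II", img, 0x58 + 104, 0x1000, 0x28)         # import directory RVA and size
    struct.pack_into("<4I", img, 0x140, 0x60, 0x1000, 0x60, 0x200) # VirtualSize, VA, SizeOfRawData, PointerToRawData
    struct.pack_into("<5I", img, 0x200, 0x1028, 0, 0, 0x1040, 0x1034)   # IID: INT, stamp, forwarder, Name, IAT
    for t in (0x228, 0x234):                                       # INT and IAT are identical before loading
        struct.pack_into("<3I", img, t, 0x1050, ORDINAL_FLAG | 7, 0)
    img[0x240:0x24D], img[0x252:0x25E] = b"kernel32.dll\0", b"ExitProcess\0"
    struct.pack_into("<H", img, 0x250, 0x1A3)                      # Hint for ExitProcess
    return bytes(img)
```

Running parse_imports(build_sample()) yields {"kernel32.dll": [("ExitProcess", 0x1A3), ("#7", None)]}; pointing parse_imports at the bytes of a real 32-bit executable gives its DLL and function list the same way.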