AnswerBun.com

PE - IAT resolve mechanism

Reverse Engineering Asked on December 4, 2020

I’m trying to understand how Windows is resolving functions with the IAT.

I have noticed that when a call is made to a Win API function, the structure of that call is not always the same (it’s still consistent inside a binary, but not between two differents binary).

Sometime, if i follow the target address of that call, i find a jump to the resolved Win API function.
And sometime, it’s directly a call to the resolved function.

For instance:

  • the binary A is using call like :
    call ds:GetSystemDirectoryW

  • the binary B is calling like that:
    call GetSystemDirectoryW -> jmp ds:__imp_GetSystemDirectoryW

Can someone explain me the this difference in the calling procedure ?

One Answer

The direct call can be generated by the compiler when it knows that the function comes from a DLL at compile time, or whole program optimization is used. If the target function is not marked as dllimport, the compiler generates a simple call to an external symbol and at link time this external symbol is resolved to a stub which actually jumps to the DLL import. For more info:

Importing function calls using __declspec(dllimport)

What is DLL import binding?

Answered by Igor Skochinsky on December 4, 2020

Add your own answers!

Related Questions

Is an ELF SHT_RELA section with a 0 `sh_link` valid?

1  Asked on May 1, 2021 by john-klln

 

Pe file code starting address

2  Asked on May 1, 2021 by daros911

       

How to extract the kernel assembly code from a zImage?

1  Asked on April 26, 2021 by btpython

     

Disassemble scanf storage register

1  Asked on April 24, 2021

   

Why can’t you edit pseudo code?

3  Asked on April 20, 2021 by spyindabox

   

MIPS codeExplain the main task

0  Asked on April 19, 2021 by user35718

 

How can i add plugins in x64dbg?

2  Asked on April 18, 2021 by crotonain

     

How to read dnSpy code from assembly_csharp.dll

1  Asked on April 17, 2021 by zombunny

   

How to reverse engineer cx_Freeze exe’s?

1  Asked on April 17, 2021 by user14118720

   

Setting Breakpoints on Thumb Instructions in GDB

1  Asked on April 13, 2021 by caustic

     

x64dbg for linux executables?

0  Asked on April 13, 2021 by x64dgb23

   

Ask a Question

Get help from others!

© 2022 AnswerBun.com. All rights reserved. Sites we Love: PCI Database, MenuIva, UKBizDB, Menu Kuliner, Sharing RPP, SolveDir