Reverse Engineering Asked on December 4, 2020
I’m trying to understand how Windows is resolving functions with the IAT.
I have noticed that when a call is made to a Win API function, the structure of that call is not always the same (it’s still consistent inside a binary, but not between two different binaries).
Sometimes, if I follow the target address of that call, I find a jump to the resolved Win API function.
And sometimes, it’s directly a call to the resolved function.
Binary A is using calls like:
Binary B is calling like this:
call GetSystemDirectoryW -> jmp ds:__imp_GetSystemDirectoryW
Can someone explain this difference in the calling procedure to me?
The direct call can be generated by the compiler when it knows that the function comes from a DLL at compile time, or whole program optimization is used. If the target function is not marked as dllimport, the compiler generates a simple call to an external symbol and at link time this external symbol is resolved to a stub which actually jumps to the DLL import. For more info:
Answered by Igor Skochinsky on December 4, 2020
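The two call shapes described in the answer above, recognised by a small classifier that maps both back to the same IAT slot. This is an added example, not part of the original question or answer. It assumes 32-bit x86 encodings (`FF 15` for an indirect call, `E8` for a relative call, `FF 25` for an indirect jump), and the bytes, load address and IAT slot address are constructed for illustration.

```python
import struct

# Constructed 32-bit x86 sample; not taken from any real binary.
BASE = 0x401000                          # assumed load address of CODE
IAT = {0x402000: "GetSystemDirectoryW"}  # assumed IAT slot -> import name

CODE = bytes.fromhex(
    "ff1500204000"  # 0x401000: call dword ptr [0x402000]  (dllimport form)
    "e803000000"    # 0x401006: call 0x40100e              (call to linker stub)
    "909090"        # 0x40100b: padding
    "ff2500204000"  # 0x40100e: jmp dword ptr [0x402000]   (import thunk)
)

def _slot(code, off, opcode, iat):
    """If code[off:] is `opcode [abs32]` and abs32 is an IAT slot, return its name."""
    if off < 0 or off + 6 > len(code) or code[off:off + 2] != opcode:
        return None
    addr = struct.unpack_from("<I", code, off + 2)[0]
    return iat.get(addr)

def classify_call(code, base, va, iat):
    """Return (kind, import_name) for the call at virtual address va, else None."""
    off = va - base
    # Form 1: the compiler knew the symbol was imported and calls through the IAT.
    name = _slot(code, off, b"\xff\x15", iat)
    if name:
        return ("direct-iat", name)
    # Form 2: plain external call, resolved by the linker to a jmp stub.
    if 0 <= off and off + 5 <= len(code) and code[off] == 0xE8:
        rel = struct.unpack_from("<i", code, off + 1)[0]
        target = va + 5 + rel            # rel32 is relative to the next instruction
        name = _slot(code, target - base, b"\xff\x25", iat)
        if name:
            return ("via-thunk", name)
    return None

if __name__ == "__main__":
    for va in (0x401000, 0x401006):
        print(hex(va), classify_call(CODE, BASE, va, IAT))
```

On x64 the same instructions use RIP-relative operands, so the slot address would be computed from the instruction address instead of read as an absolute value.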