Digging into Import Tables in PE Files - What is the IMAGE_IMPORT

Digging into Import Tables in PE Files - What is the IMAGE_IMPORT_DESCRIPTOR Structure?

Рет қаралды 4,118

Күн бұрын

Пікірлер: 22

@comicsmania6782 Жыл бұрын

I don't know why this content isn't so popular, but I want to thank you very much for what you did regarding PE file format, despite of everything. It's very helpful.

@jstrosch Жыл бұрын

Thank you - I'm really glad to hear you found it useful. I'm aiming to have a good collection of content around PE file format.

@comicsmania6782 Жыл бұрын

@@jstrosch Well! Looking forward to it! Thank you 🙏

@sg6610 Жыл бұрын

This gets deep and most enjoy surface level (GUI, maybe Wireshark) in my experience (command prompt scares many as it is).

@YiannisFertis 11 ай бұрын

I really like these video series, just what I was searching to begin my reverse engineering journey. Thank you !

@jstrosch 11 ай бұрын

Great to hear!

@mmm-me4kk 11 ай бұрын

Sir thank you , I have two questions, it would be great if you are willing to answer these: 1. - When I locate the import directory table on disk, via the data directories, it have five fields (RVA to ILT, T/D, FC, RVA to Name and RVA to IAT). - For IAT (FT): When I do your calculation, I retrieve the offset of the IAT entry on disk; when I go to that offset, it contains an RVA value, e.g. 1234. - For ILT (OFT): When I do your calculation, I retrieve the offset of the ILT entry on disk, it also contains an RVA , to the H/N table, e.g. 1234. Now, this RVA value is the same. I know that on disk the IAT and ILT are the same (and in memory IAT is overwritten with the absolute address), but I'm a little surprised that it both refers to the H/N table. I thought that, on disk, the IAT refered to the ILT entry, and that the ILT refered to the H/N. 2. What I find a bit strange.. when I analyse a PE file in memory, the IAT entries of the functions are in fact overwritten with the absolute addresses of the functions (so far so good). But the firstthunk value of the import descriptor (so the one that refers to the IAT entry of that module) is not overwritten with an absolute address to the IAT (it still contains an RVA). Am I confused (or did I make a mistake or..?).

@kissanoita255 Жыл бұрын

amazing series~ thank you so much for covering it in depth

@jstrosch Жыл бұрын

Glad you like them!

@mmm-me4kk 11 ай бұрын

Thank you! Very useful!

@jstrosch 11 ай бұрын

Thanks for the feedback, much appreciated!

@x0rZ15t Жыл бұрын

Sweet, another awesome video! You ROCK!

@jstrosch Жыл бұрын

Thanks!! ☺️

@YiannisFertis 11 ай бұрын

If it is possible I would like to ask you a question. There is the IMPORT DIRECTORY TABLE, the IMPORT LOOKUP TABLE and the IMPORT ADDRESS TABLE. Which of these tables did we watch in this video ? I am omitting my guess in order to not confuse the others..

@jstrosch 11 ай бұрын

Well, I typically see this structure referred to as the IAT - or import address table. I could see it also referred to as the import directory table, but perhaps that is referring to something more specific that I’ve either forgotten or simply don’t know!

@YiannisFertis 11 ай бұрын

Thanks a lot for your response @@jstrosch!