Assembly Language for Beginners

(Jeff_L) #1

6.5. WINDOWS NT


Figure 6.1: A scheme that unites all PE-file structures related to imports

The main structure is the arrayIMAGE_IMPORT_DESCRIPTOR. Each element for each DLL being imported.


Each element holds theRVAaddress of the text string (DLL name) (Name).


OriginalFirstThunkis theRVAaddress of theINTtable. This is an array ofRVAaddresses, each of which
points to a text string with a function name. Each string is prefixed by a 16-bit integer (“hint”)—“ordinal”
of function.


While loading, if it is possible to find a function by ordinal, then the strings comparison will not occur. The
array is terminated by zero.


There is also a pointer to theIATtable namedFirstThunk, it is just theRVAaddress of the place where the
loader writes the addresses of the resolved functions.


The points where the loader writes addresses are marked byIDAlike this:__imp_CreateFileA, etc.


There are at least two ways to use the addresses written by the loader.



  • The code will have instructions likecall __imp_CreateFileA, and since the field with the address of

Free download pdf