Reverse Engineering Asked by FigureItOut on September 30, 2021
I’m doing a small research regarding PE files and while I drilled every related question or the documentation itself I couldn’t explain this issue.
Why can I go to CFF explorer or some other PE editing software and nullify the IMAGE_IAT_DIRECTORY in the OptionalHeader and the program will still run fine?
As far as I understood, the loader will iterate the array of PIMAGE_THUNK_DATA pointed by OriginalFirstThunk, will parse the symbol, and then will overwrite the memory pointed by FirstThunk with the corresponding function address.
I also understood that the IMAGE_IAT_DIRECTORY Will serve as a container for these function pointer arrays, for each corresponding FirstThunk in each IMAGE_IMPORT_DESCRIPTOR.
When is it needed for an IAT directory to exist? Can it be that a lack of this directory will prevent an file from starting?
Thanks!
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP