Reverse Engineering Asked on December 4, 2020
I’m trying to understand how Windows is resolving functions with the IAT.
I have noticed that when a call is made to a Win API function, the structure of that call is not always the same (it’s still consistent inside a binary, but not between two different binaries).
Sometimes, if I follow the target address of that call, I find a jump to the resolved Win API function.
And sometimes, it’s directly a call to the resolved function.
Binary A is using calls like:
Binary B is calling like this:
call GetSystemDirectoryW -> jmp ds:__imp_GetSystemDirectoryW
Can someone explain this difference in the calling procedure to me?
The direct call can be generated by the compiler when it knows that the function comes from a DLL at compile time, or whole program optimization is used. If the target function is not marked as dllimport, the compiler generates a simple call to an external symbol and at link time this external symbol is resolved to a stub which actually jumps to the DLL import. For more info:
Answered by Igor Skochinsky on December 4, 2020
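The two call shapes discussed above can be told apart mechanically when triaging a binary. The following is an added example, not part of the original question or answer: it assumes 32-bit x86 encodings (`FF 15` for a call through an IAT slot, `E8` into an `FF 25` jump thunk), and the bytes, addresses, IAT map and the function name `classify_call` are all constructed for illustration.

```python
import struct

# Constructed sample: a 32-bit code fragment loaded at BASE, plus a map of
# IAT slot addresses to import names (what a PE import parser would supply).
BASE = 0x401000
IAT = {0x402000: "GetSystemDirectoryW"}
CODE = bytes.fromhex(
    "ff1500204000"  # 0x401000: call dword ptr ds:[0x402000]  (dllimport-style call)
    "e803000000"    # 0x401006: call 0x40100e                 (call to linker stub)
    "c3"            # 0x40100b: ret
    "9090"          # 0x40100c: padding
    "ff2500204000"  # 0x40100e: jmp dword ptr ds:[0x402000]   (the stub itself)
)

def _u32(buf, off):
    """Read an unsigned little-endian 32-bit value."""
    return struct.unpack_from("<I", buf, off)[0]

def _i32(buf, off):
    """Read a signed little-endian 32-bit value (rel32 displacement)."""
    return struct.unpack_from("<i", buf, off)[0]

def classify_call(code, base, iat, addr):
    """Return (kind, import_name) for the instruction at virtual address addr.

    kind is "direct"     for call [IAT slot],
            "thunk"      for call rel32 landing on jmp [IAT slot],
            "internal"   for call rel32 to anything else,
            "not-a-call" otherwise.
    """
    off = addr - base
    if code[off:off + 2] == b"\xff\x15" and off + 6 <= len(code):
        return "direct", iat.get(_u32(code, off + 2))
    if code[off:off + 1] == b"\xe8" and off + 5 <= len(code):
        target = addr + 5 + _i32(code, off + 1)   # rel32 is relative to next insn
        toff = target - base
        if 0 <= toff <= len(code) - 6 and code[toff:toff + 2] == b"\xff\x25":
            return "thunk", iat.get(_u32(code, toff + 2))
        return "internal", None
    return "not-a-call", None

if __name__ == "__main__":
    for va in (0x401000, 0x401006, 0x40100B):
        print(hex(va), classify_call(CODE, BASE, IAT, va))
```

Both call sites resolve to the same IAT slot; only the path differs, which is why the import name is recovered in either case.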