PE - IAT resolve mechanism

Reverse Engineering Asked on December 4, 2020

I’m trying to understand how Windows is resolving functions with the IAT.

I have noticed that when a call is made to a Win API function, the structure of that call is not always the same (it's consistent inside a binary, but not between two different binaries).

Sometimes, if I follow the target address of that call, I find a jump to the resolved Win API function.
And sometimes, it's directly a call to the resolved function.

For instance:

  • binary A uses a call like:
    call ds:GetSystemDirectoryW

  • binary B calls like this:
    call GetSystemDirectoryW -> jmp ds:__imp_GetSystemDirectoryW

Can someone explain this difference in the calling procedure?

One Answer

The direct call can be generated by the compiler when it knows that the function comes from a DLL at compile time, or whole program optimization is used. If the target function is not marked as dllimport, the compiler generates a simple call to an external symbol and at link time this external symbol is resolved to a stub which actually jumps to the DLL import. For more info:

Importing function calls using __declspec(dllimport)

What is DLL import binding?

Answered by Igor Skochinsky on December 4, 2020
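The two call shapes discussed above can be told apart mechanically when triaging a 32-bit x86 binary. The following is an added example, not part of the original question or answer: it classifies a call site as an indirect call through the IAT slot (`FF 15`) or a near call (`E8`) landing on a `jmp [slot]` stub (`FF 25`). The byte strings, addresses and the `IAT` map are constructed sample data, and `classify_call` is a hypothetical helper name.

```python
import struct

# Constructed sample: one IAT slot VA mapped to its imported name.
IAT = {0x402000: "GetSystemDirectoryW"}

# Binary A style: call dword ptr [0x402000] ; ret
BINARY_A = b"\xff\x15\x00\x20\x40\x00\xc3"
# Binary B style: call +1 ; ret ; stub: jmp dword ptr [0x402000]
BINARY_B = b"\xe8\x01\x00\x00\x00\xc3\xff\x25\x00\x20\x40\x00"

def _slot(code, off):
    """Read the absolute 32-bit operand that follows a 2-byte opcode."""
    return struct.unpack_from("<I", code, off + 2)[0]

def classify_call(code, off, iat=IAT):
    """Return (kind, import_name) for the call at byte offset `off`.

    kind is "direct" for call [IAT slot], "thunk" for a near call
    whose target is a jmp [IAT slot] stub, and "other" otherwise.
    Only 32-bit absolute encodings are handled (assumption).
    """
    # FF 15 disp32: indirect call through the import slot itself.
    if code[off:off + 2] == b"\xff\x15" and off + 6 <= len(code):
        name = iat.get(_slot(code, off))
        if name:
            return ("direct", name)
    # E8 rel32: near call; follow it and look for an FF 25 disp32 stub.
    if code[off:off + 1] == b"\xe8" and off + 5 <= len(code):
        rel = struct.unpack_from("<i", code, off + 1)[0]
        target = off + 5 + rel  # rel32 is relative to the next instruction
        in_bounds = 0 <= target and target + 6 <= len(code)
        if in_bounds and code[target:target + 2] == b"\xff\x25":
            name = iat.get(_slot(code, target))
            if name:
                return ("thunk", name)
    return ("other", None)

if __name__ == "__main__":
    print(classify_call(BINARY_A, 0))  # call ds:GetSystemDirectoryW
    print(classify_call(BINARY_B, 0))  # call stub -> jmp ds:__imp_...
```

Both forms end up reading the same IAT slot, so import hooks or IAT-based API tracing see either one; only the call-site pattern a disassembler or signature has to match differs.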
