goblin: Missing import (IAT) information for Windows PE

In the struct

Struct goblin::pe::import::SyntheticImportDirectoryEntry { ... }

The field import_address_table does not point to the IAT but instead points to the Import Name Table.

About this issue

  • Original URL
  • State: open
  • Created 5 years ago
  • Comments: 20 (3 by maintainers)

Most upvoted comments

No, there was an example file in the original report #28, but we now parse that successfully.

+1
philipc on Aug 3, 2021

I’ve also noticed now that the import_lookup_table can have holes in it: https://github.com/m4b/goblin/blob/b43b93ed2243b75043d6fb1021ad9aec227df1f5/src/pe/import.rs#L144-L145 so calculating the RVAs may be inaccurate. That is, we do need to store them.

Something that is unclear to me is what happens when the ILT and the IAT have different initial values? Which one does the loader use when setting the IAT?

+1
philipc on Aug 2, 2021

The RVA is useful when disassembling or patching binaries. image For example IDA knows this is a jmp to the function CloseHandle because the operand is CloseHandle’s RVA. The loader didn’t set them yet, but we know it will set it there. So we can already draw conclusions about what the code does, without running the code. Hopefully that was clear!

Also thanks for replying so fast, I’ll open a PR soon. Thanks for the help and your comments!

+1
Maimonator on Aug 2, 2021
Read more comments on GitHub
← goblin: elf: The strtab in the section header is wrong.
scroll: test::pread fails on s390x →