Question

According to the documentation I've read, the import directory for a Windows executable is typically placed in a section called .idata. (I know the names are effectively just comments, but 'typically... called' presumably means the Microsoft tool chain will use that name by default.)

When I compile and link a simple C test program with the Microsoft compiler and then dumpbin the result, there is no section called .idata. There is, however, in the optional header, a positive RVA and size of import directory, so the import table is there.

Is the import directory nowadays placed in a section with a different name, or am I missing something?

Was it helpful?

Solution

Indeed, in the executable I just built, there is no .idata section.

Using PE Explorer, we can see that the Import Table, and the IAT are stored as part of the .rdata section. (Note the "Pointing Directories" column):

enter image description here

enter image description here

On the Data Directories page, we see that the virtual address of the Import Table is 0x403354. This lands within the range of the .rdata section (0x403000 - 0x403C00).

Interestingly (and somewhat frustratingly), the PE loader for IDA synthetically "creates" an .idata section which doesn't actually exist in the file:

enter image description here

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top