flat assembler
Message board for the users of flat assembler.

Index > Compiler Internals > IAT in Directory Table

Author
Thread Post new topic Reply to topic
asmfan



Joined: 11 Aug 2006
Posts: 392
Location: Russian
asmfan 08 Nov 2006, 22:14
Don't know if it (IAT in Directory Table) is really needed, but fasm doesn't set it in PE header. The questin - why? is it useless, playing no role field?

_________________
Any offers?
Post 08 Nov 2006, 22:14
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 08 Nov 2006, 23:39
really not sure, but in reality it's NOT needed. just in some hacking and in untypical PEs.
Post 08 Nov 2006, 23:39
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
asmfan



Joined: 11 Aug 2006
Posts: 392
Location: Russian
asmfan 09 Nov 2006, 19:44
looks like it's not special necessarily, but nevertheless Microsoft's linker sets this field.
Post 09 Nov 2006, 19:44
View user's profile Send private message Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8356
Location: Kraków, Poland
Tomasz Grysztar 09 Nov 2006, 20:04
fasm did't set it only because you did not told it to do so. Wink
You create the IAT with "data 12" directive. It is required in KMD, for example.
Post 09 Nov 2006, 20:04
View user's profile Send private message Visit poster's website Reply with quote
asmfan



Joined: 11 Aug 2006
Posts: 392
Location: Russian
asmfan 09 Nov 2006, 20:53
But, Tomasz, IAT is already included in import data (section), and the IAT entry in data directory in optional header it's just a pointer the IAT in import data... according to MS linker & docs. So if PE exe har imports and import has IAT then IAT data directory entry in PE header should have be set to that addess. Arrrggg cannot explain it more simplier)
Post 09 Nov 2006, 20:53
View user's profile Send private message Reply with quote
asmfan



Joined: 11 Aug 2006
Posts: 392
Location: Russian
asmfan 09 Nov 2006, 21:07
by the way your example by link is wrong according to my understanding - cuz you declare lookup table, not IAT... and in data directory - IAT is just a pointer to the same IAT in data import.
Code:
section '.rdata' readable notpageable 

data 12 

   ImportAddress:
        dd rva szRead_port_uc 
        dd rva szWrite_port_uc 
        dd rva szHalmakebeep 
        dd 0 

end data 

section 'INIT' import readable notpageable 

        dd rva ImportLookup 
        dd 0 
        dd 0 
        dd rva szHal_dll 
        dd rva ImportAddress 
        times 5 dd 0 

  ImportLookup:
        imp_READ_PORT_UCHAR         dd rva szRead_port_uc 
        imp_WRITE_PORT_UCHAR        dd rva szWrite_port_uc 
        imp_HalMakeBeep             dd rva szHalmakebeep 

  szHalmakebeep     dw 0 
                    db 'HalMakeBeep',0 
  szRead_port_uc    dw 0 
                    db 'READ_PORT_UCHAR',0 
  szWrite_port_uc   dw 0 
                    db 'WRITE_PORT_UCHAR',0 

  szHal_dll db 'HAL.dll',0
    

the correction is just in exchanging ImportLookup with ImportAddress. But nevertheless can FASM just put the generated IAT address by import macro and its size in data directory in optional header?

_________________
Any offers?
Post 09 Nov 2006, 21:07
View user's profile Send private message Reply with quote
asmfan



Joined: 11 Aug 2006
Posts: 392
Location: Russian
asmfan 09 Nov 2006, 21:14
alseo can there nested data directives?
e.g
Code:
data import
;. . .
data 12
;bla-bla
end data
;. . .
end data
    

and finally data directive takes as argument numbers from 0 to 15 yes?

_________________
Any offers?
Post 09 Nov 2006, 21:14
View user's profile Send private message Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8356
Location: Kraków, Poland
Tomasz Grysztar 09 Nov 2006, 21:22
Yes, you can nest it. However the example I provided is correct in context of KMD, it was based on the analysis of KMD generated by Microsoft's linker.
Post 09 Nov 2006, 21:22
View user's profile Send private message Visit poster's website Reply with quote
asmfan



Joined: 11 Aug 2006
Posts: 392
Location: Russian
asmfan 09 Nov 2006, 22:11
I just anilized PE made by MS linker v7.x with Hiew and pecoff_v8.doc (provided by MS) and it the same as i said before... exactly IAT not lookup table address as placed in IAT data directory. It's not my fantasy, but reality of MS Linker.
I found that IAT data entry contains address to monolith block of IATs (one by one) of all import libraries and contains the sum of sizes of all IATs. each import entry points with its IAT member to each place in this monolith block... Lookup tables are standalone...
Post 09 Nov 2006, 22:11
View user's profile Send private message Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8356
Location: Kraków, Poland
Tomasz Grysztar 09 Nov 2006, 22:41
You're right, that sample has it reversed by mistake. It was fixed in later driver example packages.

As for the regular PEs (not drivers), they usually (not counting those made with MS tools Wink) have no IAT directory entry at all. Also if the IAT entries point to the same place as ILT entries, it doesn't seem to cause any problems.

Anyway, fasm leaves you free to do it any way you want. Here Joshua provided a macro that makes an IAT for you. Also other interesting approaches to creating imports are provided in that thread.


Last edited by Tomasz Grysztar on 09 Nov 2006, 22:55; edited 4 times in total
Post 09 Nov 2006, 22:41
View user's profile Send private message Visit poster's website Reply with quote
asmfan



Joined: 11 Aug 2006
Posts: 392
Location: Russian
asmfan 09 Nov 2006, 22:51
Thank, Tomasz, i would appreciate if you give me the right direction to discovering what is it (IAT data directory entry) for if it is useless and can be obtained by simple taking the appopriate field from the import data... Is it for correct work of drivers only?
Post 09 Nov 2006, 22:51
View user's profile Send private message Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8356
Location: Kraków, Poland
Tomasz Grysztar 09 Nov 2006, 23:07
The Import Lookup and Import Address entries (according to specifications) are identical in file, but when loading program into memory, the Import Address entries get replaced with the addresses of imported functions. Old variants of fasm macros did generate them pointing to the same place (practically making the Import Lookup entries lost after binding), but later it was changed to be more conforming to specifications (even though that variant was working perfectly on all versions of Windows). So now standard fasm's macros generate separate entries for Import Address, but not in continuous block, and for this reason it's impossible to pack it into one common IAT (see the Joshua's macro linked in my previous post for some interesting alternative).

Because Import Address entries are the only part of imports that gets modified, it may be actually a good idea to place them outside the import section, so the pages containing imports may be safely discarded, as only the pages containing IAT will get "dirty" status. I believe this also may be the reason why kernel drivers need to have them separated.
Post 09 Nov 2006, 23:07
View user's profile Send private message Visit poster's website Reply with quote
asmfan



Joined: 11 Aug 2006
Posts: 392
Location: Russian
asmfan 09 Nov 2006, 23:15
Biggest Thanks, Tomasz!
I adore FASM more and more)
Post 09 Nov 2006, 23:15
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.