Imports and exports are the mechanisms that enable the dynamic linking process of executables described earlier. Consider an executable that refer- ences functions in other executables while it is being compiled and linked. The compiler and linker have no idea of the actual addresses of the imported func- tions. It is only in runtime that these addresses will be known. To solve this problem, the linker creates a special import table that lists all the functions imported by the current module by their names. The import table contains a list of modules that the module uses and the list of functions called within each of those modules.
When the module is loaded, the loader loads every module listed in the import table, and goes to find the address of each of the functions listed in each module. The addresses are found by going over the exporting module’s export table, which contains the names and RVAs of every exported function.
When the importing module needs to call into an imported function, the calling code typically looks like this:
call [SomeAddress]
Where SomeAddress is a pointer into the executable import address table (IAT). When the modue is linked the IAT is nothing but an list of empty values, but when the module is loaded, the linker resolves each entry in the IAT to point to the actual function in the exporting module. This way when the call- ing code is executed, SomeAddress will point to the actual address of the imported function. Figure 3.4 illustrates this process on three executables: ImportingModule.EXE, SomeModule.DLL, and AnotherModule.DLL.
Directories
PE Executables contain a list of special optional directories, which are essen- tially additional data structures that executables can contain. Most directories have a special data structure that describes their contents, and none of them is required for an executable to function properly.
Windows Fundamentals 99 07_574817 ch03.qxd 3/16/05 8:35 PM Page 99
Figure 3.4 The dynamic linking process and how modules can be interconnected using their import and export tables.
Table 3.1 lists the common directories and provides a brief explanation on each one. Code Section Export Section Function1 Function2 Function3 Import Section SomeModule.DLL: Function1 Function2 AnotherModule.DLL: Function4 Function 9 ImportingModule.EXE Code Section Export Section Function1 Function2 SomeModule.DLL Code Section Export Section Function1 Function2 Function3 AnotherModule.DLL 100 Chapter 3
Table 3.1 The Optional Directories in the Portable Executable File Format.
ASSOCIATED DATA
NAME DESCRIPTION STRUCTURE
Export Table Lists the names and RVAs of IMAGE_EXPORT_ all exported functions in the DIRECTORY current module.
Import Table Lists the names of module IMAGE_IMPORT_ and functions that are DESCRIPTOR imported from the current
module. For each function, the list contains a name string (or an ordinal) and an RVA that points to the current function’s import address table entry. This is the entry that receives the actual pointer to the imported function in runtime, when the module is loaded.
Resource Table Points to the executable’s IMAGE_RESOURCE_ resource directory. A resource DIRECTORY
directory is a static definition or various user-interface elements such as strings, dialog box layouts, and menus.
Base Relocation Table Contains a list of addresses IMAGE_BASE_ within the module that must RELOCATION be recalculated in case the
module gets loaded in any address other than the one it was built for.
Debugging Information Contains debugging IMAGE_DEBUG_ information for the executable. DIRECTORY This is usually presented in
the form of a link to an external symbol file that contains the actual debugging information.
Thread Local Storage Table Points to a special thread-local IMAGE_TLS_ section in the executable that DIRECTORY can contain thread-local
variables. This functionality is managed by the loader when the executable is loaded.
(continued)
Windows Fundamentals 101 07_574817 ch03.qxd 3/16/05 8:35 PM Page 101
Table 3.1 (continued)
ASSOCIATED DATA
NAME DESCRIPTION STRUCTURE
Load Configuration Table Contains a variety of image IMAGE_LOAD_ configuration elements, such CONFIG_ as a special LOCK prefix table DIRECTORY (which can modify an image
in load time to accommodate for uniprocessor or
multiprocessor systems). This table also contains information for a special security feature that lists the legitimate exception handlers in the module (to prevent malicious code from installing an illegal exception handler).
Bound Import Table Contains an additional IMAGE_BOUND_ import-related table that IMPORT_ contains information on DESCRIPTOR
boundimport entries. A bound import means that the importing executable contains actual addresses into the exporting module. This directory is used for confirming that such addresses are still valid.
Import Address Table (IAT) Contains a list of entries for A list of 32-bit each function imported from pointers the current module. These
entries are initialized in load time to the actual addresses of the imported functions.
Delay Import Descriptor Contains special information ImgDelayDescr that can be used for
implementing a delayed-load importing mechanism whereby an imported function is only resolved when it is first called. This mechanism is not supported by the operating system and is implemented by the C runtime library.