Trang chủ‎ > ‎RCE‎ > ‎PE Tutorials‎ > ‎

R4ndom - Detailed View of the IAT

The IAT, or Important Address Table, is a collection of just that; important addresses. These can include the address of the White House, the address of that hot little number in accounting, or the address of your grandmother. The last address speaks to the fact that these address are obviously relative; you may think that the girl from accounting is hot, but I may think she needs some serious plastic surgery, but that’s all beside the point. All of this is why we have RVAs, which tells us exactly how relative these addresses are in importance.

RVA stands for Relative’s Virtual Address, for example, your grandmothers Facebook address or your mother’s LinkedIn address- basically any ‘virtual’ address of one of your relatives.

Inside the IAT are various entities called IMPORT_DESCRIPTORs. You can tell that these are very important as they are always written in UPPERCASE LETTERS. IMPORT_DESCRIPTORs describe imports, like iPhone rip-offs from Korea, Hello Kitty backpacks from Japan, and those cool blankets from Mexico (they’re kind of scratchy but boy are they warm!)

Here are the various fields in an IMPORT_DESCRIPTOR, along with descriptions of each one:

OriginalFirstThunk:

“Thunk”, in this case, is like “I thunk I knew how many bytes there were in the IAT, but I guess I was wrong” or “You probably thunk that there were 16 bytes in an IMPORT_DESCRIPTOR, but there are actually 20.” The original first thunk is obviously the first thunk in history, probably “Who am I?” or “Why am I here?”.

TimeDateStamp:

Time is the current date, in stamp form.

ForwarderChain

This is similar to those old chain letters, where everyone sends $1 to the first person on the list of 10 people, and eventually everyone would be rich. But this field is the digital equivalent of that.

Name:

In case you cant thunk of the name of this field, the name is conveniently written here.

FirstThunk:

This is the first thunk of the day, as opposed to the original first thunk, which is the first thunk in history. This also points to a hint, just in case you forgot the name and can’t thunk of it.

Each one of these entries is devoted to a specific DLL, or Distributed List of Lies. DLLs add functionality to a program, like an amazing haircut, incredibly fast weight loss, or the ability to read the screen with your eyes closed. Though, as the name would suggest, they really can’t be trusted, so you do probably look fat in that dress.

All of these entities are inside the PE file (PE stands for Poorly Executed), as opposed to a COFF file (and sister files BURP, SNEEZE and HICCUP). There are other items inside these files, like voodoo Magic(which for some reason is spelled MZ), the Address of Entry Point (in case you need additional help with that sexy number in accounting), and the .bss section, where you put jokes, funny sayings and other BS.

Lastly, of course, all of this is put into memory, which doesn’t explain why you need so many hints and fields with the name and so forth. I guess with all of these acronyms, thunking of the right one when you need it is probably a daunting task!

I hope this helped in understanding the IAT. Please stay tuned for my next tutorial on “Break-points” (mine is waiting more than an hour in the dentists office).

-Till next time

R4ndumb.

Comments