----------------------------------------------------------------
The .idata section.

In this case:

As indicated, this section contains initialized data. It may be read and
written, but not executed.

In memory: the .idata section starts at memory address 0x404000, and is
0x94 bytes.

In the file: the .idata section starts at file offset 0x800, and is 0x200
bytes.

The import table is at memory address 0x404000, and is 0x94 bytes, as
indicated by the table directory in the Optional header.

The import address table is at memory address 0x404038, and is 0x10 bytes,
as indicated by the table directory in the Optional header.

800 404000 28 40 00 00·00 00 00 00·00 00 00 00·84 40 00 00 (@          ä@
810 404010 38 40 00 00·00 00 00 00·00 00 00 00·00 00 00 00 8@
820 404020 00 00 00 00·00 00 00 00·48 40 00 00·58 40 00 00         H@  X@
830 404030 68 40 00 00·00 00 00 00·48 40 00 00·58 40 00 00 h@      H@  X@
840 404040 68 40 00 00·00 00 00 00·b6 00 45 78·69 74 50 72 h@      ╢ ExitPr
850 404050 6f 63 65 73·73 00 00 00·b0 01 47 65·74 53 74 64 ocess   ░☺GetStd
860 404060 48 61 6e 64·6c 65 00 00·8f 03 57 72·69 74 65 43 Handle  Å♥WriteC
870 404070 6f 6e 73 6f·6c 65 57 00·00 40 00 00·00 40 00 00 onsoleW  @   @
880 404080 00 40 00 00·4b 45 52 4e·45 4c 33 32·2e 64 6c 6c  @  KERNEL32.dll
890 404090 00 00 00 00· · ·

----
The import table begins with the import directory table, an array of
structures, each 0x14 bytes, one per DLL to import from, terminated by a
null-filled structure.

800 404000 28 40 00 00· · ·                                (@
   Import Lookup Table RVA: 0x4028 (relative to ImageBase)
   The import lookup table to use for this DLL will be at memory address
   0x404028.

800 404000 ·00 00 00 00· ·
   Time/Date Stamp: 0
   This will be patched with the DLL's timestamp.

800 404000 · ·00 00 00 00·
   Forwarder Chain: 0

800 404000 · · ·84 40 00 00                                            ä@
   Name RVA: 0x4084 (relative to ImageBase)
   The name of this DLL will be at memory address 0x404084.
810 404010 38 40 00 00· · ·                                8@
   Import Address Table RVA: 0x4038 (relative to ImageBase)
   The Import Address Table for this DLL will be at 0x404038.

----
810 404010 ·00 00 00 00·00 00 00 00·00 00 00 00
820 404020 00 00 00 00·00 00 00 00· ·
   The terminating null structure.

--------
This import lookup table at 0x404028 is pointed to by the RVA at 0x404000.
Each import lookup table identifies the symbols to import from the DLL. It
is an array of dwords, terminated by a null dword. In each dword, if the
high bit is set, the symbol will be imported by ordinal. If the high bit is
clear, the symbol will be imported by name, and the low 32 bits are the
relative address of the name.

820 404020 · ·48 40 00 00·                                         H@
820 404020 · · ·58 40 00 00                                            X@
830 404030 68 40 00 00· · ·                                h@
   Import by name. Hint/Name table RVA: 0x4048 (relative to image base)
   Memory address: 0x404048.
   Import by name. Hint/Name table RVA: 0x4058 (relative to image base)
   Memory address: 0x404058.
   Import by name. Hint/Name table RVA: 0x4068 (relative to image base)
   Memory address: 0x404068.

830 404030 ·00 00 00 00· ·
   Terminating null dword.

--------
This import address table at 0x404038 is pointed to by the RVA at
0x404010. It is also pointed to by the RVA at 0x404158, but I don't
understand why that's necessary. I think there could be multiple import
address tables, and the specification doesn't specify which one would be
referred to in the table directory.

830 404030 · ·48 40 00 00·58 40 00 00                              H@  X@
840 404040 68 40 00 00·00 00 00 00· ·                      h@
   It is identical to the import lookup table at 0x404028. At load time,
   it will be patched with the memory addresses corresponding to the
   symbols.

--------
The hint/name table starting at 0x404048 contains the names of the symbols
to import. Each takes the form of a word hint, a null-terminated string,
and then, if necessary, an extra null to maintain word alignment.
In this case, the table seems to be padded to dword alignment, even though
the specification calls for word alignment.

The hint is an index into the DLL's export name table. It will be used, if
possible. Otherwise, the DLL's export name table will be searched for the
name.

This entry at 0x404048 is pointed to by the RVA at 0x404028.

840 404040 · ·b6 00 45 78·69 74 50 72                              ╢ ExitPr
850 404050 6f 63 65 73·73 00 00 00· ·                      ocess
   Hint: 0xb6
   Name: "ExitProcess"

--
This entry at 0x404058 is pointed to by the RVA at 0x40402c.

850 404050 · ·b0 01 47 65·74 53 74 64                              ░☺GetStd
860 404060 48 61 6e 64·6c 65 00 00· ·                      Handle
   Hint: 0x1b0
   Name: "GetStdHandle"

--
This entry at 0x404068 is pointed to by the RVA at 0x404030.

860 404060 · ·8f 03 57 72·69 74 65 43                              Å♥WriteC
870 404070 6f 6e 73 6f·6c 65 57 00· ·                      onsoleW
   Hint: 0x38f
   Name: "WriteConsoleW"

--------
870 404070 · ·00 40 00 00·00 40 00 00                               @   @
880 404080 00 40 00 00· · ·                                 @
   This seems to be garbage.

--------
This name at 0x404084 is pointed to by the RVA at 0x40400c.
880 404080 ·4b 45 52 4e·45 4c 33 32·2e 64 6c 6c                KERNEL32.dll
890 404090 00 00 00 00· · ·
   Name: "KERNEL32.dll"

--------
Padding to the next FileAlignment boundary:

890 404090 ·00 00 00 00·00 00 00 00·00 00 00 00
8a0 ------ 00 00 00 00·00 00 00 00·00 00 00 00·00 00 00 00
8b0 ------ 00 00 00 00·00 00 00 00·00 00 00 00·00 00 00 00
8c0 ------ 00 00 00 00·00 00 00 00·00 00 00 00·00 00 00 00
8d0 ------ 00 00 00 00·00 00 00 00·00 00 00 00·00 00 00 00
8e0 ------ 00 00 00 00·00 00 00 00·00 00 00 00·00 00 00 00
8f0 ------ 00 00 00 00·00 00 00 00·00 00 00 00·00 00 00 00
900 ------ 00 00 00 00·00 00 00 00·00 00 00 00·00 00 00 00
910 ------ 00 00 00 00·00 00 00 00·00 00 00 00·00 00 00 00
920 ------ 00 00 00 00·00 00 00 00·00 00 00 00·00 00 00 00
930 ------ 00 00 00 00·00 00 00 00·00 00 00 00·00 00 00 00
940 ------ 00 00 00 00·00 00 00 00·00 00 00 00·00 00 00 00
950 ------ 00 00 00 00·00 00 00 00·00 00 00 00·00 00 00 00
960 ------ 00 00 00 00·00 00 00 00·00 00 00 00·00 00 00 00
970 ------ 00 00 00 00·00 00 00 00·00 00 00 00·00 00 00 00
980 ------ 00 00 00 00·00 00 00 00·00 00 00 00·00 00 00 00
990 ------ 00 00 00 00·00 00 00 00·00 00 00 00·00 00 00 00
9a0 ------ 00 00 00 00·00 00 00 00·00 00 00 00·00 00 00 00
9b0 ------ 00 00 00 00·00 00 00 00·00 00 00 00·00 00 00 00
9c0 ------ 00 00 00 00·00 00 00 00·00 00 00 00·00 00 00 00
9d0 ------ 00 00 00 00·00 00 00 00·00 00 00 00·00 00 00 00
9e0 ------ 00 00 00 00·00 00 00 00·00 00 00 00·00 00 00 00
9f0 ------ 00 00 00 00·00 00 00 00·00 00 00 00·00 00 00 00