0
votes

Everywhere the explanation is that the IAT of a process importing functions is filled with the addresses of the exported functions from the dll it wants them from.

But in what address space are these pointers to imported functions? If it's a virtual address, that won't make sense because the importing process has its own virtual space, and those dll functions ain't in it.

But protected mode doesn't allow physical addressing, so it can't be a physical address either. What gives?

1
What do you mean by "those DLL functions aint in it"? The first thing that happens when a process loads a DLL is that the DLL is mapped into the process address space! - Harry Johnston
You misunderstand the virtual address concept. Virtual address space is created for an entire process and is shared by all loaded images and otherwise allocated memory in this process. - j_kubik
I now understand. The dll is loaded into the process' virtual address space. I thought the import tables were just filled and that's it. - Lawrence M

1 Answer

1
votes

The whole reason for the IAT is precisely because the DLL is loaded at some unknown offset in the virtual address space. With ASLR, it's in fact intentionally unpredictable. The IAT serves as a jump table at a fixed location to the functions at the unpredictable location.

Obviously, the IAT can only be filled in once the DLL has been loaded into the process space. This is in fact the key operation performed by LoadLibrary. Actually loading the DLL may happen later, as it is demand-paged in.
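As an added illustration (not part of the original question or answer), the following Python constructs a PE32+ import fragment and simulates the loader step described above: the IAT slots sit at fixed RVAs inside the importing image, and once the DLL is mapped into the process each slot receives dll_base + export_rva, a virtual address within that same process. The layout follows the PE IMAGE_IMPORT_DESCRIPTOR and thunk structures; the KERNEL32 export RVAs and the two load bases are constructed sample values, not real ones.

```python
import struct

# Constructed PE32+ import fragment (not from the original post): one
# IMAGE_IMPORT_DESCRIPTOR for KERNEL32.dll importing two functions, with its
# import lookup table (ILT), IAT and hint/name strings, as mapped at SECTION_RVA.
SECTION_RVA = 0x2000
FUNCS = [b"GetProcAddress", b"VirtualAlloc"]
EXPORTS = {"GetProcAddress": 0x1A2B0, "VirtualAlloc": 0x2F3C0}  # constructed RVAs

def build_import_fragment():
    ilt = 40                                # after descriptor + null descriptor
    iat = ilt + 8 * (len(FUNCS) + 1)        # 8-byte thunks, zero-terminated
    names_rva = SECTION_RVA + iat + 8 * (len(FUNCS) + 1)
    names, name_rvas = b"", []
    for f in FUNCS:                         # IMAGE_IMPORT_BY_NAME: hint, name, NUL
        name_rvas.append(names_rva + len(names))
        names += struct.pack("<H", 0) + f + b"\0"
    desc = struct.pack("<IIIII", SECTION_RVA + ilt, 0, 0, names_rva + len(names),
                       SECTION_RVA + iat) + bytes(20)
    thunks = b"".join(struct.pack("<Q", r) for r in name_rvas) + bytes(8)
    return bytearray(desc + thunks + thunks + names + b"KERNEL32.dll\0")

def cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode()

def parse_imports(frag, rva):
    """Return [(dll, [(func, iat_slot_rva), ...]), ...] found in the fragment."""
    out, off = [], 0
    while True:
        ilt, _, _, name, iat = struct.unpack_from("<IIIII", frag, off)
        if name == 0:                       # all-zero descriptor ends the list
            return out
        funcs, i = [], 0
        while thunk := struct.unpack_from("<Q", frag, ilt - rva + 8 * i)[0]:
            funcs.append((cstr(frag, thunk - rva + 2), iat + 8 * i))  # skip hint
            i += 1
        out.append((cstr(frag, name - rva), funcs))
        off += 20

def bind_iat(frag, rva, loaded):
    """Loader simulation: each IAT slot gets dll_base + export_rva, a VA in this process."""
    bound = {}
    for dll, funcs in parse_imports(frag, rva):
        base, exports = loaded[dll.lower()]
        for func, slot in funcs:
            struct.pack_into("<Q", frag, slot - rva, base + exports[func])
            bound[func] = (slot, base + exports[func])
    return bound
```

Calling bind_iat on two fresh fragments with different bases (an ASLR-style relocation) leaves every slot RVA unchanged while every stored target moves by the difference in base.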