dumpbin / imports显示的输入地址表和输入名称表是什么?
[英]What is Input Address Table and Input Name Table as displayed by dumpbin /imports?
问题描述
What is Input Address Table and Input Name Table as displayed by dumpbin /imports ? 
dumpbin /imports显示的Input Address Table和Input Name Table是什么?
Dump of file c:\windows\System32\kernel32.dll
File Type: DLL
Section contains the following imports:
API-MS-Win-Core-RtlSupport-L1-1-0.dll
78DBC000 Import Address Table
78E18D58 Import Name Table
0 time date stamp
0 Index of first forwarder reference
My initial guess was, it is the RVA IMAGE_IMPORT_DESCRIPTOR.FirstThunk , but looking at the value for IAT, it looks quite large to be a RVA. 我最初的猜测是,它是RVA IMAGE_IMPORT_DESCRIPTOR.FirstThunk ,但是从IAT的价值来看,要成为RVA看起来相当大。 I also guess, it cannot be an absolute address, as then the value would be meaningless (as that would mean wrt PE load address). 我还猜想,它不能是绝对地址,否则该值将无意义(因为这将意味着PE加载地址)。
Use Case 用例
I am creating a C++ Library to emulate dumpbin, and I am currently wondering what these two values would map to? 我正在创建一个C ++库来模拟dumpbin,并且我现在想知道这两个值将映射到什么?
1 个解决方案
解决方案1
1 已采纳 2013-09-30 19:40:17
I believe that dumpbin is displaying these two values (FirstThunk and OriginalFirstThunk) as virtual addresses based on the preferred base address (image base) of the module. 我相信dumpbin会根据模块的首选基址(图像基址)将这两个值(FirstThunk和OriginalFirstThunk)显示为虚拟地址。
In this example, the values are "ImageBase from optional header + FirstThunk/OriginalFirstThunk". 在此示例中,值是“来自可选标头的ImageBase + FirstThunk / OriginalFirstThunk”。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.