Import Address Table.
Section: .data
 |
| IAT in section idata |
During Application loading into memory by Windows, all value at IAT will be resolve.
 |
| Import Address has been populated in IAT |
Assembly code:
 |
| Call to Windows API(GetVersion) |
Reffering at 0x004012c8:
- FF 15 : indirect call
- 38604000 >> 0x00046038 : contains 0x775944c7(address of GetVersion function)
- EIP will jump to GetVersion().
- Since its a CALL, execution will return to 0x004012CE afterwords
ref: http://win32assembly.programminghorizon.com/pe-tut6.html
No comments:
Post a Comment
Terima kasih