
Once again, sorry for the bad title.

So I've been researching the PE format over the last week, and I didn't quite get something. When a process loads, all the DLLs get mapped into memory. What I don't understand is, because a DLL can get loaded at a random base address, how is the code of the .exe file able to know the addresses of the API functions? Is there some "startup code" that looks for Kernel32.dll or something? I understand that it is easy for the process to find functions with GetProcAddress, but how does it obtain the address of GetProcAddress?

user2073973

1 Answer

All Windows .EXE files (and all .DLL files depending on other .DLL files) have a so-called imports table.

This table contains a list of DLLs and functions required and arrays of function addresses.

When the .EXE file is loaded into memory Windows will internally call LoadLibrary for all DLLs and GetProcAddress for all API functions required by that .EXE file. It will fill the arrays in the imports table with the values returned by GetProcAddress.

If GetProcAddress returns NULL, that value is not written to the array, but loading the .EXE file will fail!

Martin Rosenau
    Is the address of the import always the same? How would it obtain this address? Also, is there a different import table of every loaded DLL, or is there just 1 import table, where all the functions of each DLL get loaded into? – user2073973 Feb 21 '14 at 14:58
  • The DLL knows where the addresses of the functions are within its space. The operating system (and the DLL) know where the DLL as a whole is in space. The application and the DLL both know the names of the functions, so the application asks the DLL for each function, and the DLL and/or operating system by this point knows from the imports table where each item is and tells the application. – old_timer Feb 21 '14 at 15:52
  • So when I call LoadLibrary, does it automatically add the addresses etc to the IAT? – user2073973 Feb 21 '14 at 16:21
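The import-table walk and IAT fill that the answer describes, as an added example (this is not code from the original post or its authors): a small Python reader for the PE import directory, run over a constructed PE32+ image, plus a `bind` step that plays the loader's role by writing resolved addresses into the IAT and failing the load when a symbol cannot be resolved. The image bytes, the `FAKE_EXPORTS` table and the addresses in it are constructed for the demonstration and are not real `KERNEL32.dll` addresses; the header offsets (data directory index 1, the 20-byte IMAGE_IMPORT_DESCRIPTOR, the 2-byte Hint before each name, the ordinal flag in the top bit of a thunk) follow the PE format itself.

```python
import struct
from collections import namedtuple

# One imported symbol: which DLL, which name (or ordinal), and the RVA of the
# IAT slot the loader overwrites with the resolved address.
Import = namedtuple("Import", "dll name iat_rva")


class PEImage:
    """Minimal reader for the PE import directory, plus a loader-style binder."""

    def __init__(self, image):
        self.image = image
        e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
        if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        coff = e_lfanew + 4
        nsections = struct.unpack_from("<H", image, coff + 2)[0]
        opt_size = struct.unpack_from("<H", image, coff + 16)[0]
        opt = coff + 20
        self.pe32plus = struct.unpack_from("<H", image, opt)[0] == 0x20B
        # Data directories start at +112 (PE32+) or +96 (PE32); entry 1 is the import directory.
        dd = opt + (112 if self.pe32plus else 96)
        self.import_rva = struct.unpack_from("<I", image, dd + 8)[0]
        # Section table follows the optional header; VirtualAddress, SizeOfRawData,
        # PointerToRawData sit at +12 of each 40-byte section header.
        sh = opt + opt_size
        self.sections = [struct.unpack_from("<III", image, sh + i * 40 + 12) for i in range(nsections)]
        self.thunk_fmt, self.thunk_size = ("<Q", 8) if self.pe32plus else ("<I", 4)
        self.ordinal_flag = 1 << (63 if self.pe32plus else 31)

    def rva_to_off(self, rva):
        for va, raw_size, raw_ptr in self.sections:
            if va <= rva < va + raw_size:
                return rva - va + raw_ptr
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    def cstr(self, off):
        return self.image[off:self.image.index(b"\0", off)].decode("ascii")

    def imports(self):
        """Walk the IMAGE_IMPORT_DESCRIPTOR array and each DLL's name thunks."""
        out, off = [], self.rva_to_off(self.import_rva)
        while True:
            oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<5I", self.image, off)
            if name_rva == 0 and ft == 0:
                break  # an all-zero descriptor terminates the table
            dll = self.cstr(self.rva_to_off(name_rva))
            # OriginalFirstThunk -> unbound name table (INT); FirstThunk -> the IAT.
            # Old linkers may leave OriginalFirstThunk 0, then the IAT itself holds the names.
            t, iat_rva = self.rva_to_off(oft or ft), ft
            while True:
                v = struct.unpack_from(self.thunk_fmt, self.image, t)[0]
                if v == 0:
                    break
                if v & self.ordinal_flag:
                    name = f"#{v & 0xFFFF}"  # import by ordinal, no name string
                else:
                    name = self.cstr(self.rva_to_off(v) + 2)  # skip the 2-byte Hint
                out.append(Import(dll, name, iat_rva))
                t += self.thunk_size
                iat_rva += self.thunk_size
            off += 20
        return out

    def bind(self, resolve):
        """What the loader does: resolve every import and write it into the IAT.
        resolve(dll, name) stands in for LoadLibrary + GetProcAddress."""
        bound = {}
        for imp in self.imports():
            addr = resolve(imp.dll, imp.name)
            if not addr:  # GetProcAddress returned NULL: the load fails
                raise ImportError(f"{imp.dll}!{imp.name} could not be resolved")
            struct.pack_into(self.thunk_fmt, self.image, self.rva_to_off(imp.iat_rva), addr)
            bound[imp.name] = addr
        return bound

    def iat_slot(self, rva):
        return struct.unpack_from(self.thunk_fmt, self.image, self.rva_to_off(rva))[0]


def build_sample_image():
    """Constructed PE32+ file (not a real binary) importing two KERNEL32.dll functions."""
    SECT_VA, SECT_RAW, SECT_SIZE = 0x1000, 0x200, 0x200
    sec = bytearray(SECT_SIZE)  # section layout: descriptors @0, INT @0x28, IAT @0x40, strings @0x58
    struct.pack_into("<5I", sec, 0x00, SECT_VA + 0x28, 0, 0, SECT_VA + 0x58, SECT_VA + 0x40)
    struct.pack_into("<3Q", sec, 0x28, SECT_VA + 0x66, SECT_VA + 0x78, 0)  # INT
    struct.pack_into("<3Q", sec, 0x40, SECT_VA + 0x66, SECT_VA + 0x78, 0)  # IAT, unbound on disk
    sec[0x58:0x65] = b"KERNEL32.dll\0"
    sec[0x66:0x77] = struct.pack("<H", 0) + b"GetProcAddress\0"  # IMAGE_IMPORT_BY_NAME
    sec[0x78:0x87] = struct.pack("<H", 0) + b"LoadLibraryA\0"
    hdr = bytearray(SECT_RAW)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 1, 0, 0, 0, 0xF0, 0x22)  # COFF header
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x20B)  # PE32+ magic
    struct.pack_into("<Q", hdr, opt + 24, 0x140000000)  # ImageBase (relocatable in practice)
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<II", hdr, opt + 56, 0x2000, SECT_RAW)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 108, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 112 + 8, SECT_VA, 40)  # DataDirectory[1] = imports
    struct.pack_into("<8sIIIIIIHHI", hdr, opt + 0xF0, b".idata", SECT_SIZE, SECT_VA,
                     SECT_SIZE, SECT_RAW, 0, 0, 0, 0, 0xC0000040)
    return hdr + sec


# Constructed stand-in for KERNEL32's export table; real addresses change with ASLR.
FAKE_EXPORTS = {
    ("KERNEL32.dll", "GetProcAddress"): 0x7FFA12340010,
    ("KERNEL32.dll", "LoadLibraryA"): 0x7FFA12340020,
}

if __name__ == "__main__":
    pe = PEImage(build_sample_image())
    for imp in pe.imports():
        print(f"{imp.dll}!{imp.name:<16} IAT slot RVA {imp.iat_rva:#x} -> {pe.iat_slot(imp.iat_rva):#x}")
    pe.bind(lambda dll, name: FAKE_EXPORTS.get((dll, name)))
    for imp in pe.imports():
        print(f"  bound: {imp.iat_rva:#x} -> {pe.iat_slot(imp.iat_rva):#x}")
```

Before `bind`, each IAT slot still holds the RVA of its own name entry (that is how the table looks on disk); after `bind`, it holds the address the resolver returned, which is exactly the state the answer describes once Windows has run LoadLibrary and GetProcAddress for every entry. Passing a resolver that returns `None` for any symbol raises `ImportError`, mirroring the load failure on a NULL from GetProcAddress. In a defensive review of a binary, this same walk is what lets an analyst list what an unknown .EXE expects to call without running it.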