
To my knowledge the import address table (IAT) is a table of imported functions. But lately I found that in some executables the IAT is empty: in the IAT's data directory entry, both VirtualAddress and Size are zero. To my surprise, an executable without an IAT could run.

Then I found some code in MS detours:

// If the file doesn't have an IAT_DIRECTORY, we create it...
if (inh.IAT_DIRECTORY.VirtualAddress == 0) {
    inh.IAT_DIRECTORY.VirtualAddress = obBase;
    inh.IAT_DIRECTORY.Size = cbNew;
}

There is an API called DetourCreateProcessWithDllExA in MS Detours; as its name says, it can launch an executable with specified DLLs: it creates a process in suspended mode, modifies the import table (adds the DLLs), and resumes the main thread to run. The code above is part of this procedure.

Based on my test, if you comment out the code above, the process will crash at the very beginning. But even more amazing is that you can modify VirtualAddress and Size freely, for example:

// If the file doesn't have an IAT_DIRECTORY, we create it...
if (inh.IAT_DIRECTORY.VirtualAddress == 0) {
    inh.IAT_DIRECTORY.VirtualAddress = 123;
    inh.IAT_DIRECTORY.Size = 456;
}

And it works! I don't know why. It seems that obBase and cbNew do not make any sense either.

Q1: Why can the IAT be empty?

Q2: Why must MS Detours modify the IAT? What's going on?

Edit:

An executable with an empty IAT may be a packed executable. Although I still don't know the answers to my questions.

amanjiang

1 Answer


Q1: The IAT directory can be empty because the information it contains is useless for the Windows loader. All needed information is in the Import Table. See IMAGE_IMPORT_DESCRIPTOR -> FirstThunk in WinNT.h.

Neo85
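As an added illustration of the answer (this is not code from the thread or from Detours): a small PE32 import walker that follows IMAGE_IMPORT_DESCRIPTOR.FirstThunk the way the answer describes, run over a constructed minimal image once with the IAT data directory zeroed and once with it filled in. The walk finds the same thunk array either way, because the descriptor, not the IAT directory entry, says where the thunks live. It assumes a flat image view where RVA equals file offset (sections mapped 1:1) and hard-codes PE32 header offsets from WinNT.h.

```python
import struct

DD_IMPORT, DD_IAT = 1, 12   # DataDirectory indices (IMPORT_TABLE, IAT) per WinNT.h

def data_dir(image, idx):
    """(VirtualAddress, Size) of OptionalHeader.DataDirectory[idx] in a PE32 image."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    opt = e_lfanew + 4 + 20                  # skip "PE\0\0" and IMAGE_FILE_HEADER
    return struct.unpack_from("<II", image, opt + 96 + idx * 8)   # PE32: dirs at +96

def cstr(image, off):
    return image[off:image.index(b"\0", off)].decode()

def walk_imports(image):
    """Follow IMAGE_IMPORT_DESCRIPTOR.FirstThunk per DLL, as the loader does.
    Returns [(dll_name, first_thunk_rva, [imported names or ordinals])].
    Assumption: flat image where RVA == offset (no section-table translation)."""
    rva, _size = data_dir(image, DD_IMPORT)
    result = []
    while rva:
        oft, _ts, _fc, name, ft = struct.unpack_from("<5I", image, rva)
        if oft == 0 and name == 0 and ft == 0:      # all-zero terminator descriptor
            break
        entries, t = [], ft
        while (v := struct.unpack_from("<I", image, t)[0]) != 0:
            # high bit set -> import by ordinal; else RVA of IMAGE_IMPORT_BY_NAME (2-byte hint + name)
            entries.append(v & 0xFFFF if v & 0x80000000 else cstr(image, v + 2))
            t += 4
        result.append((cstr(image, name), ft, entries))
        rva += 20                                   # sizeof(IMAGE_IMPORT_DESCRIPTOR)
    return result

def build_image(with_iat_dir):
    """Constructed minimal PE32 image (not a real binary) importing ExitProcess from KERNEL32.dll."""
    img = bytearray(0x300)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                      # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 0, 0, 0, 0, 0xE0, 0x102)  # FILE_HEADER, i386
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", img, opt + 92, 16)                    # NumberOfRvaAndSizes
    # import data: descriptor @0x200, DLL name @0x240, hint/name @0x250, IAT @0x280, INT @0x290
    struct.pack_into("<5I", img, 0x200, 0x290, 0, 0, 0x240, 0x280)
    img[0x240:0x240 + 13] = b"KERNEL32.dll\0"
    img[0x250:0x250 + 14] = b"\0\0ExitProcess\0"
    struct.pack_into("<II", img, 0x280, 0x250, 0)                # FirstThunk array (the real IAT)
    struct.pack_into("<II", img, 0x290, 0x250, 0)                # OriginalFirstThunk array
    struct.pack_into("<II", img, opt + 96 + DD_IMPORT * 8, 0x200, 40)
    if with_iat_dir:                                             # only the directory entry differs
        struct.pack_into("<II", img, opt + 96 + DD_IAT * 8, 0x280, 8)
    return bytes(img)

if __name__ == "__main__":
    for flag in (False, True):
        img = build_image(flag)
        print("IAT dir:", data_dir(img, DD_IAT), "->", walk_imports(img))
```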