I’d love to have a clear explanation of how, in a Windows environment (PE executables), CALL XXXXXXXXXXXXXXX instructions work. I’ve been studying the PE format, but I’m quite confused about the relationship between the CALL ADDRESS instruction, the importing of a function from a DLL, and how the CALL ADDRESS reaches the code in a DLL. Besides, ASLR and other security functions may move DLLs around; how do executables cope with this?
It (that is, directly calling an import with a normal relative call) doesn’t work, and that’s why that’s not how it’s done.
To call an imported function, you go through something called the Import Address Table (IAT). In short, entries in the IAT first point to function names (i.e. it starts out as a copy of the Import Name Table), and those pointers are changed to point to the actual functions by the loader.
The IAT is at a fixed address, but can be relocated if the image has been rebased, so calling through it only involves a single indirection – so call r/m is used with a memory operand (which is just a simple constant) to call imported functions, for example call [0x40206C].
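As an added illustration (not part of the answer above), here is a Python script that builds a minimal PE32+ image containing only an import directory, parses that image the way the loader does (DOS header, NT headers, import descriptors, INT/IAT, hint/name entries), and then models the two things the answer describes: the loader overwriting each IAT slot with the resolved function address, and a call instruction reading one slot to find its target. The sample image, the DLL name, the hint/name entries and the export addresses are all constructed for the example; the parser itself works on real PE32+ files as well, and rebasing is modelled by loading the same image at a different base.

```python
import struct

# Layout of the constructed sample image (not taken from any real binary).
SECTION_RVA, SECTION_RAW = 0x2000, 0x400          # .idata RVA and file offset
DESC_OFF, INT_OFF, IAT_OFF, DLLNAME_OFF = 0x00, 0x40, 0x60, 0x80
HINTNAME_OFFS = {"ExitProcess": 0x90, "GetStdHandle": 0xA0}
IMAGE_BASE = 0x140000000
# Constructed stand-in for a DLL's export table: name -> absolute address.
FAKE_EXPORTS = {"KERNEL32.dll": {"ExitProcess": 0x7FF800011000,
                                 "GetStdHandle": 0x7FF800012000}}


def build_sample_pe() -> bytes:
    """Construct a minimal PE32+ file with one .idata section. On disk the IAT is a
    copy of the INT: every slot holds the RVA of a hint/name entry, not an address."""
    sec = bytearray(0x200)
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<5I", sec, DESC_OFF, SECTION_RVA + INT_OFF, 0, 0,
                     SECTION_RVA + DLLNAME_OFF, SECTION_RVA + IAT_OFF)
    thunks = [SECTION_RVA + off for off in HINTNAME_OFFS.values()] + [0]  # NUL-terminated
    struct.pack_into("<3Q", sec, INT_OFF, *thunks)   # Import Name Table
    struct.pack_into("<3Q", sec, IAT_OFF, *thunks)   # Import Address Table, identical on disk
    sec[DLLNAME_OFF:DLLNAME_OFF + 13] = b"KERNEL32.dll\0"
    for hint, (name, off) in enumerate(HINTNAME_OFFS.items(), start=1):
        sec[off:off + 2] = struct.pack("<H", hint)                  # IMAGE_IMPORT_BY_NAME.Hint
        sec[off + 2:off + 3 + len(name)] = name.encode() + b"\0"    # IMAGE_IMPORT_BY_NAME.Name
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)  # x64, 1 section
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                           # PE32+ magic
    struct.pack_into("<QII", opt, 24, IMAGE_BASE, 0x1000, 0x200)    # ImageBase, alignments
    struct.pack_into("<I", opt, 108, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * 1, SECTION_RVA + DESC_OFF, 40)   # import directory
    struct.pack_into("<II", opt, 112 + 8 * 12, SECTION_RVA + IAT_OFF, 24)   # IAT directory
    sect_hdr = struct.pack("<8sIIIIIIHHI", b".idata", 0x200, SECTION_RVA, 0x200,
                           SECTION_RAW, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + file_hdr + opt + sect_hdr
    return bytes(headers).ljust(SECTION_RAW, b"\0") + bytes(sec)


def _rva_to_off(sections, rva):
    """Translate an RVA to a file offset using the section table."""
    for va, raw, size in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} not backed by any section")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_imports(data: bytes) -> dict:
    """Walk DOS header -> NT headers -> import directory -> INT -> hint/name entries.
    Returns the image base and, per import, the RVA of its IAT slot."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, nt + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    opt = nt + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ is handled in this example")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    import_rva = struct.unpack_from("<I", data, opt + 112 + 8)[0]   # DataDirectory[1]
    sections = []
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, raw, max(vsize, rawsize)))
    imports, desc = [], _rva_to_off(sections, import_rva)
    while True:
        int_rva, _, _, name_rva, iat_rva = struct.unpack_from("<5I", data, desc)
        if iat_rva == 0 and name_rva == 0:          # all-zero descriptor ends the list
            break
        dll = _cstr(data, _rva_to_off(sections, name_rva))
        # Read names from the INT (falls back to the IAT when OriginalFirstThunk is 0).
        off, slot = _rva_to_off(sections, int_rva or iat_rva), iat_rva
        while (thunk := struct.unpack_from("<Q", data, off)[0]) != 0:
            if thunk >> 63:                          # import by ordinal
                imports.append({"dll": dll, "ordinal": thunk & 0xFFFF, "iat_slot_rva": slot})
            else:
                hn = _rva_to_off(sections, thunk)
                imports.append({"dll": dll, "name": _cstr(data, hn + 2),
                                "hint": struct.unpack_from("<H", data, hn)[0],
                                "iat_slot_rva": slot})
            off, slot = off + 8, slot + 8
        desc += 20
    return {"image_base": image_base, "imports": imports}


def simulate_loader(parsed: dict, exports: dict, load_base=None) -> dict:
    """Model the loader's IAT fixup: each slot is overwritten with the absolute address
    of the resolved export. Returns {slot VA: target}. A different load_base models
    rebasing: the slots move with the image, their contents do not."""
    base = parsed["image_base"] if load_base is None else load_base
    iat = {}
    for imp in parsed["imports"]:
        key = imp.get("name", imp.get("ordinal"))
        if key not in exports.get(imp["dll"], {}):
            raise ImportError(f"{imp['dll']}!{key} not found")
        iat[base + imp["iat_slot_rva"]] = exports[imp["dll"]][key]
    return iat


def call_through_iat(iat: dict, slot_va: int) -> int:
    """Model of `call [slot_va]`: a single memory indirection yields the target."""
    return iat[slot_va]
```

Running parse_imports on the constructed file shows the IAT slots at RVA 0x2060 and 0x2068 still holding hint/name RVAs; after simulate_loader the same slots hold the export addresses, and call_through_iat(iat, base + 0x2060) resolves to ExitProcess whether the image is loaded at its preferred base or rebased.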