Hello,
I would like to know what is the difference, beetween .idata and .rdata. Some programs use .idata and others use .rdata (that contains it IAT).
But sometime we can found .idata and .rdata together, so why ?
I would like to know what is the difference, beetween .idata and .rdata. Some programs use .idata and others use .rdata (that contains it IAT).
But sometime we can found .idata and .rdata together, so why ?
.idata, IIRC that's the import section of a PE. It contains a table of imported functions from eg system dlls like Kernel32.dll and user32.dll.
.rdata, IIRC that's the resource section. Here you'll find string tables, icon-, dialog-, menu- resources, and the VERSION_INFO_SOMETHING (the "Version"-tab yu sometimes see when choosing properties for some PE-apps.).
MASM creates the .idata automatically, the .rdata is created when you have resources compiled into the exe/obj file.
Hope I've shaded some light, I'm still learning about the sections of a PE (since I more and more use FASM, then you write these sections your self (by hand or with help of macros)).
.rdata, IIRC that's the resource section. Here you'll find string tables, icon-, dialog-, menu- resources, and the VERSION_INFO_SOMETHING (the "Version"-tab yu sometimes see when choosing properties for some PE-apps.).
MASM creates the .idata automatically, the .rdata is created when you have resources compiled into the exe/obj file.
Hope I've shaded some light, I'm still learning about the sections of a PE (since I more and more use FASM, then you write these sections your self (by hand or with help of macros)).
.rdata, IIRC that's the resource section. Here you'll find string tables, icon-, dialog-, menu- resources, and the VERSION_INFO_SOMETHING (the "Version"-tab yu sometimes see when choosing properties for some PE-apps.).
the resource section will always be named '.rsrc'
'.rdata' is related to thread local storage iirc.
Do not rely on section names, they just contain arbitrary data.
You might rename .idata to .edata (or 'xxxxx') the loader will still load the content of the section the same way.
Just as you may find the IAT somewhere inside the data or code section...
You might rename .idata to .edata (or 'xxxxx') the loader will still load the content of the section the same way.
Just as you may find the IAT somewhere inside the data or code section...
Do not rely on section names, they just contain arbitrary data.
with .rsrc being the only exception ;)
Are you sure about .rsrc being an exception?
Win2K loader seem to have no problems if the name is changed, and since
the resource root directory RVA is specified in the PE header, I don't see
why the section name is so important.
Win2K loader seem to have no problems if the name is changed, and since
the resource root directory RVA is specified in the PE header, I don't see
why the section name is so important.
I would like to know what is the difference, beetween .idata and .rdata. Some programs use .idata and others use .rdata (that contains it IAT).
But sometime we can found .idata and .rdata together, so why ?
But sometime we can found .idata and .rdata together, so why ?
It depends on used linker.
idata - Import DATA
rdata - Read only DATA
masm's linker donesn't create .idata section.
It places all import (and export) info to .rdata section. And all .const data goes there.
These sections names are by default.
You can simply change it specifying corresponding option to linker:
To rename .text to mycode
/merge:.text=mycode
You can also combine some sectioons in one:
To merge .rdata to .text:
/merge:.rdata=.text
You'll get some linker warning. Suppress it with:
/ignore:4078
BTW: Linker places resources in .rsrc section.