Hello,

The subject is about IAT:

Is someone can say me what is the size of IMAGE_IMPORT_BY_NAME structure ?
I Believed it had 2 members, the ordinal and the RVA of the name of the function, so one WORD for the first and a DWORD for the RVA...., So 6 Bytes lenth.
however when I use "mov eax, Sizeof IMAGE_IMPORT_BY_NAME" it returns me 3 and not 6.

Where I'm wrong ?
Posted on 2002-01-20 04:22:17 by Morgatte
IMAGE_IMPORT_BY_NAME has a variable size. First the hint, then
the asciz import name (the actual chars, not a RVA).
Posted on 2002-01-20 05:18:07 by f0dder
Ok, I believe you


But I do'nt anderstand why I find a size of 3 bytes only.

Second, for the name of the function, it is variable but is the next name's function is directely separated with a NULL or after the first name we found a 32bits alignment.


name1.name2 40.54.21.12.31.00.40.54.21.12.32.0

OR

name1...name2 40.54.21.12.31.00.00.00
40.54.21.12.32.00.00.00
Posted on 2002-01-20 05:50:14 by Morgatte
SizeOf works at assemble-time, so it has no way of knowing the
"correct" length of the structure. If you look at windows.inc, you'll
see that IMAGE_IMPORT_BY_NAME.name1 is defined as a single byte.
This is just so you can address it.

The names are NUL terminated... I can't remember if they're aligned,
but word alignment sounds likely. But this shouldn't matter too much,
as you're supposed to get at the IMAGE_I_B_N structures through
the FirstThunk array - not by going to a single I_B_N and reading
through them.
Posted on 2002-01-20 05:59:33 by f0dder