The PE format specification states that
All image files that import symbols, including virtually all executable (EXE) files, have an .idata section.
But I've notices that while it's true for debug builds, It's not true for release builds (at least when compiling with VS2010).
Visual Studio merges the IAT & Import Directory (and some other directories as well) together with the read-only data into .rdata section (I guess this is done to save space and load time).
It's easy enough to determine the location and size of both IAT & Import Directory (reading the directories information), But I couldn't find a way to determine where the actual data (read-only initialized data) starts and ends.
So, Is there any way to get that information out of the PE header?
Thanks
Aucun commentaire:
Enregistrer un commentaire