What's the difference between .rdata and .idat

2019-01-17 01:25发布

问题:

I noticed in IDA that the PE file which I analyze has not only the .rdata section but also .idata. What's the difference?

回答1:

  • .rdata is for const data. It is the read only version of the .data segment.

  • .idata holds the import directory (.edata for exports). It is used by EXE's and DLL's to designate the imported and exported functions. See the PE format specification (http://msdn.microsoft.com/library/windows/hardware/gg463125) for details.

Summarizing typical segment names:

.text: Code 
.data: Initialized data
.bss: Uninitialized data
.rdata: Const/read-only (and initialized) data
.edata: Export descriptors
.idata: Import descriptors
.reloc: Relocation table (for code instructions with absolute addressing when
          the module could not be loaded at its preferred base address)
.rsrc: Resources (icon, bitmap, dialog, ...)
.tls: __declspec(thread) data (Fails with dynamically loaded DLLs -> hard to find bugs)

As Martin Rosenau mentions, the segment names are only typical. The true segment type is specified in the segment header or is defined by usage of data stored in the segment.



回答2:

In fact, the names of the segments are ignored by Windows.

There are linkers that use different segment names and it is even possible to store the Import Descriptors, Export descriptors, Resources etc. in the ".text" segment instead of using separate segments.

However it seems to be simpler to create separate sections for such metadata so most linkers will use separate sections.

This means: Sections ".idata", ".rdata", ".rsrc", ... do not contain program data (although their name ends with "data") but they contain meta information that is used by the operating system. The ".rsrc" section for example holds information about the icon that is shown when looking at the executable file in the Explorer.

".idata" contains information about all DLL files required by the program.