windows .rdata 和 .idata 段之间有什么区别?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/19012300/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
What's the difference between .rdata and .idata segments?
提问by Adam Sznajder
I noticed in IDA that the PE file which I analyze has not only the .rdatasection but also .idata. What's the difference?
我在 IDA 中注意到,我分析的 PE 文件不仅有.rdata部分,而且还有.idata. 有什么不同?
回答by Andreas H.
.rdatais for const data. It is the read only version of the .data segment..idataholds the import directory (.edata for exports). It is used by EXE's and DLL's to designate the imported and exported functions. See the PE format specification (http://msdn.microsoft.com/library/windows/hardware/gg463125) for details.
.rdata用于常量数据。它是 .data 段的只读版本。.idata保存导入目录(用于导出的 .edata)。EXE 和 DLL 使用它来指定导入和导出的函数。有关详细信息,请参阅 PE 格式规范 ( http://msdn.microsoft.com/library/windows/hardware/gg463125)。
Summarizing typical segment names:
总结典型的段名称:
.text: Code
.data: Initialized data
.bss: Uninitialized data
.rdata: Const/read-only (and initialized) data
.edata: Export descriptors
.idata: Import descriptors
.reloc: Relocation table (for code instructions with absolute addressing when
the module could not be loaded at its preferred base address)
.rsrc: Resources (icon, bitmap, dialog, ...)
.tls: __declspec(thread) data (Fails with dynamically loaded DLLs -> hard to find bugs)
As Martin Rosenau mentions, the segment names are only typical. The true segment type is specified in the segment header or is defined by usage of data stored in the segment.
正如 Martin Rosenau 所提到的,段名称只是典型的。真正的段类型在段头中指定或由段中存储的数据的使用定义。
回答by Martin Rosenau
In fact, the names of the segments are ignored by Windows.
实际上,Windows 忽略了段的名称。
There are linkers that use different segment names and it is even possible to store the Import Descriptors, Export descriptors, Resources etc. in the ".text" segment instead of using separate segments.
有使用不同段名称的链接器,甚至可以将导入描述符、导出描述符、资源等存储在“.text”段中,而不是使用单独的段。
However it seems to be simpler to create separate sections for such metadata so most linkers will use separate sections.
但是,为此类元数据创建单独的部分似乎更简单,因此大多数链接器将使用单独的部分。
This means: Sections ".idata", ".rdata", ".rsrc", ... do notcontain program data (although their name ends with "data") but they contain meta information that is used by the operating system. The ".rsrc" section for example holds information about the icon that is shown when looking at the executable file in the Explorer.
这意味着:“.idata”、“.rdata”、“.rsrc”等部分不包含程序数据(尽管它们的名称以“data”结尾)但它们包含操作系统使用的元信息。例如,“.rsrc”部分包含有关在资源管理器中查看可执行文件时显示的图标的信息。
".idata" contains information about all DLL files required by the program.
“.idata”包含有关程序所需的所有 DLL 文件的信息。
