comicfan
April 30th, 2009, 10:09
I have a question about how PE loader in Windows platform works. I am researching on a very small EXE file with only .text and .rdata section. .text includes a piece of shellcode using WSAStartup, WSASocketA etc (5 functions) from WS2_32.dll. However, from the hintname part from the IMAGE_IMPORT_DESCRIPTOR of WS2_32.dll, I can only found WSASocketA in the list. There are no description for other 4 functions. But the loader can fill the IAT table for those 5 functions without any trouble. How come the loader can know that? where is the info hidden from the file. I can't find any function names in file anywhere else.
Thanks a lot for your help!
Thanks a lot for your help!