relative virtual addresses confusion

hey i have a bit confusion about relative virtual address i understand it first but then again thought about it and got confused hopefully someone will calarify to me what's it's this is about

suppose rva in iat section it uses rva right ? then it uses that address to calculate real content of the file ok so here why doesn't it just jmp at the address of that function directly instead of using a temp like variable ? also as far as i understand it's used for iat tables or it got other uses ? Please someone calarify to me what's it uses in details

Originally Posted by MrNoobah

suppose rva in iat section it uses rva right ? then it uses that address to calculate real content of the file ok so here why doesn't it just jmp at the address of that function directly instead of using a temp like variable ? also as far as i understand it's used for iat tables or it got other uses ? Please someone calarify to me what's it uses in details

Without the IAT the executable loader would have to make a huge number of fixups in the code segment. With the IAT, all the loader has to do is pass once through the table and add the true VMA to each entry.

This can reduce the number of fixups by many thousands of times for a complex DLL. And because Windows loads and unloads DLLs like nobody's business, being able to do it quickly is important.

There's another ENORMOUS reason why we do not directly modify the code segment. This would prevent us from being able to share code pages between different instances of the DLL. Essentially, it would completely defeat the purpose of having a DLL, which is to allow the same code to be loaded only ONCE into memory. If two processes load the same DLL at different addresses, then they will have different IATs. That's a much smaller impact than having two complete copies of the DLL in memory at the same time.

Originally Posted by brewbuck

Without the IAT the executable loader would have to make a huge number of fixups in the code segment. With the IAT, all the loader has to do is pass once through the table and add the true VMA to each entry.

This can reduce the number of fixups by many thousands of times for a complex DLL. And because Windows loads and unloads DLLs like nobody's business, being able to do it quickly is important.

There's another ENORMOUS reason why we do not directly modify the code segment. This would prevent us from being able to share code pages between different instances of the DLL. Essentially, it would completely defeat the purpose of having a DLL, which is to allow the same code to be loaded only ONCE into memory. If two processes load the same DLL at different addresses, then they will have different IATs. That's a much smaller impact than having two complete copies of the DLL in memory at the same time.

but using rva wouldn't alrdy get translated to dll real address in the end so it's the same ? also rva is only used for IAT ? or it has other uses aswell ?

Can you rephrase the question? I don't understand it.

when rva get's translated to the address of the function let's say printf which is in IAT table of our pe format to get it's address we add rva to load address of it (as msdn specifcation says)
which get translated to it's real address wouldn't it be easier to use real address from the begging ?

for example to get image base address which is first byte the file was loaded in we add loaded address to rva k but why in we don't load with image base address to begin with instead of all that stuff ?

Originally Posted by MrNoobah

for example to get image base address which is first byte the file was loaded in we add loaded address to rva k but why in we don't load with image base address to begin with instead of all that stuff ?

What if two DLLs both request the same base address? Obviously they cannot both load at the same place in memory. Windows will need to move ("rebase") one of them to a different base VMA.

yes your right i didn't know that windows rebase makes sense lol all that over some simple thing
thanks