windowsreverse-engineeringportable-executable

What's the difference between .rdata and .idata segments?


I noticed in IDA that the PE file which I analyze has not only the .rdata section but also .idata. What's the difference?


Solution

  • Summarizing typical segment names:

    .text: Code 
    .data: Initialized data
    .bss: Uninitialized data
    .rdata: Const/read-only (and initialized) data
    .edata: Export descriptors
    .idata: Import descriptors
    .pdata: Exception information
    .xdata: Stack unwinding information
    .reloc: Relocation table (for code instructions with absolute addressing when
              the module could not be loaded at its preferred base address)
    .rsrc: Resources (icon, bitmap, dialog, ...)
    .tls: __declspec(thread) data (Fails with dynamically loaded DLLs -> hard to find bugs)
    

    As Martin Rosenau mentions, the segment names are only typical. The true segment type is specified in the segment header or is defined by usage of data stored in the segment.