Why We Need Import Reconstruction After Dump?

[rever_ser]

hi everyone!

 

as you know after dumping from a process we must rebuild import table to execute the dump file but why?

 

another questions related to this:

 

1. is address of system dlls (e.g kernell32.dll)  changes after each execution of program or after each system reboot? (if the anwer is "yes" is loader reconstruct import table after each execution?)
   
2. is system dlls loads in the process address range or they have a uniqe address and all of processes access to the dll by that address?
   

 

i know there are alot of reasons for import reconstruction after dump. but i want to know about in mentioned reason in detail.

 

thanks in advance!!!

Edited December 24, 2014 by rever_ser

[DMichael]

hi everyone!

 

as you know after dumping from a process we must rebuild import table to execute the dump file but why?

 

another questions related to this:

 

1. is address of system dlls (e.g kernell32.dll)  changes after each execution of program or after each system reboot? (if the anwer is "yes" is loader reconstruct import table after each execution?)

is system dlls loads in the process address range or they have a uniqe address and all of processes access to the dll by that address?

 

i know there are alot of reasons for import reconstruction after dump. but i want to know about in mentioned reason in detail.

 

thanks in advance!!!

because application using imports i order to call various API

about other questions:

1.address of import don't change at all only the application it self if ASLR is enabled

2.they have unique adresss but some protections just copies it functional in order to access them internally