flat assembler
Message board for the users of flat assembler.

Index > Windows > question about dll function addresses

Author
Thread Post new topic Reply to topic
tthsqe



Joined: 20 May 2009
Posts: 767
tthsqe 05 Jul 2013, 09:11
suppose we have a dll for 64 bit windows such as
Code:
section '.text' code readable executable
proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
        mov     rax,TRUE
        ret
endp

f:
        push  rbp
        int3 
        mov  rax,g
....
        ret

g: .....
    


Now, the dll is loaded at different addresses each time that is is loaded, so the actual addresses of f and g are not fixed. However, I looked at the instruction mov rax,g in a debugger, and it indeed points to the correct function g every time. Then, I look at the instruction mov rax,g in a raw hex editor at it was set to address 0x00403ADE. What is going on? How does fasm tell windows that it needs to fix(rewrite) something as complicated as this every times the dll loads? To what extent can we expected things to be fixed correctly after dll load?
Post 05 Jul 2013, 09:11
View user's profile Send private message Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 4060
Location: vpcmpistri
bitRAKE 05 Jul 2013, 09:32
For a DLL a relocation section should be included, which specifies where address fixups should take place. The assembler keeps track of which addresses and sizes that need updating. So, that when it creates the fixup section the correct data is stored. Then the loader reads the fixup data, and makes the required changes.

_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
Post 05 Jul 2013, 09:32
View user's profile Send private message Visit poster's website Reply with quote
tthsqe



Joined: 20 May 2009
Posts: 767
tthsqe 05 Jul 2013, 09:38
Yeah - I guess that must be the way.
Challenge: Can you make a 64 bit dll in fasm that works when not relocated, but breaks when relocated by windows? Twisted Evil

Seriously, though, has the relocator mechanism been proven correct for all files (of lets say size < 4MB)?
Post 05 Jul 2013, 09:38
View user's profile Send private message Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 4060
Location: vpcmpistri
bitRAKE 05 Jul 2013, 11:10
I have a number of very radical PE64 files and come across unusual errors [1]. Most tools claim they are not even executables, but Windows executes them. RIP relative addressing could be used to eliminate relocation requirement.

https://code.google.com/p/corkami/wiki/PE

...might give you some ideas for avenues of extended research. corkami has compiled a nice variety of 32-bit PE files for testing requirements of loader across windows versions. The 64-bit loader has just as much flexibility it seems.
Post 05 Jul 2013, 11:10
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.