flat assembler
Message board for the users of flat assembler.

Index > Windows > discardable / IMAGE_SCN_MEM_DISCARDABLE a piece of advice

Author
Thread Post new topic Reply to topic
asmfan



Joined: 11 Aug 2006
Posts: 392
Location: Russian
asmfan
Small notice to this flag: it should be used to the very last sections of image so that all sections with this flag (IMAGE_SCN_MEM_DISCARDABLE / discardable) would be the rally last ones that are expected to be loaded by loader.
They are commonly called: INIT, .rsrc, .reloc
The loader make no holes in consistent address space of loaded image and discards only the last sections with this flag.

So position your discardable sections to the end of image by properly placing them in asm file. Otherwise discardable (IMAGE_SCN_MEM_DISCARDABLE) flag have no meaning at runtime and sections will not be discarded by loader.

_________________
Any offers?
Post 05 Nov 2010, 11:20
View user's profile Send private message Reply with quote
baldr



Joined: 19 Mar 2008
Posts: 1651
baldr
asmfan,

Sections are page-aligned, what good this will do? Discardable (or "pure" for code) segments were significant hints in Win16, NT memory manager doesn't depend on them (probably — I'm still studying WRK).
Post 05 Nov 2010, 17:14
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17271
Location: In your JS exploiting you and your system
revolution
My Win XP SP2 box never discards any sections. I used to always put relocations at the end and mark them as discardable, but they were always present in the memory space. So I later "discarded" that idea and just started using the relocation section as uninitialised data overlapping the relocations.

It does make some debuggers go a bit mental sometimes
Post 05 Nov 2010, 17:24
View user's profile Send private message Visit poster's website Reply with quote
asmfan



Joined: 11 Aug 2006
Posts: 392
Location: Russian
asmfan
Keep studying WRK - a good habit.
Hint is mainly for R0 than R3. R0 x32 much more restricted in memory than per-process R0 VM area.
@Segments. They are flat since you mentioned them.
Sections are units of PEs contiguous allocations of pages of same characteristics. discarded sections (if they're at the very end of image) under R0 are freed from (system) PTEs after initialization.

relocation section as uninitialised data overlapping the relocations
A piece of code how sizes are calculated. Some $ usage and then addition of the rest of uninit?
Post 05 Nov 2010, 22:34
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17271
Location: In your JS exploiting you and your system
revolution
Code:
section 'mixed' data readable writeable
virtual
  var1 dd ?
  ;...
  uninit_end=$
end virtual
data fixups
end data
if uninit_end - $ > 0
  rb uninit_end - $
end if    
Post 06 Nov 2010, 00:50
View user's profile Send private message Visit poster's website Reply with quote
baldr



Joined: 19 Mar 2008
Posts: 1651
baldr
Discardable (or pure code) segments in Win16 mean that their contents can be discarded as a whole and reloaded on demand from file (i.e. they're immutable). NT paging makes this unusable. Yes, I've seen sections with IMAGE_SCN_MEM_DISCARDABLE bit set that (almost, but not completely) outlive OS runtime.
Post 06 Nov 2010, 09:13
View user's profile Send private message Reply with quote
asmfan



Joined: 11 Aug 2006
Posts: 392
Location: Russian
asmfan
baldr study WRK more. As well as Intel mans. Segmentation and paging are different mechanisms of different processes of memory management. Don't confuse OS with h/w behavior.
Here's about sections that OS provides. IMAGE_SCN_MEM_DISCARDABLE is still and yet well used by some clever guys in MS dev. Look into every .sys build with DDK/WDK for IMAGE_SCN_MEM_DISCARDABLE flag and make right decisions regarding use of it and sections with flag positions in PE files. And yet "secret" to you purpose of all of this.*)
*) hint WRK gives answers for this. Keep studying.
Post 06 Nov 2010, 10:33
View user's profile Send private message Reply with quote
baldr



Joined: 19 Mar 2008
Posts: 1651
baldr
asmfan,

Those code fragments in mminit.c and sysload.c don't resemble true discardable behavior of Win16 segments. Looks like a shim to me (additional checks for section's name make me firm in my opinion).
Post 06 Nov 2010, 13:22
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.