flat assembler
Message board for the users of flat assembler.
Windows > Why every program starts on 00 40 10 00?
revolution 04 Jul 2023, 17:02
Default Windows exe base address is 0x400000.
The header needs one 4kB page, so add +0x1000. And if you have your entry at the beginning, then the resulting address is 0x401000. You can change both of these values.
Code:
    format pe console at 0x1000000

    ;section '.idata' import data readable writeable
    data import
      dd 0,0,0,rva kernel_name,rva kernel_table
      dd 0,0,0,0,0
      kernel_table:
        ExitProcess dd rva _ExitProcess
        GetStdHandle dd rva _GetStdHandle
        WriteFile dd rva _WriteFile
        dd 0
      kernel_name db 'KERNEL32.DLL',0
      _ExitProcess db 0,0,'ExitProcess',0
      _GetStdHandle db 0,0,'GetStdHandle',0
      _WriteFile db 0,0,'WriteFile',0
    end data

    ;section '.text' code readable executable
    STD_OUTPUT_HANDLE = -11
    entry $
      push STD_OUTPUT_HANDLE
      call [GetStdHandle]
      push 0
      mov ecx,esp
      push 0
      push ecx
      push message_length
      push message
      push eax
      call [WriteFile]
      push 0
      call [ExitProcess]
    message db 'Hello World!',13,10,0
    message_length = $ - message
Code:
    ~ objdump -f pe.exe

    pe.exe:     file format pei-i386
    architecture: i386, flags 0x0000010a:
    EXEC_P, HAS_DEBUG, D_PAGED
    start address 0x0100106e
sts-q 04 Jul 2023, 17:02
Hi,
for Linux, Wikipedia: Executable and Linkable Format (ELF) and man 5 elf know (a lot) more. Greetings
bitRAKE 04 Jul 2023, 19:51
Microsoft has complicated the base address defaults for various binaries. Specifically, the legacy 0x400000 value is related to the 4MB paging of x86 processors. The constraints which made it a good choice in the beginning no longer apply (unless working in embedded space). Win11 is perfectly fine using a base address of 0x1_0000.
_________________ ¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
int0x50 05 Jul 2023, 07:46
see if this is useful ...
Why is 0x00400000 the default base address for an executable? - https://devblogs.microsoft.com/oldnewthing/20141003-00/?p=43923
Flier-Mate 19 Jul 2023, 18:35
I've just become aware that although PE32+ uses a QWORD runtime address in memory, in reality it will never use up all of the high-order DWORD, because even a 40-bit address is enough for 1 TB of RAM. Am I right?
For example, the image base in PE32+ may start with 0x0000 0001 xxxx xxxx
Flier-Mate 23 Jul 2023, 16:00
bitRAKE wrote: ...Win11 is perfectly fine using a base address of 0x1_0000.
Hi bitRAKE, congratulations on your 20-year membership anniversary. What is the value of 0x1_0000? I don't understand the meaning of the underscore; web search results don't reveal anything.
revolution 23 Jul 2023, 16:05
It's just a spacer. Same for the single quote:
Code:
    mov ax, 2''''______'______''''''''1 ; = 21
Flier-Mate 23 Jul 2023, 16:06
revolution wrote: It's just a spacer. Same for the single quote:
Oh, I see now. So simple, thanks.
revolution 23 Jul 2023, 17:00
Flier-Mate wrote: ... web search results don't reveal anything.
bitRAKE 23 Jul 2023, 20:43
Flier-Mate wrote: Hi bitRAKE, congratulations on your 20-year membership anniversary.
Sometimes I want to test the code using the 64-bit address range. The Windows loader will put the Heap and Stack above the 32-bit address range if high-entropy ASLR is turned on. Just setting a base address of 0x12345678_0000 isn't going to do that, in my experience. The loader can also move around the system DLL mapping.
_________________ ¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
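A small header parser, added here as an example and not code from this thread or from fasm, that reads the fields the posts above discuss: ImageBase and AddressOfEntryPoint (the 0x400000 + 0x1000 arithmetic in revolution's first post, and the 0x0100106e objdump result) together with the DllCharacteristics bits that let the loader apply the ASLR behaviour bitRAKE describes. The header bytes it parses are constructed inline by build_header(); only the fields parse_pe() reads are filled in, so the output is not a loadable image.

```python
import struct

DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: image may be relocated (ASLR)
HIGH_ENTROPY_VA = 0x0020  # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA: 64-bit ASLR range

def build_header(image_base, entry_rva, dll_chars, plus=False):
    """Constructed DOS header + PE signature + COFF + optional header; not loadable, test input only."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if plus else 0x014C, 1, 0, 0, 0, 240 if plus else 224, 0x0102)
    opt = bytearray(240 if plus else 224)
    struct.pack_into("<H", opt, 0, 0x20B if plus else 0x10B)   # Magic: PE32+ or PE32
    struct.pack_into("<I", opt, 16, entry_rva)                  # AddressOfEntryPoint (RVA)
    if plus:
        struct.pack_into("<Q", opt, 24, image_base)             # ImageBase is 8 bytes in PE32+
    else:
        struct.pack_into("<I", opt, 28, image_base)             # ImageBase is 4 bytes, after BaseOfData
    struct.pack_into("<I", opt, 32, 0x1000)                     # SectionAlignment: the headers take one page
    struct.pack_into("<H", opt, 70, dll_chars)                  # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

def parse_pe(data):
    """Return ImageBase, entry RVA, the entry VA the loader would use unrelocated, and the ASLR flags."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 4 + 20                                       # skip signature and 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                          # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                        # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "image_base": image_base,
        "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,                     # holds only if the image is not relocated
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy": bool(dll_chars & HIGH_ENTROPY_VA),
    }

if __name__ == "__main__":  # constructed sample: default 0x400000 base, entry at the start of the first page
    print(parse_pe(build_header(0x400000, 0x1000, 0)))
```

Run parse_pe() on the bytes of a real .exe to see whether its entry VA is fixed at ImageBase + RVA or whether DYNAMIC_BASE/HIGH_ENTROPY_VA let the loader relocate it; the entry_va field is only meaningful in the former case.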
Mat Quasar 02 Jan 2025, 06:01
Quote:
Source: https://learn.microsoft.com/en-us/cpp/build/reference/base-base-address?view=msvc-170
macomics 02 Jan 2025, 07:41
Mat Quasar wrote:
No one restricts you in the placement of modules in memory. You just need to understand that only 2 GB of addresses are available in 32 bits, and you need to fit everything into them so that the largest possible block of addresses remains for allocating data memory for the program. At the same time, you should have allocated stack blocks for each thread of the process, blocks for each section of each module, blocks for the heap and blocks for system needs. And after loading all this, you need to have a block of addresses for allocating memory in the program and for file mapping of the maximum size (at runtime).
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.