flat assembler
Message board for the users of flat assembler.
Windows > Why every program starts on 00 40 10 00?
revolution 04 Jul 2023, 17:02
Default Windows exe base address is 0x400000.
The header needs one 4kB page, so add +0x1000. And if you have your entry at the beginning, then the resulting address is 0x401000. You can change both of these values.
Code:
; image base changed from the default 0x400000 to 0x1000000
format pe console at 0x1000000

; section directive left commented out: with no sections declared, fasm puts
; everything into one default section starting at RVA 0x1000
;section '.idata' import data readable writeable

data import
    ; single import descriptor for KERNEL32.DLL, followed by a zero terminator
    dd 0,0,0,rva kernel_name,rva kernel_table
    dd 0,0,0,0,0
  kernel_table:
    ExitProcess  dd rva _ExitProcess
    GetStdHandle dd rva _GetStdHandle
    WriteFile    dd rva _WriteFile
    dd 0
  kernel_name   db 'KERNEL32.DLL',0
  _ExitProcess  db 0,0,'ExitProcess',0
  _GetStdHandle db 0,0,'GetStdHandle',0
  _WriteFile    db 0,0,'WriteFile',0
end data

;section '.text' code readable executable

STD_OUTPUT_HANDLE = -11

; entry point follows the import data, so it is not at the start of the section
entry $
    push STD_OUTPUT_HANDLE
    call [GetStdHandle]          ; eax = stdout handle
    push 0
    mov ecx,esp                  ; ecx -> dword on the stack for lpNumberOfBytesWritten
    push 0                       ; lpOverlapped
    push ecx                     ; lpNumberOfBytesWritten
    push message_length          ; nNumberOfBytesToWrite
    push message                 ; lpBuffer
    push eax                     ; hFile
    call [WriteFile]
    push 0                       ; exit code
    call [ExitProcess]

message db 'Hello World!',13,10,0
message_length = $ - message     ; includes the trailing NUL byte
Code:
~ objdump -f pe.exe

pe.exe:     file format pei-i386
architecture: i386, flags 0x0000010a:
EXEC_P, HAS_DEBUG, D_PAGED
start address 0x0100106e
sts-q 04 Jul 2023, 17:02
Hi,
for Linux, Wikipedia: Executable and Linkable Format (ELF) and man 5 elf know (a lot) more.
Greetings
bitRAKE 04 Jul 2023, 19:51
Microsoft has complicated the base address defaults for various binaries. Specifically, the legacy 0x400000 value is related to the 4MB paging of x86 processors. The constraints which made it a good choice in the beginning no longer apply (unless working in embedded space). Win11 is perfectly fine using a base address of 0x1_0000.
_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
int0x50 05 Jul 2023, 07:46
see if this is useful ...
Why is 0x00400000 the default base address for an executable? - https://devblogs.microsoft.com/oldnewthing/20141003-00/?p=43923
Flier-Mate 19 Jul 2023, 18:35
I am just aware that although PE32+ uses a QWORD runtime address in memory, in reality it will never use up all of the high-order DWORD, because even a 40-bit address is enough for 1TB of RAM, am I right?
For example, the image base in PE32+ may start with 0x0000 0001 xxxx xxxx
Flier-Mate 23 Jul 2023, 16:00
bitRAKE wrote: ...Win11 is perfectly fine using a base address of 0x1_0000.
Hi bitRAKE, congratulations on your 20-year membership anniversary. What is the value of 0x1_0000? I don't understand the meaning of the underscore; web search results don't reveal anything.
revolution 23 Jul 2023, 16:05
It's just a spacer. Same for the single quote:
Code:
mov ax, 2''''______'______''''''''1 ; = 21
Flier-Mate 23 Jul 2023, 16:06
revolution wrote: It's just a spacer. Same for the single quote:
Oh, I see now. So simple, thanks.
revolution 23 Jul 2023, 17:00
Flier-Mate wrote: ... web search results don't reveal anything.
bitRAKE 23 Jul 2023, 20:43
Flier-Mate wrote: Hi bitRAKE, congratulations on your 20-year membership anniversary.
Sometimes I want to test the code using the 64-bit address range. The Windows loader will put the Heap and Stack above the 32-bit address range if high-entropy ASLR is turned on. Just setting a base address of 0x12345678_0000 isn't going to do that, in my experience. The loader can also move around the system DLL mapping.
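The header fields this thread keeps coming back to, as an added example that is not code from the thread, from fasm, or from any of the posters: a Python script that reads ImageBase, AddressOfEntryPoint, SectionAlignment and the ASLR-related DllCharacteristics flags from a PE32 or PE32+ file and computes the entry VA that objdump -f reports as "start address". It covers revolution's point that the entry lands at ImageBase + 0x1000 when the first page holds the headers, and bitRAKE's later point that what the loader does with a chosen base is governed by header flags (DYNAMIC_BASE, HIGH_ENTROPY_VA) rather than by the base value alone. The build_pe() helper is an assumption of this example: it constructs a minimal, non-loadable PE in memory purely so the script runs offline, and the header offsets follow the PE/COFF optional header layout.

```python
"""Read ImageBase / entry point / ASLR flags from a PE32 or PE32+ image.

Added example, not from the forum thread or fasm. build_pe() constructs a
minimal PE purely as sample input; it is not a real binary from the thread.
"""
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
DYNAMIC_BASE = 0x0040      # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR opt-in)
HIGH_ENTROPY_VA = 0x0020   # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA (64-bit ASLR)


def parse_pe(data: bytes) -> dict:
    """Return image base, entry RVA/VA, alignments and ASLR flags of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                       # skip signature and 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    if magic == PE32_MAGIC:                       # 32-bit: BaseOfData, then 4-byte ImageBase
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:                 # 64-bit: no BaseOfData, 8-byte ImageBase
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    section_alignment, file_alignment = struct.unpack_from("<II", data, opt + 32)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "magic": magic,
        "image_base": image_base,
        "entry_rva": entry_rva,
        # objdump's "start address": with the default base and headers in the
        # first page this is 0x400000 + 0x1000 (+ anything before the entry).
        "entry_va": image_base + entry_rva,
        "section_alignment": section_alignment,
        "file_alignment": file_alignment,
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
    }


def build_pe(image_base: int, entry_rva: int = 0x1000, pe32plus: bool = False,
             dll_characteristics: int = 0) -> bytes:
    """Constructed sample: headers plus one empty .text section, not loadable."""
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    # Magic, linker ver, SizeOfCode/Init/Uninit, AddressOfEntryPoint, BaseOfCode[, BaseOfData]
    if pe32plus:
        std = struct.pack("<HBBIIIII", magic, 0, 0, 0, 0, 0, entry_rva, 0x1000)
        std += struct.pack("<Q", image_base)
    else:
        std = struct.pack("<HBBIIIIII", magic, 0, 0, 0, 0, 0, entry_rva, 0x1000, 0)
        std += struct.pack("<I", image_base)
    # SectionAlignment, FileAlignment, OS/image/subsystem versions, Win32VersionValue,
    # SizeOfImage, SizeOfHeaders, CheckSum, Subsystem (3 = console), DllCharacteristics
    win = struct.pack("<IIHHHHHHIIIIHH", 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0,
                      0x2000, 0x400, 0, 3, dll_characteristics)
    sizes = struct.pack("<" + ("QQQQ" if pe32plus else "IIII"),
                        0x100000, 0x1000, 0x100000, 0x1000)   # stack/heap reserve+commit
    tail = struct.pack("<II", 0, 16) + bytes(16 * 8)          # LoaderFlags, 16 empty data dirs
    opt_header = std + win + sizes + tail                     # 224 bytes PE32, 240 bytes PE32+
    machine = 0x8664 if pe32plus else 0x14C
    chars = 0x0002 | (0 if pe32plus else 0x0100)              # EXECUTABLE_IMAGE [| 32BIT_MACHINE]
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt_header), chars)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)       # 64-byte DOS header, e_lfanew = 0x40
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x400,
                                           0, 0, 0, 0, 0x60000020)  # CODE|EXECUTE|READ at RVA 0x1000
    return dos + b"PE\0\0" + coff + opt_header + section


def describe(data: bytes) -> str:
    """One-line summary, including whether the loader is allowed to move the image."""
    info = parse_pe(data)
    kind = "PE32+" if info["magic"] == PE32PLUS_MAGIC else "PE32"
    if info["dynamic_base"]:
        aslr = "DYNAMIC_BASE set, loader may relocate the image"
        if info["high_entropy_va"]:
            aslr += " (HIGH_ENTROPY_VA: 64-bit address range allowed)"
    else:
        aslr = "DYNAMIC_BASE clear, image expected at ImageBase"
    return (f"{kind}: ImageBase=0x{info['image_base']:x} "
            f"entry RVA=0x{info['entry_rva']:x} entry VA=0x{info['entry_va']:x}; {aslr}")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # inspect a real .exe given on the command line
        with open(sys.argv[1], "rb") as f:
            print(describe(f.read()))
    else:                                     # otherwise the constructed samples
        print(describe(build_pe(0x400000)))
        print(describe(build_pe(0x1000000, entry_rva=0x106E)))
        print(describe(build_pe(0x1_0000_0000, pe32plus=True,
                                dll_characteristics=DYNAMIC_BASE | HIGH_ENTROPY_VA)))
```

Run it against a fasm-built exe (python pe_fields.py pe.exe) and the entry VA should match objdump -f; for the sample constructed with base 0x1000000 and entry RVA 0x106E it reports 0x100106e, the same value the objdump output in this thread shows. Whether a given fasm output sets DYNAMIC_BASE or HIGH_ENTROPY_VA is not something the thread states; the script only reports what the header says.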
Copyright © 1999-2024, Tomasz Grysztar.