flat assembler
Message board for the users of flat assembler.

Index > Windows > image base address.

vbVeryBeginner
Joined: 15 Aug 2004
Posts: 884
Location: \\world\asia\malaysia
I saw that some programs' image base is 40 00 00 while notepad's is 1 00 00 00, and their start addresses are also different: some are 40 20 00, notepad's is 1 00 6A E0. Does anyone know why they are different? Because I always thought the image base address and start address were generally 400000.

I wish to know why there is a difference. Thank you.
Post 06 May 2006, 10:47
f0dder
Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
Start address can be more or less anything, it will depend on the compiler (or assembler) and the standard library used.

As for why you'd use a non-0x400000 imagebase for EXE files, no idea. For DLLs it makes good sense, though.
Post 06 May 2006, 14:05
okasvi
Joined: 18 Aug 2005
Posts: 382
Location: Finland
f0dder wrote:
As for why you'd use a non-0x400000 imagebase for EXE files, no idea. For DLLs it makes good sense, though.


http://www.honeynet.org/scans/scan33/nico/index.html

That was pointed out to me by shism2. Interesting :D

_________________
When We Ride On Our Enemies
support reverse smileys |:
Post 06 May 2006, 14:20
zhak
Joined: 12 Apr 2005
Posts: 490
Location: Belarus
In "Microsoft Portable Executable and Common Object File Format Specification, Rev. 6.0" it is stated that ImageBase is a
Quote:
preferred address of first byte of image when loaded into memory; must be a multiple of 64K. The default for DLLs is 0x10000000. The default for Windows CE EXEs is 0x00010000. The default for Windows NT, Windows 95, and Windows 98 is 0x00400000.

It seems that EXEs in the WINDOWS dir and its subdirs use a different ImageBase just... to be different from all the rest of the applications. Maybe MS programmers just do not want these standard win32 executables to share the same address space with other apps... to decrease loading time, for example, or whatever else, who knows...
Post 06 May 2006, 19:20
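The numbers in the opening question (image base 0x01000000, start address 0x01006AE0) and the rules in the spec passage zhak quotes both come straight out of the PE optional header. The following is an added example, not code from this thread or from fasm: it reads ImageBase and AddressOfEntryPoint (an RVA, so the "start address" is ImageBase + RVA), checks the 64K-alignment rule, and reports whether the file is a DLL and whether its relocations were stripped. It also reads DllCharacteristics, because on Windows Vista and later an image flagged IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR) is loaded at a randomized base regardless of ImageBase, which is the modern reason the preferred base is only a hint. The function names build_minimal_pe and parse_pe_headers are mine; build_minimal_pe constructs a header-only image in memory so the code runs without a real file, and the sample values are those from the question.

```python
import struct
import sys

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_DLL = 0x2000
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_pe_headers(data: bytes) -> dict:
    """Pull the base/entry fields out of a PE image (file bytes or mapped headers)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, _nsec, _ts, _symptr, _nsyms, _optsize, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint is an RVA
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]  # 32-bit ImageBase
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]  # 64-bit ImageBase
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    section_align, file_align = struct.unpack_from("<II", data, opt + 32)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "image_base": image_base,
        "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,        # the "start address" seen in a debugger
        "image_base_64k_aligned": image_base % 0x10000 == 0,  # spec: must be a multiple of 64K
        "section_alignment": section_align,
        "file_alignment": file_align,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def build_minimal_pe(image_base: int, entry_rva: int, *, is_dll: bool = False, pe32plus: bool = False,
                     relocs_stripped: bool = False, dynamic_base: bool = False) -> bytes:
    """Constructed header-only image (no sections) so the parser can be exercised offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    chars = 0x0022 if pe32plus else 0x0102  # EXECUTABLE_IMAGE plus LARGE_ADDRESS_AWARE / 32BIT_MACHINE
    if is_dll:
        chars |= IMAGE_FILE_DLL
    if relocs_stripped:
        chars |= IMAGE_FILE_RELOCS_STRIPPED
    opt_size = 240 if pe32plus else 224  # standard optional header sizes with 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<H", opt, 68, 2)               # Subsystem: Windows GUI
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def describe(data: bytes) -> str:
    h = parse_pe_headers(data)
    kind = "DLL" if h["is_dll"] else "EXE"
    return (f"{kind} ImageBase=0x{h['image_base']:X} EntryPoint RVA=0x{h['entry_rva']:X} "
            f"-> VA=0x{h['entry_va']:X} 64K-aligned={h['image_base_64k_aligned']} "
            f"relocs_stripped={h['relocs_stripped']} ASLR={h['aslr']}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:   # a real EXE/DLL given on the command line
            print(describe(f.read()))
    else:
        # Constructed samples using the values from the question above.
        print(describe(build_minimal_pe(0x00400000, 0x2000)))
        print(describe(build_minimal_pe(0x01000000, 0x6AE0)))
        print(describe(build_minimal_pe(0x10000000, 0x1000, is_dll=True)))
```

Run it with a path to any EXE or DLL to see the real fields; without arguments it prints the constructed samples. Note that entry_va is only where execution would start if the loader honours ImageBase; with relocations present (and especially with the ASLR flag) the real address is ImageBase plus whatever delta the loader applied.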
vbVeryBeginner
Joined: 15 Aug 2004
Posts: 884
Location: \\world\asia\malaysia
Thanks f0dder, okasvi & zhak for the clarification :)

I recall from some of the documents I read that each program/PE file in win32 has its own 4 GB of memory, so how can the
Quote:

standard win32 executables share the same address space with other apps

I feel confused :(

How does the Windows OS actually manage memory? I don't have the big picture yet :( :(
Post 06 May 2006, 19:57
f0dder
Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
okasvi: that article is an interesting read, but "this simple modification will confuse some Reverse Engineers" is a bit weak :)

vbVeryBeginner: each program doesn't have its own 4 GB of memory, but it has its own address space (which on standard configurations is 2 GB "shared" for the kernel, and 2 GB private for each process). It's done by the use of x86 protected mode paging, and giving each process its own page tables.
Post 07 May 2006, 09:28
zhak
Joined: 12 Apr 2005
Posts: 490
Location: Belarus
Read about protected mode memory management in "IA-32 Intel® Architecture Software Developer’s Manual, volume 3". There you'll find the complete description of how paging and segmentation work.
Post 07 May 2006, 11:09
Ancient One
Joined: 28 Feb 2005
Posts: 55
Or, specifically, read "Inside Windows"-type books. By the way, the start address will never be the same as the image base: the image base is the start of your exe "file" (or image) in memory, while the start address (or entry point) is where code execution starts.

We need different image bases for DLLs because we can load many DLLs inside one process, and if their image bases are the same, they will be relocated to a different address. This is fatal for DLLs which don't have relocation info, since absolute addresses inside the DLL are no longer correct. Relocations for an exe are generally not needed because it is the first to be loaded inside the process address space (other than kernel32.dll).
Post 22 May 2006, 08:26
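The relocation scenario in the post above can be shown concretely. What follows is an added example, not code from this thread or from fasm: it implements the .reloc directory format from the PE spec (IMAGE_BASE_RELOCATION blocks of a page RVA, a block size, and 16-bit entries whose top 4 bits are the type and low 12 bits the offset within the page), then plays loader for two DLLs that both prefer ImageBase 0x10000000. The first gets its preferred base, the second collides and is moved up by 64K, and every absolute address in it is patched by the delta. The last function shows the fatal case from the post: an image whose relocations were stripped cannot be moved, so the loader has no choice but to fail. The toy image (one mov eax,[abs32] instruction at RVA 0x1000 pointing at a variable at RVA 0x3000) and the names build_sample_dll, rebase_image and load_two_dlls are constructed for this example.

```python
import struct

# Relocation entry types from the PE/COFF specification.
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # add delta to a 32-bit absolute address
IMAGE_REL_BASED_DIR64 = 10     # add delta to a 64-bit absolute address


def parse_reloc_directory(reloc: bytes):
    """Yield (rva, type) for every fixup in a .reloc directory made of IMAGE_BASE_RELOCATION blocks."""
    off = 0
    while off + 8 <= len(reloc):
        page_rva, size = struct.unpack_from("<II", reloc, off)
        if size < 8 or off + size > len(reloc):
            raise ValueError("malformed relocation block")
        for i in range((size - 8) // 2):
            entry = struct.unpack_from("<H", reloc, off + 8 + 2 * i)[0]
            yield page_rva + (entry & 0xFFF), entry >> 12
        off += size


def rebase_image(image: bytearray, reloc: bytes, preferred_base: int, actual_base: int,
                 relocs_stripped: bool = False) -> int:
    """Apply base relocations in place; returns the number of fixups applied."""
    delta = actual_base - preferred_base
    if delta == 0:
        return 0  # loaded at the preferred base: nothing to patch
    if relocs_stripped:
        # IMAGE_FILE_RELOCS_STRIPPED: absolute addresses cannot be fixed, the load must fail
        raise RuntimeError("image has no relocation info and cannot be loaded away from its preferred base")
    applied = 0
    for rva, kind in parse_reloc_directory(reloc):
        if kind == IMAGE_REL_BASED_ABSOLUTE:
            continue
        if kind == IMAGE_REL_BASED_HIGHLOW:
            old = struct.unpack_from("<I", image, rva)[0]
            struct.pack_into("<I", image, rva, (old + delta) & 0xFFFFFFFF)
        elif kind == IMAGE_REL_BASED_DIR64:
            old = struct.unpack_from("<Q", image, rva)[0]
            struct.pack_into("<Q", image, rva, (old + delta) & 0xFFFFFFFFFFFFFFFF)
        else:
            raise ValueError(f"unsupported relocation type {kind}")
        applied += 1
    return applied


def build_sample_dll(preferred_base: int):
    """Constructed toy image: 'mov eax, [preferred_base+0x3000]' at RVA 0x1000 plus a matching .reloc."""
    image = bytearray(0x4000)
    image[0x1000] = 0xA1                                  # mov eax, moffs32
    struct.pack_into("<I", image, 0x1001, preferred_base + 0x3000)  # the absolute address the linker wrote
    # One block for page 0x1000: a HIGHLOW fixup at offset 1, plus an ABSOLUTE pad to keep the block 4-byte aligned.
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | 0x001, IMAGE_REL_BASED_ABSOLUTE]
    reloc = struct.pack("<II", 0x1000, 8 + 2 * len(entries)) + b"".join(struct.pack("<H", e) for e in entries)
    return image, reloc


def operand_at(image: bytearray, rva: int = 0x1001) -> int:
    """Read back the absolute address operand of the mov instruction."""
    return struct.unpack_from("<I", image, rva)[0]


def load_two_dlls(preferred: int = 0x10000000):
    """Play loader: DLL A gets its preferred base, DLL B collides and is rebased 64K higher."""
    a_img, a_reloc = build_sample_dll(preferred)
    b_img, b_reloc = build_sample_dll(preferred)
    a_base, b_base = preferred, preferred + 0x10000     # image bases are 64K-granular
    a_fixups = rebase_image(a_img, a_reloc, preferred, a_base)
    b_fixups = rebase_image(b_img, b_reloc, preferred, b_base)
    return {
        "a_fixups": a_fixups, "a_operand": operand_at(a_img),
        "b_fixups": b_fixups, "b_operand": operand_at(b_img),
    }


def load_stripped_dll_away_from_base(preferred: int = 0x10000000) -> bool:
    """True if the loader had to refuse: no relocations, not at the preferred base."""
    img, reloc = build_sample_dll(preferred)
    try:
        rebase_image(img, reloc, preferred, preferred + 0x10000, relocs_stripped=True)
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    r = load_two_dlls()
    print(f"A: {r['a_fixups']} fixups, operand 0x{r['a_operand']:X}")
    print(f"B: {r['b_fixups']} fixups, operand 0x{r['b_operand']:X}")
    print("stripped DLL refused:", load_stripped_dll_away_from_base())
```

The output shows why the post says this is fatal without relocation info: DLL B's operand is rewritten from 0x10003000 to 0x10013000 only because the .reloc block told the loader where the absolute address lives. Giving each DLL its own preferred ImageBase avoids the collision and the patching (and the copy-on-write page cost that comes with it) in the first place.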

Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.