flat assembler
Message board for the users of flat assembler.
Windows > image base address
f0dder 06 May 2006, 14:05
Start address can be more or less anything, it will depend on the compiler (or assembler) and the standard library used.
As for why you'd use a non-0x400000 imagebase for EXE files, no idea. For DLLs it makes good sense, though.
okasvi 06 May 2006, 14:20
f0dder wrote: As for why you'd use a non-0x400000 imagebase for EXE files, no idea. For DLLs it makes good sense, though.

http://www.honeynet.org/scans/scan33/nico/index.html
That was pointed out to me by shism2, interesting.
_________________
When We Ride On Our Enemies
support reverse smileys |:
zhak 06 May 2006, 19:20
In "Microsoft Portable Executable and Common Object File Format Specification, Rev. 6.0" it is stated that ImageBase is a

Quote: preferred address of first byte of image when loaded into memory; must be a multiple of 64K. The default for DLLs is 0x10000000. The default for Windows CE EXEs is 0x00010000. The default for Windows NT, Windows 95, and Windows 98 is 0x00400000.

It seems that EXEs in the WINDOWS dir and its subdirs use a different ImageBase just... to be different from all the other applications. Maybe MS programmers just do not want these standard win32 executables to share the same address space with other apps... to decrease loading time, for example, or whatever else, who knows...
vbVeryBeginner 06 May 2006, 19:57
Thanks f0dder, okasvi & zhak for the clarification.
I recalled from some of the documents I read that each (program/PE file) in win32 has its own 4GB of memory, so how the Quote:
I feel confused about how Windows OS actually manages the memory. I don't have the big picture yet.
f0dder 07 May 2006, 09:28
okasvi: that article is an interesting read, but "this simple modification will confuse some Reverse Engineers" is a bit weak
vbVeryBeginner: each program doesn't have its own 4GB of memory, but it has its own address space (which on standard configurations is 2GB "shared" for kernel, and 2GB private for each process). It's done by the use of x86 protected mode paging, and giving each process its own pagetables.
zhak 07 May 2006, 11:09
Read about protected mode memory management in "IA-32 Intel® Architecture Software Developer’s Manual, volume 3". There you'll find the complete description of how paging and segmentation work.
Ancient One 22 May 2006, 08:26
Or specifically, read "inside Windows" kind of books... btw start address will never be the same as image base. Image base is the start of your exe "file" (or image) in memory while start address (or entrypoint) is where code execution starts.
We need different image bases for DLLs because we can load many DLLs inside 1 process and if their image bases are the same, they will be relocated to a different address. This is fatal for DLLs which don't have relocation info since absolute addresses inside the DLL are no longer correct. Relocations for an exe are generally not needed because it is the first to be loaded inside the process address space (other than kernel32.dll).
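An added example (not from the thread's participants or the flat assembler project) that reads the header fields discussed above: ImageBase, the entry point as an RVA relative to it, the 64K alignment rule from the quoted specification, and whether the file carries base relocations. The `sample_pe32` helper and the values passed to it are constructed for illustration.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001  # COFF Characteristics flag
IMAGE_FILE_DLL = 0x2000              # COFF Characteristics flag
BASERELOC_DIR = 5                    # index of the base relocation data directory

def inspect_pe(data: bytes) -> dict:
    """Read ImageBase, entry point and relocation state from PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    characteristics, = struct.unpack_from("<H", data, pe_off + 22)
    opt = pe_off + 24                                        # optional header start
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:      # PE32: 32-bit ImageBase at +28, directories at +96
        image_base, = struct.unpack_from("<I", data, opt + 28)
        dirs = opt + 96
    elif magic == 0x20B:    # PE32+: 64-bit ImageBase at +24, directories at +112
        image_base, = struct.unpack_from("<Q", data, opt + 24)
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    n_dirs, = struct.unpack_from("<I", data, dirs - 4)       # NumberOfRvaAndSizes
    reloc_size = 0
    if n_dirs > BASERELOC_DIR:
        _, reloc_size = struct.unpack_from("<II", data, dirs + 8 * BASERELOC_DIR)
    stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "image_base": image_base,
        "entry_va": image_base + entry_rva,   # entry point is an RVA off ImageBase
        "aligned_64k": image_base % 0x10000 == 0,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "can_rebase": not stripped and reloc_size > 0,
    }

def sample_pe32(image_base, entry_rva, characteristics, reloc_size):
    """Constructed minimal PE32 header (headers only, no sections)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * BASERELOC_DIR, 0x3000, reloc_size)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

To inspect a real file, pass its first few kilobytes, for example `inspect_pe(open(path, "rb").read(4096))`.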
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.