I want to find memory addresses that an exe file uses. I have the exe file and I want to have a list of addresses that it uses.

This must be done statically and without running the executable itself. Can anybody help me please?

Also, if you know a dynamic way to do it please tell me.

knx
Iman Kianrostami
  • That's not going to work in general - it might do something arbitrarily weird and then use that as an address (e.g. calculate a pre-image of a hash), or it could do something that may or may not halt and then use some random address. See the Halting Problem. – harold May 10 '13 at 09:13
  • I just want to find out what addresses a program uses and then use those addresses in something else. It's a project for my professor. – Iman Kianrostami Jul 19 '13 at 05:58

1 Answer

You must look into the exe header. There is a list of addresses that the loader must adapt relative to the base address when an executable is run. This is called a relocation table. When you look into the exe via a disassembler like IDA you can assume a load address or the exe can specify it.

Normally addresses are relative, so even if you find an address once, it's not guaranteed that it will always be in that same place. If a program is written or compiled with position independent code, then it doesn't rely on any absolute address.

Just for disassembling you can look at tools like IDA or similar.

River
Devolus
  • Thanks for your answer. You mean all addresses that a program uses are in the relocation table? But what if the program uses absolute addresses, not relative? – Iman Kianrostami Jul 19 '13 at 05:56
  • The relocation table only contains addresses which must be relocated. If a program uses absolute addresses, I don't think there are entries, because there is no need for it. There is an entry which specifies the base address though, but of course if the program accesses other addresses like devices or such, I don't think that there will be entries found anywhere. – Devolus Jul 19 '13 at 06:57
  • So how can I then find out which addresses the program uses in general? – Iman Kianrostami Jul 19 '13 at 13:02
  • Using a disassembler like IDA. And/or looking into the executable header, because all the relevant information is there, but only what is required for the operating system to know. Everything else must be reverse engineered. – Devolus Jul 20 '13 at 09:50
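
The relocation table described in the answer above can be read statically from the PE headers. This is an added example, not code from the original thread: the names `relocation_targets` and `build_sample` are made up here, and the sample image is constructed inline (headers plus one `.reloc` block, no real code). It handles both PE32 and PE32+ headers.

```python
import struct

def relocation_targets(pe):
    """Return (preferred ImageBase, RVAs the loader patches when it rebases the image)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    nsec, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    opt = e_lfanew + 24
    plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B      # PE32+ (64-bit)?
    image_base = struct.unpack_from("<Q" if plus else "<I", pe, opt + (24 if plus else 28))[0]
    dirs = opt + (112 if plus else 96)                        # data directory array
    ndirs = struct.unpack_from("<I", pe, dirs - 4)[0]         # NumberOfRvaAndSizes
    reloc_rva, reloc_size = struct.unpack_from("<II", pe, dirs + 5 * 8)  # entry 5
    if ndirs <= 5 or reloc_size == 0:                         # image has no relocation table
        return image_base, []
    for i in range(nsec):                                     # map the RVA to a file offset
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        if vaddr <= reloc_rva < vaddr + max(vsize, raw_size):
            pos = raw_ptr + (reloc_rva - vaddr)
            break
    else:
        raise ValueError("relocation directory is outside every section")
    targets, end = [], pos + reloc_size
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", pe, pos)
        if block_size < 8:
            break                                             # malformed block, stop
        for (entry,) in struct.iter_unpack("<H", pe[pos + 8:pos + block_size]):
            if entry >> 12:                                   # type 0 is alignment padding
                targets.append(page_rva + (entry & 0xFFF))
        pos += block_size
    return image_base, sorted(targets)

def build_sample():
    """Constructed minimal PE32 image: headers plus one .reloc block, no real code."""
    pe = bytearray(0x400)
    pe[:2], pe[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x40)                    # e_lfanew
    struct.pack_into("<HH12xH", pe, 0x44, 0x14C, 1, 224)      # i386, 1 section, opt. header size
    struct.pack_into("<H", pe, 0x58, 0x10B)                   # PE32 magic
    struct.pack_into("<I", pe, 0x58 + 28, 0x400000)           # ImageBase
    struct.pack_into("<I", pe, 0x58 + 92, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", pe, 0x58 + 96 + 40, 0x1000, 16)   # base relocation directory
    struct.pack_into("<8sIIII", pe, 0x138, b".reloc", 16, 0x1000, 0x200, 0x200)
    struct.pack_into("<II4H", pe, 0x200, 0x2000, 16, 0x3010, 0x3024, 0x3ABC, 0)
    return bytes(pe)
```

Adding the returned ImageBase to each RVA gives the locations at the preferred load address. The list covers only what the loader must patch, so it is a lower bound on the addresses the program touches.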