
The default entry point for most application processes is usually 0x401000.

Is there any way we could shift or change the entry point of a process? For example, if I wanted to change the entry point to 0x901000 externally using a DLL (assuming that the process loaded the DLL via C++)?

I'm trying to create a DLL to edit the process's default entry point.

Wei Chen

  • I don't see how you can possibly do it in a DLL. By the time your DLL is loaded the process exists and the entry point address is fixed. What are you really trying to achieve? – Alan Stokes Apr 20 '14 at 21:51

2 Answers


On Windows, the default load address for EXEs is 0x400000 - so that's where that part of 0x401000 comes from.

The 0x1000 component is the offset into the image in memory where (usually) the text segment that holds the bulk of the code starts. That's where this particular program's entry point is.

That offset is a field in the PE header, as is indeed the default load address of 0x400000. Both can be changed, but be aware that for EXEs, relocation information is often stripped: Since the default load address is always guaranteed to be free when a new process is first created, relocation information is often assumed to not be needed for EXEs.

If that is the case for your EXE then you can't change the load address without doing major surgery to the image to manually identify and fix up any references that are relative to the assumed 0x400000 load address used during compilation/linking.

  • Thanks for the reply! With regards to "If that is the case for your EXE then you can't change the load address without doing major surgery to the image to manually identify and fix up any references that are relative to the assumed 0x400000 load address used during compilation/linking.", is there any way we can do it externally, and presuming the default EP is 0x400000, and I want to shift it to 0x900000 (+0x500000), is there a way to allow all the affecting codes/references to add (0x500000) all at once via DLL? – Wei Chen Apr 20 '14 at 20:33
  • Is it the case that you have an EXE for which you don't have source, that you wish to do this for and relocations have been stripped? – 500 - Internal Server Error Apr 20 '14 at 20:53
  • Yes I don't have source for the EXE. However I'm trying to relocate the entry point for that target's process. – Wei Chen Apr 20 '14 at 21:10
  • If your EXE has fixups, the EditBin utility that comes with Visual Studio can do it for you. See [this question](http://stackoverflow.com/questions/10114492/whats-the-replacement-for-rebase-exe). If it doesn't then it's going to be difficult to do it reliably. You will have to disassemble the code and hope that any references in the 0x401000 to 0x400000+code length range are indeed image references that need to be adjusted and not just unrelated constants that happen to be in that range. – 500 - Internal Server Error Apr 20 '14 at 22:12
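The two header facts this answer and its comments turn on, the ImageBase/AddressOfEntryPoint fields and whether the EXE still carries base relocations, can be read straight from the PE headers. The following is an added Python example, not code from the original answer or its author; it parses constructed, minimal PE32 headers (no sections or code, built inline for offline testing) using the documented IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER offsets, and it also handles the PE32+ layout, which the page does not discuss.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # IMAGE_FILE_HEADER.Characteristics flag
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5   # index of the .reloc data directory
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def pe_base_info(data: bytes) -> dict:
    """Read ImageBase, AddressOfEntryPoint and relocation status from PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]  # last FILE_HEADER field
    opt = e_lfanew + 24                     # start of IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == PE32_MAGIC:                 # 32-bit layout
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dirs = opt + 96
    elif magic == PE32PLUS_MAGIC:           # 64-bit layout: 8-byte ImageBase, no BaseOfData
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    count = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
    reloc_size = 0
    if count > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        reloc_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)[1]
    # Either the linker flag or an empty .reloc directory means the image cannot be rebased safely
    stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED) or reloc_size == 0
    return {"image_base": image_base, "entry_rva": entry_rva,
            "entry_va": image_base + entry_rva, "relocs_stripped": stripped}

def build_sample_pe32(image_base, entry_rva, characteristics, reloc_size):
    """Constructed, minimal PE32 header (no sections or code) for offline testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, characteristics)
    opt = struct.pack("<HBBIIIIIII", PE32_MAGIC, 14, 0, 0x1000, 0, 0,
                      entry_rva, 0x1000, 0x2000, image_base)
    opt += b"\0" * 60 + struct.pack("<I", 16)                   # pad up to NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC] = (0x3000 if reloc_size else 0, reloc_size)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    return dos + b"PE\0\0" + file_hdr + opt

if __name__ == "__main__":
    for name, data in [("with .reloc", build_sample_pe32(0x400000, 0x1000, 0x0102, 0x40)),
                       ("relocs stripped", build_sample_pe32(0x400000, 0x1000, 0x0103, 0))]:
        print(name, {k: hex(v) if type(v) is int else v for k, v in pe_base_info(data).items()})
```

Run against a real file with `pe_base_info(open(path, "rb").read())`; a `relocs_stripped` result of True is the case the answer warns about, where changing ImageBase would require fixing up absolute references by hand.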

Yes, you can change ImageBase in the Optional Header of the Portable Executable, if your linker allows this. Most linkers set ImageBase=0x10000 when linking an executable and 0x400000 when linking a DLL. However, this number is chosen arbitrarily (I guess because it is easy to remember and looks good in debuggers) and it may be disobeyed by the loader if the memory is already occupied. See http://msdn.microsoft.com/en-us/library/ms809762.aspx, Table 3, paragraph IMAGE_OPTIONAL_HEADER.ImageBase:

When the linker creates an executable, it assumes that the file will be memory-mapped to a specific location in memory. That address is stored in this field, assuming a load address allows linker optimizations to take place. If the file really is memory-mapped to that address by the loader, the code doesn't need any patching before it can be run. In executables produced for Windows NT, the default image base is 0x10000. For DLLs, the default is 0x400000. In Windows 95, the address 0x10000 can't be used to load 32-bit EXEs because it lies within a linear address region shared by all processes. Because of this, Microsoft has changed the default base address for Win32 executables to 0x400000. Older programs that were linked assuming a base address of 0x10000 will take longer to load under Windows 95 because the loader needs to apply the base relocations.

vitsoft
  • Thanks for the reply! Hmm, I've roughly gotten what you meant, however I apologize for not explaining in detail (I've edited my 1st question), is there any way to do it externally via DLL (coded in C++)? – Wei Chen Apr 20 '14 at 20:32