VA and memory addresses

Question

This should be a simple question: I know that VA = RVA + imagebase for a PE, now I'm trying to locate in a disassembler a string and happens to be located at 0042720E in the .text section.

The imagebase is 400000 and 2720E is the RVA, it is okay till now.

But why when I load the exe in a debugger the memory where the instruction is mapped is 0140720E ?

0140720E (what I see in ram) and 0042720E (the VA) differs by FE0000, why is that? Am I missing something?

@Paul : Does that particular .exe contain a base relocation table? — ildjarn, Apr 25 '11 at 17:12
You won't believe that but it's a hello world app built with visual studio 2010. Anyway yes, there is a relocation directory — Marco A., Apr 25 '11 at 17:33
Assuming you're using VS to debug, check the image's base address in Debug -> Windows -> Modules. By default, Address Space Layout Randomization is enabled for PEs built in Visual Studio. — Peter Huene, Apr 25 '11 at 19:53

score 4 · Accepted Answer · answered Apr 25 '11 at 19:01

4

There are really only two possibilities: a reallocation occured or you got the RVA wrong. The more likely is its a reallocation, especially if your running on windows vista or windows 7 due to ASLR. Depending on how you attached and what debugger your using, its possible to get the debugger to adjust the reported addresses to match the base section load addresses specified in the PE, ollydbg is one of these (you must start the app through ollydbg, same for dlls)

answered Apr 25 '11 at 19:01

Necrolis

25,836
3
63
101

Is that valid for VS debugger too? The address seems the same – Marco A. Apr 25 '11 at 19:45
@Paul: No, the VS debugger does not do any such translation; it reports the VAs as is. If ASLR is in play, then the Modules window should display the actual base address the module loaded at and from there you can apply the RVA. – Peter Huene Apr 25 '11 at 20:00
Yes, it indeed displays an address which added to the RVA gives exactly the instruction address. So what's that address? An imagebase+somethingrandom ? – Marco A. Apr 25 '11 at 21:17
1

@Paul: It's simply the location in virtual memory where the operating system loader decided to map the module. When the module opts-in to ASLR and it is loaded on an ASLR-enabled version of Windows (Vista+), then the loader will ignore the preferred base address (ImageBase in the PE's optional header) and instead pick a different location. I'm not sure if the exact process by which Windows decides the new location is documented; I'd have to Google. – Peter Huene Apr 25 '11 at 21:39

VA and memory addresses

1 Answers1