
To clarify, my specific confusion is centered around the fact that all instructions in a PE executable are written assuming the base image address is 00400000. However, when debugging an executable, the addresses used adapt to whatever base image address is decided at runtime.

I have opened a simple process at a base image different from the default: [image: Process base image address]. I then ran a debugger and took note of the call of a simple function: [image: SimpleFunctionCall]. The call is to a pointer that has a B0F4 offset from the base image address (930000 + B0F4), the B0F4 pointer being the IAT to the DLL containing the function being used: [image: IATPointer]

My confusion is: how is the instruction calling that particular address, which uses 930000 as a base address, when this base address is decided at runtime?

When looking at that same instruction inside the PE file, the same call is made, but the default address is used: [image: InstructionInFile]. The B0F4 offset is applied to 00400000.

How does Windows do this? Is there a hardware solution to this, some sort of instruction that decides that all further instructions operate with an offset? Or, as ridiculous as that sounds, does the OS somehow identify all addresses used and change them based on the new image base?

  • Yes, the OS does identify and fix all the instructions. There is metadata in your executable for this, called relocation entries. See also the [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#the-reloc-section-image-only) – Jester Jun 02 '21 at 18:48
  • Thank you! I understand, I have read the docs and checked the .reloc section for the above examples and it all checks out. Damn, that seemed like a crazy solution to me prior to this, but I suppose it's what you have to do. – Horace Jun 03 '21 at 04:25
  • If you want to, could you write the same thing as an answer, so I can mark you as having answered the question? – Horace Jun 03 '21 at 04:28
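The mechanism Jester's comment points at, shown as an added worked example that is not part of the question or its comments: a small Python parser for the `.reloc` section (IMAGE_BASE_RELOCATION blocks of page RVA, SizeOfBlock, and 16-bit type/offset entries) and the loader-side fixup loop that adds `actual_base - preferred_base` to every absolute address those entries point at. The sample image and its `.reloc` blob are constructed in memory rather than read from a real file; the bases (00400000 and 930000) and the IAT slot RVA (B0F4) are the numbers from the question. It goes slightly beyond the question's 32-bit case by also handling DIR64 entries; a real image uses one width or the other, and mixing them in one sample here is purely for illustration.

```python
import struct

# Base relocation types from the PE spec (IMAGE_REL_BASED_*)
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address (PE32)
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address (PE32+)

# Values taken from the question: link-time ImageBase, the base the loader
# actually chose, and the RVA of the IAT slot the call goes through.
PREFERRED_BASE = 0x00400000
RUNTIME_BASE = 0x00930000
IAT_SLOT_RVA = 0xB0F4


def parse_reloc_section(reloc):
    """Walk the IMAGE_BASE_RELOCATION blocks of a .reloc section.

    Each block is a DWORD page RVA, a DWORD SizeOfBlock (header included),
    then (SizeOfBlock - 8) / 2 WORD entries: type in the top 4 bits, offset
    within the 4 KiB page in the low 12 bits.
    Returns [(page_rva, [(type, offset), ...]), ...].
    """
    blocks = []
    pos = 0
    while pos + 8 <= len(reloc):
        page_rva, size = struct.unpack_from("<II", reloc, pos)
        if size < 8 or pos + size > len(reloc):
            raise ValueError("malformed relocation block at offset 0x%x" % pos)
        count = (size - 8) // 2
        words = struct.unpack_from("<%dH" % count, reloc, pos + 8)
        blocks.append((page_rva, [(w >> 12, w & 0xFFF) for w in words]))
        pos += size
    return blocks


def apply_relocations(image, reloc, preferred_base, actual_base):
    """Add (actual_base - preferred_base) to every absolute address the
    .reloc section points at. `image` is a bytearray laid out by RVA.
    Returns the number of fixups applied."""
    delta = actual_base - preferred_base
    if delta == 0:
        return 0                      # loaded at ImageBase: nothing to patch
    applied = 0
    for page_rva, entries in parse_reloc_section(reloc):
        for typ, off in entries:
            rva = page_rva + off
            if typ == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if typ == IMAGE_REL_BASED_HIGHLOW:
                fmt, mask = "<I", 0xFFFFFFFF
            elif typ == IMAGE_REL_BASED_DIR64:
                fmt, mask = "<Q", 0xFFFFFFFFFFFFFFFF
            else:
                raise ValueError("unsupported relocation type %d" % typ)
            width = struct.calcsize(fmt)
            if rva + width > len(image):
                raise ValueError("relocation at RVA 0x%x outside image" % rva)
            (value,) = struct.unpack_from(fmt, image, rva)
            # masking keeps the result in range when delta is negative
            struct.pack_into(fmt, image, rva, (value + delta) & mask)
            applied += 1
    return applied


def build_sample_image():
    """Constructed sample, not a real PE: three 4 KiB pages plus a .reloc blob."""
    image = bytearray(0x3000)
    # call dword ptr [0x0040B0F4] encodes as FF 15 <imm32>; placed at RVA 0x1010,
    # so the absolute address sits at RVA 0x1012 and needs a HIGHLOW fixup.
    struct.pack_into("<2sI", image, 0x1010, b"\xff\x15", PREFERRED_BASE + IAT_SLOT_RVA)
    # A 64-bit absolute pointer at RVA 0x2008 (what a PE32+ image would carry).
    struct.pack_into("<Q", image, 0x2008, PREFERRED_BASE + 0x1234)
    # One block per page; the trailing ABSOLUTE entry pads each block to a
    # multiple of 4 bytes, as linkers emit.
    block1 = struct.pack("<IIHH", 0x1000, 12, (IMAGE_REL_BASED_HIGHLOW << 12) | 0x012, 0)
    block2 = struct.pack("<IIHH", 0x2000, 12, (IMAGE_REL_BASED_DIR64 << 12) | 0x008, 0)
    return image, block1 + block2


def relocate_sample(actual_base=RUNTIME_BASE):
    """Relocate the sample image; return (fixups, call operand, 64-bit pointer)."""
    image, reloc = build_sample_image()
    fixups = apply_relocations(image, reloc, PREFERRED_BASE, actual_base)
    (call_target,) = struct.unpack_from("<I", image, 0x1012)
    (ptr64,) = struct.unpack_from("<Q", image, 0x2008)
    return fixups, call_target, ptr64


if __name__ == "__main__":
    fixups, target, ptr = relocate_sample()
    print("applied %d fixups; call now goes through 0x%08X, pointer now 0x%X"
          % (fixups, target, ptr))
```

Running it reproduces what the debugger showed in the question: the operand of the `call` is `0040B0F4` in the file and becomes `0093B0F4` once the image is loaded at 930000. Note that the loader only touches the bytes the `.reloc` entries name, which is why the opcode bytes `FF 15` are untouched and why an image loaded at its preferred base needs no fixups at all.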
