1

Say two processes are using Kernel32.dll, does Windows map the DLLs to the same virtual address space in both processes? If not, how does paging mechanism end up using the same physical address where the DLL is in fact loaded for both processes? I tried finding this info in the windows internals book but didn't find anything

  • 1
    *If not, how does paging mechanism end up using the same physical address where the dll is in fact loaded for both processes?* You mean because 32-bit code using absolute (virtual) addresses would need runtime fixups (text relocations) to match whatever virtual address it was running from in each specific process, so the machine code couldn't be the same? That's possible if the DLL isn't fully position-independent, which I think Windows code tends not to be (instead only relocatable via metadata to apply fixups), especially in 32-bit mode. – Peter Cordes Mar 20 '22 at 04:41
  • 1
    It is of course trivial for two separate page-tables to point different virtual pages to a shared physical page. Even within one process, it's possible to map the same file twice, to two separate virtual addresses. Remember, paging is a mapping from virtual to physical, not the other way around. – Peter Cordes Mar 20 '22 at 04:43
  • 3
    It will use the same physical pages for read-only data while modified data (e.g. relocation fixup) is handled via copy-on-write. – Luke Mar 20 '22 at 08:24

1 Answers1

5

TL;DR: No, it might be loaded somewhere else in another process.

Ntdll and Kernel32 are special and always load at the same address so it is better to focus on something else, Shell32 for example.

A dll has what is known as a preferred base address and this is stored in the PE header (ImageBase). The loader will first attempt to load the dll at this address. If that address range is free then loading will succeed with no extra work required.

If the address is not free then the loader has to load it somewhere else. Loading at a different address usually requires relocation information and if this was removed during linking (/FIXED) then loading will fail! If there was space somewhere else to load the dll, the loader will use the relocation information to patch the given locations in the dll with the new base address. Because dlls are loaded as copy-on-write, this will cause extra memory usage compared to loading at the preferred address since each memory page that needed a patch is now a private copy in the process. This means that the answer to your question is no, a dll might not load at the same address in a different process if that process already has something else loaded there.

So far I have only talked about the loader. The loader is implemented in Ntdll as normal usermode code and is not involved with how a file mapped into memory actually works. Memory mapped files (known as Sections internally in NT) is a co-operation between the operating system kernel and the CPU hardware. This is a whole topic in of itself but the important thing to know is that physical memory and the page/swap file mechanism is completely disconnected from how a usermode process accesses its virtual memory pages. The kernel can map a physical memory page to zero, one, or multiple places in a processes virtual memory and the CPU will automatically translate when a virtual page is accessed by the process.

As a final note, ASLR does complicate things a little bit but the "offset" only changes on reboot and should not have an impact on this specific question in current implementations. In theory Windows could change this in the future and always load things at different addresses in different processes but this is unlikely to happen because of the copy-on-write downsides.

Anders
  • 97,548
  • 12
  • 110
  • 164
  • 1
    *preferred base address and this is stored in the PE header (ImageBase).* this was before ASLR. now in kernel, when section on image created, system select new random preferred base address and just relocate image for this base. then it try load dll in processes at this preferred address. so almost the same, but preferred base address now not from PE but random – RbMm Mar 20 '22 at 12:47
  • 1
    The dll still has a preferred address which does not require any relocations, it is just that ASLR means the system ignores this request but also tries its best to minimize the impact of ASLR. A exe without relocations will not have ASLR applied to that image, it will load at the address specified by the PE. – Anders Mar 20 '22 at 14:07
  • If [PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON](https://learn.microsoft.com/en-us/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies) is enabled, it will not load PE images without relocations. – ssbssa Mar 21 '22 at 11:39