After rebasing the main program very high up in its own image base.

How do I guarantee that the DLL that gets loaded will load at 0x400000?

HMODULE dllImageBase = LoadLibrary(TEXT("test.dll"));   /* the HMODULE is the DLL's load address */
printf("imagebase = 0x%p\n", (void *)dllImageBase);

I always get 0x460000 instead of 0x400000.

I need my DLL's first instruction to start at 0x401000; it used to start at 0x600000 before rebasing.

The linker command to rebase is:

#pragma comment( linker, "/BASE:8000000") 

So 0x400000 is actually free right now, yet it doesn't use it by default. Is there any way I can control where it should relocate? Some Win32 API maybe?

SSpoke
  • How do you know `0x400000` is free? Some other DLL might be there. – Seth Carnegie Sep 11 '11 at 18:08
  • I looked at the memory map and my program's .code/PE header starts at `0x8000000`, and before it is `0x3300000`, which is just sortbls.nls, and it just keeps getting lower and lower; nothing really is using `0x4000000`. But what you are saying is that somewhere in the future it will break by some freak accident, yeah? That's if I figure out how to set it to 0x4000000. Then again, if I somehow figure out how to control this they will never load there again – SSpoke Sep 11 '11 at 18:13
  • I'm not aware of any way to control that. If your code depends on a particular DLL living at a particular address, it's broken. Simple as that (e.g., x64 Windows specifically attempts to randomize the addresses at which various DLLs are loaded as a security measure). – Jerry Coffin Sep 11 '11 at 18:29
  • You need your DLL to load at a specific address. What could you be writing with that requirement? – David Heffernan Sep 11 '11 at 20:04
  • I'm trying to load an EXE which I renamed to .dll, and I need it to load at the same image base so all the dynamic calculations of other functions get done properly from the same OEP, which has to match. – SSpoke Aug 18 '13 at 03:58

2 Answers

You are going to have to disable Address Space Layout Randomization to get the DLL loaded where you want it. It is a feature designed to stop you from doing what you are trying to do. See the /DYNAMICBASE linker option. Loading at 0x400000 worked when I tried it.

Hans Passant
  • lol, `warning LNK4044: unrecognized option "DYNAMICBASE:NO"; ignored`. I'm guessing my compiler is outdated – SSpoke Sep 11 '11 at 18:41
Never rely on a DLL loading at a specific base. If you could force DLLs to load at a specific base then you are opening a potential security hole.

If you have a map file you know what the offset of a given function is. Therefore you can use GetProcAddress to work out what the base address of the DLL is. This is a far safer way to work even if it means that updating your DLL breaks the code loading the DLL.

Goz
  • The assembly code uses math to generate the next call offset, which is hardcoded into that specific base address. I know it's pretty odd to see this, but it was never supposed to be called as a DLL function in the first place – SSpoke Sep 11 '11 at 18:38
  • @SSpoke: Well, if you can't work out the base address using a trick like I suggest above then you have no choice but to use Hans Passant's solution. Just bear in mind that nothing guarantees that a later version of Windows won't break your code, though. A different solution is definitely the best way forward. I'm not at all sure what exactly you are trying to do, though; it sounds to me like you could use any base address you choose. – Goz Sep 11 '11 at 18:41
  • I wish that too, Goz, but I am reverse engineering a huge program with 128 functions. The best solution would be to convert all that assembly to C code or at least inline it, but I want a lazy way out for now, so I converted the EXE to a DLL, removed its main() and replaced it with a DllMain so it can successfully load as a DLL now – SSpoke Sep 11 '11 at 18:45
  • I agree with Goz, any other DLL could take this memory and you won't be able to control where your DLL is loaded. – seva titov Sep 11 '11 at 19:36
  • Bear in mind that this is not a good long-term strategy, since it is dependent on many things that can change at any time. Make sure your customers understand this. – Raymond Chen Sep 11 '11 at 21:37
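As an added example (not code from either answer or from the asker's project), the C below pulls together what both answers rely on: it reads the PE32 optional-header fields that decide where a DLL lands (the preferred ImageBase set by /BASE, the entry-point RVA, and the DllCharacteristics bit that /DYNAMICBASE sets, so you can tell whether a module even opts into ASLR), recovers the actual load base from an exported function's address minus its map-file RVA as Goz suggests, and translates an address hardcoded for the linked base into the address valid at the actual base. The field offsets are those of the documented IMAGE_OPTIONAL_HEADER32 layout; `test.dll` is the name from the question; the sample header bytes and the 0x460000 "actual base" used off Windows are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Added example, not from the original answers. Field offsets follow the
 * documented IMAGE_OPTIONAL_HEADER32 layout (PE32 only). */
typedef struct {
    uint32_t preferred_base;   /* OptionalHeader.ImageBase (what /BASE sets)         */
    uint32_t entry_rva;        /* OptionalHeader.AddressOfEntryPoint                 */
    int      dynamic_base;     /* 1 if IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x40)  */
} pe32_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parses the headers of a PE32 image as mapped in memory (on Windows the
 * HMODULE points at exactly these bytes). Returns 1 on success, 0 otherwise. */
int pe32_parse(const uint8_t *image, size_t len, pe32_info *out) {
    if (len < 0x40 || image[0] != 'M' || image[1] != 'Z') return 0;
    uint32_t e_lfanew = rd32(image + 0x3C);
    /* need "PE\0\0" (4) + IMAGE_FILE_HEADER (20) + first 72 bytes of the optional header */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 72) return 0;
    const uint8_t *nt = image + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return 0;
    const uint8_t *opt = nt + 24;
    if (rd16(opt) != 0x10B) return 0;   /* PE32 only; PE32+ (0x20B) has a 64-bit ImageBase */
    out->entry_rva      = rd32(opt + 16);
    out->preferred_base = rd32(opt + 28);
    out->dynamic_base   = (rd16(opt + 70) & 0x0040) != 0;
    return 1;
}

/* Goz's trick: an exported function's run-time address minus its RVA from the
 * map file gives the base the loader actually chose. */
uintptr_t base_from_export(uintptr_t func_addr, uint32_t func_rva) {
    return func_addr - func_rva;
}

/* Translates an absolute address hardcoded for the linked base into the
 * address that is valid at the actual base (the asker's offset math). */
uintptr_t rebase_address(uintptr_t hardcoded, uintptr_t linked_base, uintptr_t actual_base) {
    return hardcoded - linked_base + actual_base;
}

/* Constructed sample header (not a real DLL): ImageBase 0x400000, entry RVA
 * 0x1000, and DYNAMIC_BASE set or cleared as requested. */
void build_sample_pe32(uint8_t *buf, size_t len, int dynamic_base) {
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                         /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *opt = buf + 0x40 + 24;
    opt[0] = 0x0B; opt[1] = 0x01;             /* Magic = 0x10B (PE32) */
    opt[16] = 0x00; opt[17] = 0x10;           /* AddressOfEntryPoint = 0x00001000 */
    opt[30] = 0x40;                           /* ImageBase = 0x00400000 (little endian) */
    opt[70] = dynamic_base ? 0x40 : 0x00;     /* DllCharacteristics */
}

int main(void) {
    pe32_info info;
#ifdef _WIN32
    /* Real run: the HMODULE is the image base, so parse the mapped headers in place. */
    HMODULE h = LoadLibraryA("test.dll");          /* DLL name taken from the question */
    if (!h) { printf("LoadLibrary failed: %lu\n", (unsigned long)GetLastError()); return 1; }
    if (!pe32_parse((const uint8_t *)h, 4096, &info)) { printf("not a PE32 image\n"); return 1; }
    uintptr_t actual = (uintptr_t)h;
#else
    uint8_t buf[256];
    build_sample_pe32(buf, sizeof buf, 1);
    pe32_parse(buf, sizeof buf, &info);
    uintptr_t actual = 0x460000;                   /* constructed: the base the asker observed */
#endif
    uintptr_t linked_oep = info.preferred_base + info.entry_rva;
    printf("preferred base 0x%08lx, actual base 0x%08lx, opts into ASLR: %s\n",
           (unsigned long)info.preferred_base, (unsigned long)actual,
           info.dynamic_base ? "yes" : "no");
    printf("entry point linked at 0x%08lx, now at 0x%08lx\n",
           (unsigned long)linked_oep,
           (unsigned long)rebase_address(linked_oep, info.preferred_base, actual));
    return 0;
}
```

With the constructed header the output is `preferred base 0x00400000, actual base 0x00460000, opts into ASLR: yes` followed by `entry point linked at 0x00401000, now at 0x00461000`, which is exactly the 0x401000 versus 0x460000 mismatch in the question. The `dynamic_base` flag is the defender-side check: a module with that bit clear (a /DYNAMICBASE:NO build) is the one that will always load at its preferred base when that range is free, so it is the thing to look for when auditing which DLLs in a process have opted out of ASLR.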