Initial process memory and 4 millionth byte?

Happy reading everyone,
I decided to make an .exe, aka a PE, with my own hands (it is also an executable file). More specifically, in FASM (or rather, I have already switched to TASM), I write all sorts of goodies with the help of db, rb, dw and dd so that in the end I get a fully working Shnik.exe.
But then I came across the ImageBase field and the Import section. At the same time, the articles mix in contradictory information with complete confidence: first they say that without imports there is nothing and I can't do anything, and then they say that the code needs to be loaded above the 4_000_000th byte, but if you pull a trick, 1 million will also work, since everything before that is occupied by system libraries. And at that point I got lost. Please tell me where you can start loading, what should be loaded separately through imports, and what will happen if I access the lower addresses without initializing anything there?


1 answer(s)
none7, 2016-11-26
@Ruins

The ImageBase field tells the system in which part of the process's virtual memory the executable file should be placed. Traditionally, .exe files are located at 0x400000; this does not mean that it takes 4 megabytes, it is just an address. DLLs are traditionally placed at 0x10000000; since address conflicts are quite possible for DLLs, relocs are necessarily attached to them. The location address of an .exe or .dll can, strictly speaking, be any multiple of 0x10000, but not 0, not the address of ntdll.dll, and not in kernel space. The executable file itself occupies at least 1 page (4 KB on x86) of memory + at least 1 page per section, regardless of the location of the executable file.
The claim that nothing can be done without an import table is, strictly speaking, false. You can find out through the standard addresses where the system .dlls and their exported functions are located and load everything you need through them. But without the system .dlls themselves, you can only hang or die. You need to load whatever is necessary for the application code to work; it depends entirely on the application itself. For example, for the classic HelloWorld

#include <windows.h>   /* declares MessageBoxA, ExitProcess and MB_OK */

void func() {
    MessageBoxA(NULL, "Hello", "Hello, World!", MB_OK);   /* user32.dll */
    ExitProcess(0);                                       /* kernel32.dll */
}
user32.dll:MessageBoxA and kernel32.dll:ExitProcess are needed.
If you access memory addresses without initializing them in any way, an exception will occur. If at the same time no exception handlers are configured, then the traditional window will pop up.
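Added example (editor's code, not none7's and not part of the original answer): a small PE32 reader that checks the things the answer lists. It reads ImageBase and applies the "multiple of 0x10000, not 0, not kernel space" rule, computes the page-rounded footprint of headers plus sections, and walks the import directory to list which DLL exports the file asks the loader for. Because no real Shnik.exe is on the page, the block constructs a minimal PE32 image in memory whose import table names exactly the two HelloWorld imports; that image, its section layout and the 0x80000000 user/kernel boundary (the default 32-bit split) are assumptions marked in the comments.

```python
import struct

def build_sample_pe():
    """Constructed minimal PE32 image, not a compiled binary: ImageBase 0x400000, one
    section, an import table naming only kernel32!ExitProcess and user32!MessageBoxA."""
    sect_rva, sect_raw, body = 0x1000, 0x200, bytearray()

    def put(chunk):                      # append to the section, return its RVA
        rva = sect_rva + len(body)
        body.extend(chunk)
        return rva

    k32, u32 = put(b"kernel32.dll\0"), put(b"user32.dll\0")
    exit_proc = put(b"\0\0ExitProcess\0")   # IMAGE_IMPORT_BY_NAME: 2-byte hint + name
    msgbox = put(b"\0\0MessageBoxA\0")
    body.extend(bytes(-len(body) % 4))      # 4-byte align the thunk tables
    int_k32, iat_k32 = put(struct.pack("<II", exit_proc, 0)), put(struct.pack("<II", exit_proc, 0))
    int_u32, iat_u32 = put(struct.pack("<II", msgbox, 0)), put(struct.pack("<II", msgbox, 0))
    desc = put(struct.pack("<IIIII", int_k32, 0, 0, k32, iat_k32)      # IMAGE_IMPORT_DESCRIPTORs
               + struct.pack("<IIIII", int_u32, 0, 0, u32, iat_u32) + bytes(20))
    raw_size = -(-len(body) // 0x200) * 0x200                            # FileAlignment rounding
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 0, 0, 0, raw_size, 0,
                      sect_rva, sect_rva, sect_rva, 0x400000, 0x1000, 0x200,   # ImageBase, SectionAlignment, FileAlignment
                      4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = b"".join(struct.pack("<II", desc, 60) if i == 1 else bytes(8) for i in range(16))
    sect_hdr = struct.pack("<8sIIIIIIHHI", b".text", len(body), sect_rva, raw_size, sect_raw,
                           0, 0, 0, 0, 0xC0000040)
    headers = (dos + file_hdr + opt + dirs + sect_hdr).ljust(sect_raw, b"\0")
    return headers + bytes(body).ljust(raw_size, b"\0")

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def rva_to_offset(sections, rva):
    """Translate an RVA to a file offset via the section that maps it."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def parse_pe(data):
    """Read the header fields the answer talks about plus the import table (PE32 only)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    nt = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect = struct.unpack_from("<H", data, nt + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    opt = nt + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) handled here")
    image_base, sect_align, file_align = struct.unpack_from("<III", data, opt + 28)
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append(dict(name=name.rstrip(b"\0").decode(), vsize=vsize, va=va,
                             raw_size=raw_size, raw_ptr=raw_ptr))
    info = dict(image_base=image_base, section_alignment=sect_align, file_alignment=file_align,
                size_of_headers=size_of_headers, sections=sections, imports={})
    imp_rva = dirs[1][0] if len(dirs) > 1 else 0
    if imp_rva == 0:          # legal, as the answer says, but then the code must locate DLLs itself
        return info
    off = rva_to_offset(sections, imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0 and ft == 0:   # all-zero descriptor terminates the list
            break
        thunk, names = rva_to_offset(sections, oft or ft), []
        while (entry := struct.unpack_from("<I", data, thunk)[0]) != 0:
            # high bit set = import by ordinal, else RVA of a hint/name entry (skip the 2-byte hint)
            names.append(f"#{entry & 0xFFFF}" if entry & 0x80000000
                         else _cstr(data, rva_to_offset(sections, entry) + 2))
            thunk += 4
        info["imports"][_cstr(data, rva_to_offset(sections, name_rva)).lower()] = names
        off += 20
    return info

def image_base_problems(image_base):
    """The answer's rules for a usable ImageBase. 0x80000000 is the default 32-bit
    user/kernel split (assumption; /3GB or 64-bit change it); the ntdll clash can
    only be seen at run time, so it is not checked here."""
    problems = []
    if image_base == 0:
        problems.append("ImageBase is 0")
    if image_base % 0x10000:
        problems.append("ImageBase is not a multiple of 0x10000")
    if image_base >= 0x80000000:
        problems.append("ImageBase is in kernel space")
    return problems

def mapped_footprint(info):
    """Address space the image takes once loaded: headers rounded up to SectionAlignment
    plus each section rounded up likewise, i.e. at least one page each, as the answer says."""
    a = info["section_alignment"]
    up = lambda n: -(-n // a) * a
    return up(info["size_of_headers"]) + sum(up(max(s["vsize"], s["raw_size"])) for s in info["sections"])

if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"ImageBase {info['image_base']:#x}, problems: {image_base_problems(info['image_base'])}")
    print(f"mapped footprint {mapped_footprint(info):#x} bytes; imports: {info['imports']}")
```

Running the block prints the sample's ImageBase 0x400000 with no problems, a mapped footprint of 0x2000 bytes (one page of headers plus one page for the single section), and the two imports the answer names. Pointing parse_pe at a real 32-bit .exe read from disk gives the same report for it, which is a quick way to confirm what a hand-assembled file actually asks the loader for before running it.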
