How does a PE file get into memory?

So, I have been studying PE format for the last couple of days, and I still have some questions.

  • Is the data section in the process memory shared or is the program reading it from disk?

  • If it falls into its memory, how can a process get a section offset? (And other sections)

  • Is there a way to get the entry point of a process that has already been mapped into memory without touching the file on disk?

+3
3 answers

Is the data section in the process memory shared?

Yes. It is unlikely to survive that way for very long, though: the program can write to this section, which triggers a copy-on-write of the page, and the copy is backed by the page file, not by the PE file.

how can a process get a section offset?

The compiler has already calculated the variable offsets within the section. It can be relocated, which is common for DLLs with an inconvenient base address that is already in use when the DLL is loaded. In this case, the loader uses the relocation table in the PE file to correct the addresses in the code. Pages containing such corrected code get the same treatment as the data section: they are no longer backed by the PE file and cannot be shared between processes.

Is there any way to get the process entry point

The entire PE file goes into memory, including its headers. Therefore, you can read IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint from memory without reading the file. Keep in mind that it is painful if you do it for another process, since you do not have direct access to its virtual address space. You would have to use ReadProcessMemory(), which is not much fun and is unlikely to be faster than reading the file. The file is most likely present in the file system cache anyway. Address space layout randomization, a feature designed to make this difficult, can also give you a headache.

+5

Is the data section in the process memory shared or is the program reading it from disk?

It is mapped into the process memory.

If it falls into its memory, how can a process get a section offset? (And other sections)

Using a relocation table: each reference to a global object (data or function) from executable code that uses direct addressing has an entry in this table, so that the loader can correct the code by fixing up the original offset. Please note that you can build a PE file without a relocation section, in which case all data and code sections have a fixed offset and the executable file has a fixed entry point.

Is there a way to get the entry point of a process that has already been mapped into memory without touching the file on disk?

Not sure, but if by "don't touch it" you mean that you don't even read the file, then you can figure it out by walking the stack.

+1
  • Yes, all sections described in the PE header are mapped into memory. The IMAGE_SECTION_HEADER structure tells the loader how to map each one (a section can, for example, be much larger in memory than on disk).

  • I'm not quite sure if I understand what you are asking. Do you mean how the code in the code section knows where to access the data in the data section? If the module is loaded at its preferred load address, then the addresses that were statically generated by the linker are correct; otherwise the loader fixes the addresses up using the relocation information.

  • Yes, the Windows loader also loads the PE header into memory at the base address of the module. From there you can read all the information contained in the PE header, including the entry point.

I can recommend this article for everything regarding the PE format, especially regarding relocation.

0
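The point made by all three answers, that the headers sit in memory at the module base and the entry point and section layout can be read from there, as an added example that is not part of any of the answers. It parses only a byte buffer, so on Windows the bytes could come from ReadProcessMemory() at the module base; here a constructed minimal PE32+ header set (not a real binary) stands in for that buffer so the code runs offline. The builder `build_sample_image` and the offsets it writes are assumptions made for this example.

```python
import struct
IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B   # PE32+; PE32 uses 0x10B
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5

def parse_pe_image(image: bytes) -> dict:
    """Read entry point, image base, reloc presence and section layout from headers mapped at the module base."""
    if struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]            # IMAGE_DOS_HEADER.e_lfanew
    if struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: only NumberOfSections and SizeOfOptionalHeader are needed here
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                             # IMAGE_OPTIONAL_HEADER starts here
    magic = struct.unpack_from("<H", image, opt)[0]
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]       # AddressOfEntryPoint (same offset in PE32/PE32+)
    if magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        image_base, dirs = struct.unpack_from("<Q", image, opt + 24)[0], opt + 112
    else:
        image_base, dirs = struct.unpack_from("<I", image, opt + 28)[0], opt + 96
    _, reloc_size = struct.unpack_from("<II", image, dirs + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    sections = []
    for i in range(nsec):                                          # IMAGE_SECTION_HEADER array follows the optional header
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from("<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "virtual_size": vsize,
                         "rva": va, "raw_size": rawsize, "raw_offset": rawptr})
    return {"image_base": image_base, "entry_rva": entry_rva, "entry_va": image_base + entry_rva,
            "has_relocations": reloc_size != 0, "sections": sections}   # no reloc data: fixed load address

def build_sample_image() -> bytes:
    """Constructed minimal PE32+ headers (assumed values, not a real binary), laid out as the loader maps them."""
    dos = bytearray(64)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 64)                          # NT headers directly after the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)   # x64, 2 sections, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1040)                        # AddressOfEntryPoint: RVA inside .text
    struct.pack_into("<Q", opt, 24, 0x140000000)                   # ImageBase (preferred load address)
    struct.pack_into("<I", opt, 108, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x3000, 0x10)  # .reloc directory present
    def sec(name, vsize, va, rawsize, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)
    text = sec(b".text", 0x200, 0x1000, 0x200, 0x400, 0x60000020)
    data = sec(b".data", 0x4000, 0x2000, 0x200, 0x600, 0xC0000040)   # much larger in memory than on disk
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + text + data
```

The same parser applied to a module's base address in a memory dump gives the entry point without touching the file on disk; an image whose `has_relocations` is False is one that was built without a relocation section and so has a fixed load address.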

Source: https://habr.com/ru/post/1214975/
