PE file structure (explained for five-year-olds)
References
Book: "Encryption and Decryption"
Video: the Xiaojiayu ("Small Turtle") decryption video series
Base Relocation
When the linker generates a PE file, it assumes the image will be loaded at its default ImageBase (the VC default is 00400000h for an EXE and 10000000h for a DLL), and every absolute address embedded in the code is written relative to that default base. For example, if a DLL's code contains push 10001000, the operand 10001000h is written into the file on the assumption that the DLL really will sit at 10000000h. Because every Windows process has its own virtual address space, an EXE normally gets its preferred base without conflict; a DLL, however, may find its preferred address range already occupied by another DLL (or by the EXE), and then it has to be loaded somewhere else. In that case every absolute address embedded in its code (the 10001000h in push 10001000, the address of a pointer at 10002000h used by an indirect call, and so on) has to be corrected.
That correction is base relocation. The base relocation table records the address of every location in the image that would have to change if the default base address is not used. It is normally stored in its own section, ".reloc". The RVA and size of the table are given by DataDirectory[5] (IMAGE_DIRECTORY_ENTRY_BASERELOC) in IMAGE_OPTIONAL_HEADER.
For example:
Open Demo.dll (download: HTTP://PAN.BAIDU.COM/S/1QWDEPO4) in W32Dasm:
[Figure 1: Demo.dll disassembled in W32Dasm]
Find the function mymessagebox; in its code you can see push 10006040 and push 10006030. The operand of each push is a pointer to a string.
Suppose a program loads Demo.dll but the DLL's default base address is already occupied, so it is loaded at a different base, say 20000000h: Demo.dll is then mapped starting at 20000000h. The strings "Demo" and "Hello world!" are no longer at 10006040h and 10006030h, so push 10006040 and push 10006030 have to be changed to push 20006040 and push 20006030.
The base relocation table is made up of a sequence of IMAGE_BASE_RELOCATION structures, one block for each 4 KB page of the image that contains addresses needing relocation.
[Figure 2: layout of the base relocation table]
IMAGE_BASE_RELOCATION structure:
    typedef struct _IMAGE_BASE_RELOCATION {
        DWORD VirtualAddress;
        DWORD SizeOfBlock;
    //  WORD  TypeOffset[1];
    } IMAGE_BASE_RELOCATION;
    typedef IMAGE_BASE_RELOCATION UNALIGNED * PIMAGE_BASE_RELOCATION;
VirtualAddress is the starting RVA of the page that this block describes.
SizeOfBlock is the total size of the block in bytes, header plus entries, so the TypeOffset array that follows the header has (SizeOfBlock - 8) / 2 elements. Each TypeOffset element is a 16-bit WORD: the high 4 bits are the relocation type (3, IMAGE_REL_BASED_HIGHLOW, for a full 32-bit address in a 32-bit image; 10, IMAGE_REL_BASED_DIR64, in 64-bit images; 0, IMAGE_REL_BASED_ABSOLUTE, is a padding entry that the loader skips), and the low 12 bits are the offset of the location to fix within that page, so the RVA to patch is VirtualAddress + (TypeOffset & 0FFFh).
Worked example:
Look at the first IMAGE_BASE_RELOCATION structure in Demo.dll:
[Figure 3: the first IMAGE_BASE_RELOCATION block of Demo.dll]
You can see:
VirtualAddress is 1000h
SizeOfBlock is 0164h, so the block holds (164h - 8) / 2 = 0AEh = 174 entries
TypeOffset[0] is 3033h: the high 4 bits (3) are the relocation type, the low 12 bits (033h) are the offset within the page
TypeOffset[1] is 3038h
TypeOffset[2] is 3040h
.....
Adding the low 12 bits of each entry to VirtualAddress gives the first three locations to patch: 1033h, 1038h and 1040h.
Go back to the Demo.dll code in Figure 1: RVA 1033h is where the operand 10006040h of push 10006040 is stored, and 1038h is where the operand 10006030h of push 10006030 is stored (push imm32 is 5 bytes, opcode 68h followed by the 4-byte immediate, so the two pushes sit back to back at 1032h and 1037h and their operands start one byte later).
If the DLL cannot be loaded at its default base address, the PE loader walks the relocation table and patches every location it lists.
The fix is the same for every entry: new value = original value + (actual base address - default base address). The difference is one delta for the whole image. Note that with ASLR (/DYNAMICBASE, the default in current toolchains) loading at a non-default base is the normal case rather than the exception, so an image whose relocations were stripped (/FIXED) cannot be moved at all.
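The following Python is an added worked example, not code from the original post and not a dump of Demo.dll. It serializes and parses IMAGE_BASE_RELOCATION blocks as described above and then applies the loader's fixup (old value + delta) to a constructed code page. The page is a stand-in that imitates the mymessagebox pushes: push 10006040h at RVA 1032h, push 10006030h at RVA 1037h, and, as an assumed third instruction, mov eax,[10006050h] at RVA 103Fh, so the three operands sit at 1033h, 1038h and 1040h exactly as the entries 3033h, 3038h and 3040h say. The default base 10000000h and the alternative base 20000000h are the values used in the text.

```python
import struct

# Relocation types (high 4 bits of each TypeOffset entry).
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped by the loader
IMAGE_REL_BASED_HIGHLOW = 3    # full 32-bit address (32-bit images)
IMAGE_REL_BASED_DIR64 = 10     # full 64-bit address (64-bit images)

DEFAULT_BASE = 0x10000000      # VC default ImageBase for a DLL


def build_reloc_block(virtual_address, type_offsets):
    """Serialize one IMAGE_BASE_RELOCATION block (header + WORD entries).
    An odd entry count is padded with an ABSOLUTE entry so SizeOfBlock stays
    4-byte aligned, as linkers do."""
    entries = list(type_offsets)
    if len(entries) % 2:
        entries.append(IMAGE_REL_BASED_ABSOLUTE << 12)
    size_of_block = 8 + 2 * len(entries)
    header = struct.pack("<II", virtual_address, size_of_block)
    return header + struct.pack("<%dH" % len(entries), *entries)


def parse_reloc_blocks(reloc):
    """Walk .reloc data and return [(VirtualAddress, [(type, offset), ...]), ...].
    Entry count per block is (SizeOfBlock - 8) / 2; a SizeOfBlock below 8 (or
    running past the data) is rejected instead of looping forever."""
    blocks = []
    pos = 0
    while pos + 8 <= len(reloc):
        va, size_of_block = struct.unpack_from("<II", reloc, pos)
        if size_of_block < 8 or size_of_block % 2 or pos + size_of_block > len(reloc):
            raise ValueError("malformed IMAGE_BASE_RELOCATION at offset %#x" % pos)
        count = (size_of_block - 8) // 2
        raw = struct.unpack_from("<%dH" % count, reloc, pos + 8)
        blocks.append((va, [(e >> 12, e & 0xFFF) for e in raw]))
        pos += size_of_block
    return blocks


def reloc_rvas(reloc):
    """RVA of every fixup location: VirtualAddress + low 12 bits of the entry."""
    return [va + off for va, entries in parse_reloc_blocks(reloc)
            for typ, off in entries if typ != IMAGE_REL_BASED_ABSOLUTE]


def apply_relocations(image, reloc, default_base, actual_base):
    """Patch a mapped image (bytearray indexed by RVA) in place the way the
    loader does: new = old + (actual_base - default_base). Returns the number
    of fixups applied; nothing is touched when the image sits at its default base."""
    delta = actual_base - default_base
    if delta == 0:
        return 0
    applied = 0
    for va, entries in parse_reloc_blocks(reloc):
        for typ, off in entries:
            rva = va + off
            if typ == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if typ == IMAGE_REL_BASED_HIGHLOW:
                old, = struct.unpack_from("<I", image, rva)
                struct.pack_into("<I", image, rva, (old + delta) & 0xFFFFFFFF)
            elif typ == IMAGE_REL_BASED_DIR64:
                old, = struct.unpack_from("<Q", image, rva)
                struct.pack_into("<Q", image, rva, (old + delta) & 0xFFFFFFFFFFFFFFFF)
            else:
                raise NotImplementedError("relocation type %d" % typ)
            applied += 1
    return applied


def make_demo_image():
    """Constructed stand-in for Demo.dll's code page (not the real file):
    push 10006040h at 1032h, push 10006030h at 1037h, mov eax,[10006050h] at 103Fh
    (the mov is an assumption made to have a third fixup at 1040h)."""
    image = bytearray(0x2000)
    image[0x1032:0x1037] = b"\x68" + struct.pack("<I", 0x10006040)
    image[0x1037:0x103C] = b"\x68" + struct.pack("<I", 0x10006030)
    image[0x103F:0x1044] = b"\xA1" + struct.pack("<I", 0x10006050)
    return image


# First block as read off Demo.dll: VirtualAddress 1000h, HIGHLOW entries for
# page offsets 033h, 038h and 040h (3033h, 3038h, 3040h), padded to 16 bytes.
DEMO_RELOC = build_reloc_block(0x1000, [0x3033, 0x3038, 0x3040])


def read_u32(image, rva):
    return struct.unpack_from("<I", image, rva)[0]


if __name__ == "__main__":
    img = make_demo_image()
    print([hex(r) for r in reloc_rvas(DEMO_RELOC)])          # ['0x1033', '0x1038', '0x1040']
    n = apply_relocations(img, DEMO_RELOC, DEFAULT_BASE, 0x20000000)
    print(n, hex(read_u32(img, 0x1033)), hex(read_u32(img, 0x1038)))  # 3 0x20006040 0x20006030
```

Loading "below" the default base works the same way with a negative delta (base 00400000h turns 10006040h into 00406040h), and a block whose SizeOfBlock is 0 is rejected rather than spun on, which is the check a loader or parser needs against a corrupt .reloc section.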