[win32] PE Format and loading DLLs

Heya, folks. I'm deving part of an embedded system that validates code in memory from an image on disk, and I've got a question about just what the loader does to a process' address space when loading DLLs.

Most of the research I've done refers to the Microsoft white paper on PE files: http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx and Matt Pietrek's MSDN Magazine articles, parts 1 and 2:
http://msdn.microsoft.com/msdnmag/issues/02/02/PE/default.aspx
http://msdn.microsoft.com/msdnmag/issues/02/03/PE2/default.aspx

The problem is, the documentation is pretty thin. I've had more luck looking at a few people's virus code comments than I have the actual docs. I was hoping that someone here may have worked on something similar to this before, and would be able to help, or possibly know where else to look.

Here's what I've got so far. Basically, I undo what the loader does to the address space while it applies its fixups, then do a binary compare on a section by section basis. The problem is that I'm missing some type of fixup or runtime modified code. I know about the IAT fixups and the base relocation fixups. When walking through a code section and comparing it to the image on disk, I undo what the loader did, so that the addresses compare the same. For most modules, this is all I need to do; the compare says that they are identical images. There are other times, however, when this isn't the case. Usually it's a mismatch 2 bytes off of a section boundary, such as:

Mismatch at offset 0x7002 of 2 bytes.
Mismatch at offset 0xe002 of 2 bytes.

IMHO, these look like they could definitely be RVAs that need to be fixed up, but I can find no reloc data pointing to these sections. Something is changed in the image in RAM, but I have no idea what or why. Furthermore, sometimes huge differences appear:

Mismatch at offset 0x200289c of 5 bytes.
Mismatch at offset 0x20033a8 of 11 bytes.

These do not look like RVAs to me, and they seem to be in random places.

Lastly, in the reloc section (from the IMAGE_DIRECTORY_ENTRY_BASERELOC Data Directory), I'll get undocumented fix-up types:

Unknown fix-up type (6) address 0x02005000
Unknown fix-up type (9) address 0x02008000

Type 9 is listed in WINNT.h as IMAGE_REL_BASED_IA64_IMM64. I'm not on an IA64, lol. I got one for a MIPS processor, too, in an ATI driver dll. It's possible that I'm pointing to some data that is incorrect, but I'm pretty sure that what I'm doing to walk the reloc tables is correct.

My main questions are: other than the .reloc table fixups and the IAT, what else can cause a code section to change in memory vs. what was read from disk? What would cause type/offset entries in the .reloc table to use types that aren't even for my platform, even though the executable was compiled and linked natively?

Thank you for your time in advance,
--Succinct
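A relocation-table walker for the "undo the loader" step described in the post above, as an added example that is not the poster's code: it decodes each IMAGE_BASE_RELOCATION block strictly within its SizeOfBlock, skips ABSOLUTE padding entries, subtracts the load delta from HIGHLOW targets, and counts any other type instead of applying it. The PE constants, the block layout, the sample image bytes and the reloc bytes are all defined inline (constructed, little-endian host assumed) so the example builds without windows.h.

```c
#include <stdint.h>
#include <string.h>
/* Local PE definitions so this builds without windows.h (little-endian host assumed). */
#define IMAGE_REL_BASED_ABSOLUTE 0   /* padding entry, nothing to fix up */
#define IMAGE_REL_BASED_HIGHLOW  3   /* 32-bit VA: the loader added the load delta */
typedef struct { uint32_t VirtualAddress; uint32_t SizeOfBlock; } IMAGE_BASE_RELOCATION;

/* Walk the .reloc directory and subtract delta (actual base - preferred base) from every
 * HIGHLOW target in image (bytes laid out by RVA). Every entry read is bounded by SizeOfBlock,
 * so the next block's header is never decoded as fixup entries. Returns the number of fixups
 * undone, or -1 on a malformed table; entries of other types are counted, not touched. */
int undo_base_relocs(uint8_t *image, size_t image_size, const uint8_t *reloc,
                     size_t reloc_size, uint32_t delta, int *unknown_types)
{
    size_t off = 0; int undone = 0; *unknown_types = 0;
    while (off + sizeof(IMAGE_BASE_RELOCATION) <= reloc_size) {
        IMAGE_BASE_RELOCATION hdr;
        memcpy(&hdr, reloc + off, sizeof hdr);
        if (hdr.SizeOfBlock < sizeof hdr || hdr.SizeOfBlock > reloc_size - off) return -1;
        size_t n = (hdr.SizeOfBlock - sizeof hdr) / sizeof(uint16_t);  /* WORD entries */
        for (size_t i = 0; i < n; i++) {
            uint16_t e;
            memcpy(&e, reloc + off + sizeof hdr + i * sizeof e, sizeof e);
            unsigned type = e >> 12;                           /* high 4 bits  */
            uint32_t rva = hdr.VirtualAddress + (e & 0x0FFF);  /* low 12 bits  */
            if (type == IMAGE_REL_BASED_ABSOLUTE) continue;
            if (type != IMAGE_REL_BASED_HIGHLOW) { (*unknown_types)++; continue; }
            if (rva > image_size || image_size - rva < sizeof(uint32_t)) return -1;
            uint32_t v; memcpy(&v, image + rva, sizeof v);
            v -= delta; memcpy(image + rva, &v, sizeof v);
            undone++;
        }
        off += hdr.SizeOfBlock;
    }
    return undone;
}

/* Constructed sample: one block for page 0x1000 with a HIGHLOW fixup at RVA 0x1010 plus the
 * ABSOLUTE pad that keeps SizeOfBlock 4-byte aligned; the image holds what the loader left
 * behind for a delta of 0x10000. Returns the restored value (expected 0x00401010). */
uint32_t demo_undo(int *unknown_types)
{
    uint8_t image[0x2000] = {0};
    uint32_t v = 0x00401010u + 0x10000u;
    memcpy(image + 0x1010, &v, sizeof v);
    const uint8_t reloc[12] = { 0x00,0x10,0x00,0x00, 0x0C,0x00,0x00,0x00, /* VA 0x1000, size 12 */
                                0x10,0x30, 0x00,0x00 };                  /* HIGHLOW 0x010, pad */
    if (undo_base_relocs(image, sizeof image, reloc, sizeof reloc, 0x10000u, unknown_types) != 1)
        return 0;
    memcpy(&v, image + 0x1010, sizeof v);
    return v;
}
```

On a real module, a worthwhile sanity check is that the walk ends exactly at the directory's Size and that every block's SizeOfBlock is at least 8 and a multiple of 4. Reading past a block decodes the next header's VirtualAddress as an entry whose type is that address's high nibble and whose page offset is 0, which is what bogus type values with a page-aligned address look like.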
