#1
PE Loader Questions
Hello, I have a number of questions about the PE file format, and what is considered a valid/loadable file by the OS.
Here are a few of my thoughts while coding a PE loader:
1) Is it possible that a valid executable can have overlapping sections?
2) Is it possible for a single code instruction to overflow into another section?
3) Is it possible to have executable code between two sections, and if so, what memory characteristics are given to data in such a region?
Regards!
#2
1. No.
2. Haven't seen it, but I think yes.
3. Sections must go butt-to-butt in virtual address space without gaps.
#3
1. You don't say if you're talking about raw offsets/sizes (yes, the sections can overlap that way) or virtual addresses/sizes (I don't think they can).
2. Yes.
3. Again, you should be more specific about what exactly you mean: gaps in addresses (probably not), gaps in raw data (certainly yes), uninitialized data at the end of sections (yes, those zeroes can be executed).
#4
1. Sections in the file can overlap; sections in memory cannot. But they both can have gaps.
3. To execute your code between two pages correctly you must have at least the EXECUTABLE attribute on both pages (READ_EXECUTE on Intel x86); if not, the instruction will cause an exception. So, set the EXECUTABLE flag in the section attributes for both sections and execute code anywhere you want.
#5
If I remember well (I played with this thing a long time ago), when I left an open gap between virtual sections I got punished by the winloader... are you sure about this?
#6
1. Yes.
2. Sections, yes; pages, no.
3. Whatever the protection of the section is; it is rounded up to the page size.
#7
2. Possible, if you have the section already rounded. Needs testing.
3. Between two sections where? Inside the file or in memory? To exist in memory, it must be declared as a section, because the loader maps into memory only what it finds in the section headers.
#8
1. File content can overlap, but section addresses cannot. There cannot be gaps in section addresses in Windows NT+. Only Windows 9x/Me allows gaps.
2. Yes, you can have the entire code cross lots of sections. No problem there.
3. If you mean after the end of one section and before the start of another section, then no, because there can be no gap. The characteristics for a section cover the entire section.
#9
A gap is possible when the section alignment is larger than the page size.
An example can be found here: c:\Windows\SysWOW64\ntdll.dll. Its section alignment is 0x10000 but the size of the committed header is 0x1000, so the first section starts at 0x10000 and there is a gap between 0x1000 and 0x10000. But you can't access that memory in any way, since it's not committed and you can't commit it manually. Use VMMap to see how it looks: there are no protection flags and so on...
#10
That's not a gap. We are talking about virtual addresses, like 0x1000 and then 0x3000. This is possible only in Windows 9x. On NT+, addresses must be sequential in memory.
Physical gaps are obviously possible on all of the platforms: you can have sections that contain no physical data, by setting SizeOfRawData to 0, and set the characteristics to non-readable so the region cannot be accessed, but that's not special.
#11
Why isn't it a gap? I suppose we should define what a "gap" actually is first...
As the ntdll.dll example shows, when the virtual size of a section is considered rounded up to the section alignment (0x10000 in this case), then there really isn't any gap between the addresses. But since the PE loader actually rounds the virtual size up to the page size only (0x1000) when mapping the image, there are unallocated/inaccessible blocks of memory between the sections (and it has nothing to do with the physical size, SizeOfRawData; it's all about virtual addresses and sizes). I would probably call it a gap, but yes, it's a bit special.
#12
The PE loader rounds the virtual size to the "Section Alignment" value, which is specified in the header. On NT even user-space programs can have a virtual alignment not only of 4096 bytes, but of 4 bytes, for example. The whole page is reserved in this case by the loader, and sections with different access rights must be aligned on physical page boundaries, because you cannot make the first 32 bytes just read/write, and the other 32 bytes only read/execute.
#13
No, it doesn't. Check the example given above in a debugger or VMMap.
Note that we're talking about a case when the section alignment, as specified in the PE header, is actually bigger than one page.
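The layout questions argued over in this thread (raw overlap, virtual overlap, virtual gaps that NT+ rejects, and the ntdll-style "page holes" that appear when SectionAlignment exceeds the page size) can be checked mechanically from a section table. The checker below is an added example written for this thread, not anyone's posted code; it constructs its own minimal PE32 headers as test input (they are not loadable images) and assumes a 0x1000 page size.

```python
import struct

PAGE = 0x1000  # assumed page size on x86/x64 Windows

def build_pe(sec_align, sections):
    """Construct a minimal PE32 header around a section table (test input only, not a loadable image)."""
    dos = bytearray(0x40)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)          # e_lfanew points at "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<II", opt, 32, sec_align, 0x200)                  # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, 0x200)                              # SizeOfHeaders
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, fl)
                     for n, va, vs, rp, rs, fl in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

def parse_sections(data):
    """Return (SectionAlignment, [(name, va, vsize, rawptr, rawsize, flags)]) with the headers listed first."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    sec_align, hdr_size = (struct.unpack_from("<I", data, opt + o)[0] for o in (32, 60))
    secs = [("<headers>", 0, hdr_size, 0, hdr_size, 0)]
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        secs.append((f[0].rstrip(b"\0").decode(), f[2], f[1], f[4], f[3], f[9]))
    return sec_align, secs

def check_layout(data, page=PAGE):
    """Answer the thread's questions for one image: raw overlap, VA overlap, VA gaps and page holes."""
    up = lambda x, a: (x + a - 1) // a * a                              # round x up to a multiple of a
    sec_align, secs = parse_sections(data)
    raw = [(n, rp, rp + rs) for n, _, _, rp, rs, _ in secs if rs]
    raw_overlap = sorted({a[0] for a in raw for b in raw if a[0] != b[0] and a[1] < b[2] and b[1] < a[2]})
    va_overlap, va_gaps, page_holes = [], [], []
    ordered = sorted(secs, key=lambda s: s[1])
    for (n1, va1, vs1, *_), (n2, va2, *_) in zip(ordered, ordered[1:]):
        end_aligned = va1 + up(vs1, sec_align)   # where NT+ requires the next section to begin
        end_page = va1 + up(vs1, page)           # what the loader actually commits for this section
        if va2 < end_aligned:
            va_overlap.append((n1, n2))          # VA ranges collide: never valid
        elif va2 > end_aligned:
            va_gaps.append((n1, n2, va2 - end_aligned))   # hole in the VA layout: rejected on NT+
        elif sec_align > page and va2 > end_page:
            page_holes.append((n1, n2, end_page, va2))    # contiguous by alignment, but uncommitted pages (ntdll case)
    return {"raw_overlap": raw_overlap, "va_overlap": va_overlap, "va_gaps": va_gaps, "page_holes": page_holes}
```

A clean image yields four empty lists; a 0x10000 section alignment with 0x1000 pages reports the uncommitted region between the headers and the first section, as in the ntdll.dll example.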
#14
I don't understand why they designed such a loose and bug-ridden format in the first place.
What's the point of having weird undocumented behaviour that dramatically affects compatibility and, even worse, changes across OS versions? Give this a read, if you haven't seen it already: http://reversinglabs.com/advisory/pecoff.php If that doesn't make you curl up on the floor and weep like a 5-year-old, kudos to you, good sir.