portable-executable

how to build an executable without import table in c/c++?

浪子不回头ぞ submitted on 2019-12-01 08:20:50
I found a tool to repair import table here, but how are PE executables without an import table built in the first place in C/C++?

Just don't use the CRT, and don't use any imported functions.

#pragma comment(linker, "/entry:start")
int start() { return 42; }

To use WinAPI functions, find the kernel32 base, parse its export directory and find the LoadLibrary() function (you should already have something like GetProcAddress() to find LoadLibrary()). This may look like this:

// compile as console application, "release" configuration with /MT /GS-
#include <Windows.h>
#pragma comment(linker, "/entry:start")

Size of exe file vs available memory

北战南征 submitted on 2019-12-01 05:50:23
I have gone through How does a PE file get mapped into memory?, this is not what I am asking for. I want to know which sections (data, text, code, ...) of a PE file are always completely loaded into memory by the loader, no matter what the condition is? As per my understanding, none of the sections (code, data, resources, text, ...) are always loaded completely; they are loaded as and when needed, page by page. If a few pages of code (in the middle or at the end) are not required to process the user's request, then these pages will not always get loaded. I have tried making exe files with lots of

Microsoft's ASLR is weird

此生再无相见时 submitted on 2019-12-01 05:10:12
Question: I watched an ASLRed DLL image's base address for a 32-bit process. It's not a full randomization. It is just randomized with 1/2 probability. For example, once I load a DLL, the image is loaded at 0x12345678. And when I load the image again, the image is loaded at 0x23456789 (base address is changed!). But when I load the image again: 0x12345678, 0x23456789, 0x12345678, 0x23456789 ... Why did they implement it like this? Is it for a crash report's frequency? (For getting the same crash addresses of re-deployed DLLs.)

Binary Reproducibility in Visual C++

爱⌒轻易说出口 submitted on 2019-12-01 02:23:42
Question: Is there a way to force the same code to produce the same binary in Visual C++? Turn off the timestamp in the PE or force the timestamp in the PE to be some fixed value, in other words?
Answer 1: It's not only a timestamp - there's an embedded GUID used for PDB matching - as John Robbins explains. Even beyond that, there's just no way to force the compiler to generate consistent results, as Jim Griesmer explains - compiler writers are far more interested in generating correctly functioning code

About ImageBase of .EXE in windows

被刻印的时光 ゝ submitted on 2019-12-01 00:52:08
I just learned that ImageBase is specified in the PE format, and the OS will load an .EXE to that exact position; then comes the question: what if two .EXEs require the same ImageBase location?
st0le: In case of 2 EXEs, they have completely different address spaces... Every executable has its own space. This means that every time you execute an EXE, it is assigned its own independent 4GB worth of address space (on 32-bit systems, although the process can use just part of it; the rest goes to the kernel). It's virtual address space. It's different from your physical memory. So there's no conflict. Technically,

Writing a Cross-Platform (32-bit and 64-bit compatible) Program for Windows (like AnyCPU in .NET)

£可爱£侵袭症+ submitted on 2019-12-01 00:31:53
Question: It's been baffling me how the "AnyCPU" feature in .NET works: it loads the executable as native 32-bit if the system is 32-bit, and as 64-bit if the system is 64-bit (which you can easily confirm with Task Manager). So obviously, this isn't impossible. The question is, how exactly did Microsoft do this? Windows originally didn't know about the .NET framework, so the Windows PE loader can't possibly look for any extra features in PE headers for the CLR header; this feature must have been added

So most of the binary is composed of reloc table?

心已入冬 submitted on 2019-12-01 00:26:09
I just used objdump -x ... to check the sections of a PE file. There are about 90,000 lines of reloc entries:

reloc 92 offset bc0 [524bc0] HIGHLOW
reloc 93 offset bc4 [524bc4] HIGHLOW
....

Does it hold true that the majority of the space in most PE files is composed of reloc entries like the above? What are those entries for?
UPDATE: Can anyone explain how the relocation entries above work?
Relocations are needed when there is a base conflict in memory. If a dynamic-link library wants to load its code section in a certain memory space, but it has already been occupied by another module, it

How do I determine if an EXE (or DLL) participate in ASLR, i.e. is relocatable?

余生长醉 submitted on 2019-11-30 23:18:34
How do I determine if an EXE (or DLL) participates in ASLR, i.e. is relocatable? I want to check some EXEs on my system to see whether they are relocatable and participate in ASLR. I know the default behavior of the linker is to strip base relocations, so that the EXE is not relocatable? How do I see from a tool like FileAlyzer whether the image participates in ASLR?
miguel: A relocatable module (exe or dll) doesn't necessarily need to have ASLR enabled, but a module that has ASLR enabled needs to be relocatable. A module that is ASLR-enabled (using the /DYNAMICBASE linker switch) will be loaded at a

Questions Regarding DLL Loading in a Process Address Space

百般思念 submitted on 2019-11-30 16:19:32
Question: Well, I read several of Matt Pietrek's articles on Portable Executable (PE) files, like: An In-Depth Look into the Win32 Portable Executable File Format, Part 1 and Part 2; the MSJ article on linkers; the MSJ article on the COFF format. In addition, I have read a few other sources on the subject. It is either me overlooking some parts, or the questions aren't answered there. So, here are the questions: It is known that, when loading an EXE, the Windows loader reads the list of imported DLLs from the
