A few days after asking the question I realised I had misinterpreted my original findings. It seems the .rdata section in the file is copied directly to memory, but then the first 36 bytes are overwritten by the loader with the IAT RVA. The erroneous question about the added 96 bytes is the result of me not noticing that the sequence of bytes I was checking in my tests is repeated in the file.

What I just said still might not be 100% accurate. The investigation will continue for the next few days.

Original Question

I'm trying to write a program to analyse Windows executables. I was assuming that sections in an executable file are copied directly to memory. I have noticed strange behaviour in several programs.

One example is crackme12.exe. When I check the .rdata section loaded into memory with a debugger, I can see that for some reason 96 bytes have been added at the beginning of the section in memory that were not there in the executable file. I have spent 2 days trying to read the Windows executable documentation, but I can't find an explanation of why this is happening.

Additional Info

I'm trying to load this file on Linux under Wine. The debugger I use is OllyDbg. File download link: http://www.reversing.be/easyfile/file.php?show=20080602192337264

I'm trying to write the program in Common Lisp. This is the link to the test file: https://github.com/bigos/discompiler/blob/master/test/lisp-unit.lisp

I have tried to load the same crackme under Windows and got another surprise. The screenshot at https://github.com/bigos/discompiler/blob/fc3d8432f10c8bd5dfd14a8b5e2b113331db15df/my-reference/images/differences%20between%20lin%20and%20win.png shows Windows and Wine side by side.

From address 0x402060, highlighted in red in the screenshot, is data copied from the section in the file. On loading, the operating system inserted 96 bytes. To my surprise the Wine loader has inserted different data. When you compare Wine and Windows you will see that the first two lines differ. Can somebody enlighten me as to what is happening?

Conclusion

It turns out that the Import Table RVA and the IAT RVA were placed at addresses between 0x402000 and 0x402060. So it looks like the loader copies the section to memory after those tables.

I have added some code to my little program and got the following output:

RVAs: (((320 "Import Table RVA" 8228) (324 "Import Table Size" 60) "in memory from" "402024" "to" "402060") ((328 "Resource Table RVA" 16384) (332 "Resource Table Size" 1792) "in memory from" "404000" "to" "404700") ((408 "IAT RVA" 8192) (412 "IAT Size" 36) "in memory from" "402000" "to" "402024"))

Comment (Ange, Nov 28, 2013 at 18:56): It might be related to the loading process: relocations, imports, exports... we need the sample, or a more accurate description.

1 Answer

This is the Import Address Table, which contains the virtual addresses of the imported functions.

Since the DLLs have been loaded at different addresses (7bxxxxxx in one case, 76xxxxxx in the other), the Import Address Table is filled with different DWORD values.
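The following is an added example in Python, not the poster's Common Lisp tool nor code from the answer. It builds a constructed minimal PE32 file whose .rdata section starts with the IAT, followed by the import directory, the INT and the hint/name strings (the same arrangement the poster's data-directory dump shows), parses the data directories and section table the way the poster's program does, and then replays what the loader does on load: copy the section, walk the import descriptors, and overwrite each IAT slot with the resolved address. The DLL load addresses and export RVAs are constructed values standing in for GetProcAddress; the script resolves the same file against Windows-like (0x76xxxxxx) and Wine-like (0x7bxxxxxx) bases so the difference the answer describes is visible, and it checks that nothing outside the IAT changes.

```python
"""Constructed PE32 sample plus a loader replay for its IAT (added example)."""
import struct

IMAGE_BASE, RDATA_RVA, RDATA_RAW, STR_RVA = 0x400000, 0x2000, 0x400, 0x2080
IMPORTS = {"KERNEL32.dll": ["ExitProcess", "GetStdHandle", "WriteFile"],
           "USER32.dll": ["MessageBoxA"]}                       # constructed import list
FAKE_EXPORTS = {"KERNEL32.dll": {"ExitProcess": 0x1F2A0, "GetStdHandle": 0x1A4B0,
                                 "WriteFile": 0x1D9C0},
                "USER32.dll": {"MessageBoxA": 0x3E4F0}}          # constructed export RVAs


def build_sample_pe():
    """Return a constructed PE32: .text at RVA 0x1000, .rdata at RVA 0x2000 (file 0x400)."""
    names, name_rva = bytearray(), {}               # hint/name entries and DLL names
    for dll, funcs in IMPORTS.items():
        for f in funcs:
            name_rva[f] = STR_RVA + len(names)
            names += struct.pack("<H", 0) + f.encode() + b"\0"   # hint 0, name, NUL
            names += b"\0" * (len(names) % 2)                    # keep entries even-aligned
        name_rva[dll] = STR_RVA + len(names)
        names += dll.encode() + b"\0"
        names += b"\0" * (len(names) % 2)
    thunks, first = [], {}                          # one thunk per import, 0 ends each DLL
    for dll, funcs in IMPORTS.items():
        first[dll] = RDATA_RVA + 4 * len(thunks)    # this DLL's slice of the IAT
        thunks += [name_rva[f] for f in funcs] + [0]
    thunk_bytes = struct.pack("<%dI" % len(thunks), *thunks)
    iat_rva, iat_size = RDATA_RVA, len(thunk_bytes)
    idir_rva, idir_size = iat_rva + iat_size, 20 * (len(IMPORTS) + 1)
    int_rva = idir_rva + idir_size                  # INT: same thunks, never patched
    descs = b"".join(struct.pack("<5I", int_rva + (first[d] - RDATA_RVA), 0, 0,
                                 name_rva[d], first[d]) for d in IMPORTS) + bytes(20)
    rdata = bytearray(thunk_bytes + descs + thunk_bytes)
    rdata += bytes(STR_RVA - RDATA_RVA - len(rdata)) + names
    rdata += bytes(0x200 - len(rdata))
    dirs = [(0, 0)] * 16                            # data directories: 1 = imports, 12 = IAT
    dirs[1], dirs[12] = (idir_rva, idir_size), (iat_rva, iat_size)
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 0, 0, 0x200, 0x200, 0, 0x1000, 0x1000,
                      RDATA_RVA, IMAGE_BASE, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0,
                      0x3000, 0x200, 0, 3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, RDATA_RVA, 0x200, RDATA_RAW, 0, 0, 0, 0, 0x40000040)
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + secs
    return bytes(hdr + bytes(0x200 - len(hdr)) + b"\xC3" * 0x200 + rdata)


def parse_pe(data):
    """Return (image_base, data_directories, sections) with sections as (name, va, vsize, raw_ptr, raw_size)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    assert data[pe:pe + 4] == b"PE\0\0", "not a PE file"
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    assert struct.unpack_from("<H", data, opt)[0] == 0x10B, "PE32 only"
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    raw = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsec)]
    return image_base, dirs, [(n.rstrip(b"\0").decode(), va, vs, ptr, rs) for n, vs, va, rs, ptr in raw]


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for _, va, vs, ptr, rs in sections:
        if va <= rva < va + max(vs, rs):
            return ptr + (rva - va)
    raise ValueError("RVA %#x not in any section" % rva)


def cstring(data, off):
    return data[off:data.index(b"\0", off)].decode()


def load_rdata(data, dll_bases):
    """Copy .rdata as the loader does and patch the IAT. dll_bases maps DLL name to its
    (constructed) load address. Returns (on_disk, in_memory, [(rva, before, after)])."""
    _, dirs, sections = parse_pe(data)
    _, sec_va, _, sec_ptr, sec_size = next(s for s in sections if s[0] == ".rdata")
    disk = data[sec_ptr:sec_ptr + sec_size]
    mem, patches, desc_rva = bytearray(disk), [], dirs[1][0]
    while True:                                     # walk descriptors until the null one
        _, _, _, name_rva, first_thunk = struct.unpack_from("<5I", data, rva_to_offset(sections, desc_rva))
        if first_thunk == 0:
            break
        dll, rva = cstring(data, rva_to_offset(sections, name_rva)), first_thunk
        while (thunk := struct.unpack_from("<I", data, rva_to_offset(sections, rva))[0]) != 0:
            assert not thunk & 0x80000000, "import by ordinal not handled here"
            func = cstring(data, rva_to_offset(sections, thunk) + 2)   # skip the hint
            addr = dll_bases[dll] + FAKE_EXPORTS[dll][func]           # GetProcAddress stand-in
            struct.pack_into("<I", mem, rva - sec_va, addr)
            patches.append((rva, thunk, addr))
            rva += 4
        desc_rva += 20
    return disk, bytes(mem), patches


if __name__ == "__main__":
    pe = build_sample_pe()
    base, dirs, _ = parse_pe(pe)
    for idx, label in ((1, "Import Table"), (12, "IAT")):
        rva, size = dirs[idx]
        print("%-12s RVA %#x size %d -> in memory %#x to %#x" % (label, rva, size, base + rva, base + rva + size))
    win = load_rdata(pe, {"KERNEL32.dll": 0x76B40000, "USER32.dll": 0x76D20000})  # Windows-like bases (constructed)
    wine = load_rdata(pe, {"KERNEL32.dll": 0x7B810000, "USER32.dll": 0x7E9D0000})  # Wine-like bases (constructed)
    for (rva, before, w), (_, _, x) in zip(win[2], wine[2]):
        print("%#x: on disk %#010x  Windows %#010x  Wine %#010x" % (base + rva, before, w, x))
    print("bytes after the IAT unchanged:", win[0][dirs[12][1]:] == win[1][dirs[12][1]:] == wine[1][dirs[12][1]:])
```

On disk the IAT holds the same RVAs as the INT (both point at the hint/name entries), which is why the poster saw the byte sequence "repeated in the file"; only the IAT copy is rewritten at load time, and the values written depend on where each DLL was mapped, so two loaders give two different first lines.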
