Computing virtual addresses in portable executables
I'm trying to understand the basics of addressing in PE files, and I've made a simple application with a few functions that call malloc, statically linked to the msvcr110 library. So I took my executable, opened it in IDA Pro, found the offset of the malloc function that was not imported, added the base address and tried to call it like this:
HMODULE hCurrentModule = GetModuleHandle(NULL); // get current module base address
DWORD_PTR hMallocAddr = (0x0048AD60 + (DWORD_PTR)hCurrentModule);
char *pointer;
__asm //calling malloc
{
push 80
mov eax,dword ptr[static_addr]
call eax
add esp,2
mov [pointer],eax
}
Then I checked the rebuilt program in IDA Pro to make sure the malloc offset stays the same, and it doesn't change: 0x0048AD60. So the problem is that offset + hCurrentModule gives me the wrong address, and the program crashes after calling that address. For example, the result of my hMallocAddr is 0x0186AD60, but in an MSVC debug session, in the disassembly window, the malloc address is at 0x0146AD60. What's wrong here?
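The numbers in the question already give the fix away, and the following added example (not code from the question, the answer, or any project) works the arithmetic through: 0x0186AD60 - 0x0146AD60 = 0x00400000, the default preferred ImageBase of a 32-bit MSVC executable. 0x0048AD60 is therefore not an offset but the virtual address IDA displays at the preferred base; adding GetModuleHandle(NULL) on top of it counts the image base twice. The correct computation reads ImageBase from the PE optional header, subtracts it to get the RVA, and adds the base the loader actually chose. The program below is portable C (no windows.h) that parses a constructed PE32 header built inline (a header stub, not a loadable image) and reproduces all three addresses from the question; the loaded base 0x013E0000 is an assumption derived from the page's 0x0146AD60 - 0x8AD60.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian readers and writers: no windows.h, so this builds on any host. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Read the preferred ImageBase from a PE header (PE32 or PE32+).
   Returns 0 on success, -1 if the buffer is not a well-formed PE header. */
int pe_image_base(const uint8_t *buf, size_t len, uint64_t *image_base)
{
    if (len < 0x40 || rd16(buf) != 0x5A4D) return -1;              /* "MZ" */
    uint32_t e_lfanew = rd32(buf + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 32) return -1;   /* signature + COFF + enough optional header */
    const uint8_t *nt = buf + e_lfanew;
    if (rd32(nt) != 0x00004550) return -1;                            /* "PE\0\0" */
    const uint8_t *opt = nt + 4 + 20;                                 /* optional header follows the 20-byte COFF header */
    uint16_t magic = rd16(opt);
    if (magic == 0x10B) {                                             /* PE32: ImageBase is a DWORD at +28 */
        *image_base = rd32(opt + 28);
        return 0;
    }
    if (magic == 0x20B) {                                             /* PE32+: ImageBase is a QWORD at +24 */
        *image_base = (uint64_t)rd32(opt + 24) | ((uint64_t)rd32(opt + 28) << 32);
        return 0;
    }
    return -1;
}

/* IDA displays addresses as if the image were loaded at ImageBase; strip it to get the RVA. */
uint64_t va_to_rva(uint64_t ida_va, uint64_t image_base) { return ida_va - image_base; }

/* An RVA is only meaningful relative to the base the loader actually used
   (what GetModuleHandle(NULL) returns inside the running process). */
uint64_t rva_to_runtime(uint64_t rva, uint64_t actual_base) { return rva + actual_base; }

/* The question's computation: ImageBase is already inside ida_va, so it is added twice. */
uint64_t double_based(uint64_t ida_va, uint64_t actual_base) { return ida_va + actual_base; }

/* Constructed sample: a minimal PE32 header with the default MSVC ImageBase 0x00400000.
   Only the fields pe_image_base() inspects are filled in; this is not a loadable image. */
#define SAMPLE_LEN 0x100
static void build_sample_pe32_header(uint8_t *buf)
{
    memset(buf, 0, SAMPLE_LEN);
    wr16(buf, 0x5A4D);                 /* e_magic "MZ" */
    wr32(buf + 0x3C, 0x40);            /* e_lfanew: NT headers start at 0x40 */
    wr32(buf + 0x40, 0x00004550);      /* "PE\0\0" */
    wr16(buf + 0x44, 0x014C);          /* COFF Machine = IMAGE_FILE_MACHINE_I386 */
    wr16(buf + 0x44 + 16, 0xE0);       /* SizeOfOptionalHeader for PE32 */
    wr16(buf + 0x58, 0x10B);           /* optional header Magic = PE32 */
    wr32(buf + 0x58 + 28, 0x00400000); /* ImageBase */
}

/* Builds the sample header and returns its ImageBase, or 0 if parsing fails. */
uint64_t sample_image_base(void)
{
    uint8_t hdr[SAMPLE_LEN];
    uint64_t ib = 0;
    build_sample_pe32_header(hdr);
    return pe_image_base(hdr, SAMPLE_LEN, &ib) == 0 ? ib : 0;
}

int main(void)
{
    const uint64_t ida_va = 0x0048AD60;      /* what IDA showed for malloc (from the question) */
    const uint64_t loaded_base = 0x013E0000; /* assumed run-time base, derived from the question's numbers */
    uint64_t image_base = sample_image_base();
    uint64_t rva = va_to_rva(ida_va, image_base);
    printf("ImageBase (from header) : 0x%08llx\n", (unsigned long long)image_base);
    printf("RVA of malloc           : 0x%08llx\n", (unsigned long long)rva);
    printf("correct run-time address: 0x%08llx\n", (unsigned long long)rva_to_runtime(rva, loaded_base));
    printf("question's computation  : 0x%08llx (off by exactly ImageBase)\n",
           (unsigned long long)double_based(ida_va, loaded_base));
    return 0;
}
```

On the real target, feed pe_image_base() the bytes at GetModuleHandle(NULL) (the mapped image begins with the DOS header), or read ImageBase from dumpbin /headers. The fact that the debugger shows malloc well above 0x00400000 also means the image was relocated (dynamic base / ASLR), which is exactly why the run-time base has to be read from the process rather than assumed. The stack point raised in the answer is separate and also real: a cdecl call cleans up as many bytes as were pushed, and `push 80` pushes a 4-byte dword on x86, so the cleanup has to be `add esp,4`, not 2.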
I see one thing I don't understand: the first instruction. You push the value but never pop it. When you add 2 to esp, are you trying to fix the stack? Can the compiler "help" you by optimizing this as an 8-bit value?
No guarantee, but this is what I see at first sight; then again, I am not there and the debug screen is not visible to me.
{
push 80 ;Where do you pop this ?
mov eax,dword ptr[static_addr]
call eax
add esp,2 ;Is this the "pop" ? Possible bug, is "80" a 16 bit value ?
mov [pointer],eax
}
Along the same line, I'm not entirely sure how your application is structured, but are you safe to use Eax without pushing it before and popping it afterwards? There is no clue whether it matters; it's just a quick glance at the code.