DLL preferred load address
-
Hello everyone, How to get the preferred load address for a DLL? Suppose I just have the binary DLL and no source code? thanks in advance, George
On my system at least, dumpbin /headers iain.dll then look at the image base value. That's with VS6 - no idea if the utility is still around for later versions. Iain.
-
Hello everyone, How to get the preferred load address for a DLL? Suppose I just have the binary DLL and no source code? thanks in advance, George
-
You can use ListDLLs[^] to list currently loaded dlls. If you use the -r switch it will flag up any dlls that have been relocated, and give you their preferred base. Or Process explorer[^] has a dlls window which lists all the dlls loaded for each process, their base address, their preferred base address, and colours them yellow if they have been relocated.
Simon
Hi Simon, Which Window in Process Explorer lists loaded DLLs for a process? I can not find out. :-) regards, George
-
On my system at least, dumpbin /headers iain.dll then look at the image base value. That's with VS6 - no idea if the utility is still around for later versions. Iain.
Hi Iain, Here is my output, which item do you think is the preferred load address? :-)
Microsoft (R) COFF/PE Dumper Version 9.00.30729.01
Copyright (C) Microsoft Corporation. All rights reserved.Dump of file TestDll2.dll
PE signature found
File Type: DLL
FILE HEADER VALUES
8664 machine (x64)
7 number of sections
48FF2B43 time date stamp Wed Oct 22 21:31:47 2008
0 file pointer to symbol table
0 number of symbols
F0 size of optional header
2022 characteristics
Executable
Application can handle large (>2GB) addresses
DLLOPTIONAL HEADER VALUES
20B magic # (PE32+)
9.00 linker version
4800 size of code
3600 size of initialized data
0 size of uninitialized data
1520 entry point (0000000180001520) _DllMainCRTStartup
1000 base of code
180000000 image base (0000000180000000 to 000000018000CFFF)
1000 section alignment
200 file alignment
5.02 operating system version
0.00 image version
5.02 subsystem version
0 Win32 version
D000 size of image
400 size of headers
F212 checksum
2 subsystem (Windows GUI)
140 DLL characteristics
Dynamic base
NX compatible
100000 size of stack reserve
1000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
7DB0 [ 16A] RVA [size] of Export Directory
A000 [ 3C] RVA [size] of Import Directory
B000 [ 2B8] RVA [size] of Resource Directory
9000 [ 288] RVA [size] of Exception Directory
0 [ 0] RVA [size] of Certificates Directory
C000 [ 3C] RVA [size] of Base Relocation Directory
6550 [ 1C] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Global Pointer Directory
0 [ 0] RVA [size] of Thread Storage Directory
0 [ 0] RVA [size] of Load Configuration Directory
0 [ 0] RVA [size] of Bound Import Directory -
HMODULE hModule=LoadLibrary("Drive:\\folder\\sth.dll"); if(!hModule) { MessageBox("Load sth.dll failed!); return; } FARPROC address= GetProcAddress(hModule, ("Drive:\\folder\\sth.dll"); if(!address) { MessageBox("GetProcAddress failed!); return; }
Hi anminxin, Sorry I disagree with your code. I am asking how to get the preferred load address, but you get the actual load address. Any comments? regards, George
-
Hi Simon, Which Window in Process Explorer lists loaded DLLs for a process? I can not find out. :-) regards, George
-
From the view menus, select the "Show lower pane options" Then again from the view menu select "view->Lower pane view->dll"
Thanks nave, DLL is displayed, but the DLL properties only display load address, no preferred load address. Any comments? regards, George
-
Thanks nave, DLL is displayed, but the DLL properties only display load address, no preferred load address. Any comments? regards, George
You can select that column also. take the select column option by right clicking on the header of the lower pane. Select the "Base" and "Image Base" from the list. The "base" is the address at which the dll has actually loaded and "Image base" is the prefered base address. You can also use the dependency walker to find the prefered base address.
-
You can select that column also. take the select column option by right clicking on the header of the lower pane. Select the "Base" and "Image Base" from the list. The "base" is the address at which the dll has actually loaded and "Image base" is the prefered base address. You can also use the dependency walker to find the prefered base address.
Thanks nave! I have found out, very good tool! :-) regards, George
-
Hi Iain, Here is my output, which item do you think is the preferred load address? :-)
Microsoft (R) COFF/PE Dumper Version 9.00.30729.01
Copyright (C) Microsoft Corporation. All rights reserved.Dump of file TestDll2.dll
PE signature found
File Type: DLL
FILE HEADER VALUES
8664 machine (x64)
7 number of sections
48FF2B43 time date stamp Wed Oct 22 21:31:47 2008
0 file pointer to symbol table
0 number of symbols
F0 size of optional header
2022 characteristics
Executable
Application can handle large (>2GB) addresses
DLLOPTIONAL HEADER VALUES
20B magic # (PE32+)
9.00 linker version
4800 size of code
3600 size of initialized data
0 size of uninitialized data
1520 entry point (0000000180001520) _DllMainCRTStartup
1000 base of code
180000000 image base (0000000180000000 to 000000018000CFFF)
1000 section alignment
200 file alignment
5.02 operating system version
0.00 image version
5.02 subsystem version
0 Win32 version
D000 size of image
400 size of headers
F212 checksum
2 subsystem (Windows GUI)
140 DLL characteristics
Dynamic base
NX compatible
100000 size of stack reserve
1000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
7DB0 [ 16A] RVA [size] of Export Directory
A000 [ 3C] RVA [size] of Import Directory
B000 [ 2B8] RVA [size] of Resource Directory
9000 [ 288] RVA [size] of Exception Directory
0 [ 0] RVA [size] of Certificates Directory
C000 [ 3C] RVA [size] of Base Relocation Directory
6550 [ 1C] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Global Pointer Directory
0 [ 0] RVA [size] of Thread Storage Directory
0 [ 0] RVA [size] of Load Configuration Directory
0 [ 0] RVA [size] of Bound Import DirectoryThis one:
180000000 image base (0000000180000000 to 000000018000CFFF)Simon
-
Hi Iain, Here is my output, which item do you think is the preferred load address? :-)
Microsoft (R) COFF/PE Dumper Version 9.00.30729.01
Copyright (C) Microsoft Corporation. All rights reserved.Dump of file TestDll2.dll
PE signature found
File Type: DLL
FILE HEADER VALUES
8664 machine (x64)
7 number of sections
48FF2B43 time date stamp Wed Oct 22 21:31:47 2008
0 file pointer to symbol table
0 number of symbols
F0 size of optional header
2022 characteristics
Executable
Application can handle large (>2GB) addresses
DLLOPTIONAL HEADER VALUES
20B magic # (PE32+)
9.00 linker version
4800 size of code
3600 size of initialized data
0 size of uninitialized data
1520 entry point (0000000180001520) _DllMainCRTStartup
1000 base of code
180000000 image base (0000000180000000 to 000000018000CFFF)
1000 section alignment
200 file alignment
5.02 operating system version
0.00 image version
5.02 subsystem version
0 Win32 version
D000 size of image
400 size of headers
F212 checksum
2 subsystem (Windows GUI)
140 DLL characteristics
Dynamic base
NX compatible
100000 size of stack reserve
1000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
7DB0 [ 16A] RVA [size] of Export Directory
A000 [ 3C] RVA [size] of Import Directory
B000 [ 2B8] RVA [size] of Resource Directory
9000 [ 288] RVA [size] of Exception Directory
0 [ 0] RVA [size] of Certificates Directory
C000 [ 3C] RVA [size] of Base Relocation Directory
6550 [ 1C] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Global Pointer Directory
0 [ 0] RVA [size] of Thread Storage Directory
0 [ 0] RVA [size] of Load Configuration Directory
0 [ 0] RVA [size] of Bound Import DirectoryGeorge_George wrote:
Here is my output, which item do you think is the preferred load address?
In the middle of the first "Lump":
180000000 image base (0000000180000000 to 000000018000CFFF)
Though I'd look at the sysinternals tool, as they're more digestible! Iain.
-
This one:
180000000 image base (0000000180000000 to 000000018000CFFF)Simon
Thanks for your clarification, Simon! regards, George
-
George_George wrote:
Here is my output, which item do you think is the preferred load address?
In the middle of the first "Lump":
180000000 image base (0000000180000000 to 000000018000CFFF)
Though I'd look at the sysinternals tool, as they're more digestible! Iain.
Thanks for sharing your perspective, Iain! regards, George