PE loader && image base

I was recently reading Matt Pietrek’s excellent articles on the PE format, and I decided to play around with it on a file I had laying around. I altered a kernel driver to change the ImageBase to an address I could see was listed as unused in WinDbg, but it didn’t show up there when loaded. So my question is, I can see various discussions on MS pages about rebasing DLLs to make them not collide, but does the same thing not work for .sys files? Does the OS loader not even care what their preferred base is, and just loads them wherever?

Thanks much

Gennady Dean
Sr. Software Engineer
Transcorp Inc.

I haven’t checked lately but for older systems the base was ignored in
the kernel.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


Right, no one cares for drivers (the Mm just finds a free range of system
PTEs to use to map the image). If you look at a few drivers you’ll actually
see that the preferred base address is a user mode address.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com


> I can see various discussions on MS pages about rebasing DLLs to make them not collide

This is done to allow the possibility of mapping the DLL without relocations, in which case it will only use .DLL-file-backed-pages and never the pagefile-backed pages, thus reducing the commit charge on the OS.

For a driver, this is useless, since the driver is loaded only to pagefile-backed pages, after which the .sys file on disk is closed, so the file-mapped pages in the loaded driver are impossible anyway.

Also note that the number of drivers in the OS is many times smaller than the number of DLLs.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
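
To check the point raised in the thread against a driver of your own, the following reads the preferred base from a PE image's headers and reports whether it names a user-mode address. This is an added example, not code from any of the posters: `preferred_base` and `build_sample` are hypothetical names, the sample headers are constructed, and the user/kernel boundaries (2 GB split on x86, upper canonical half on x64) are assumptions.

```python
import struct

SUBSYSTEM_NATIVE = 1  # IMAGE_SUBSYSTEM_NATIVE, used by kernel-mode drivers

def preferred_base(image: bytes) -> dict:
    """Read ImageBase from PE headers and report which address range it names."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    # Assumed splits: upper canonical half on x64, default 2 GB split on x86.
    if magic == 0x20B:    # PE32+: 8-byte ImageBase at offset 24
        (base,) = struct.unpack_from("<Q", image, opt + 24)
        kernel_start, dirs = 0xFFFF800000000000, opt + 112
    elif magic == 0x10B:  # PE32: 4-byte ImageBase at offset 28
        (base,) = struct.unpack_from("<I", image, opt + 28)
        kernel_start, dirs = 0x80000000, opt + 96
    else:
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    (subsystem,) = struct.unpack_from("<H", image, opt + 68)
    (ndirs,) = struct.unpack_from("<I", image, dirs - 4)
    # Data directory 5 is the base relocation table (8 bytes per entry: RVA, size).
    reloc_size = struct.unpack_from("<II", image, dirs + 40)[1] if ndirs > 5 else 0
    return {"image_base": base, "native": subsystem == SUBSYSTEM_NATIVE,
            "user_mode_base": base < kernel_start, "has_relocs": reloc_size > 0}

def build_sample(magic: int, base: int) -> bytes:
    """Constructed headers only (no sections), enough for preferred_base()."""
    plus = magic == 0x20B
    dirs = 112 if plus else 96
    opt = bytearray(dirs + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<Q" if plus else "<I", opt, 24 if plus else 28, base)
    struct.pack_into("<H", opt, 68, SUBSYSTEM_NATIVE)
    struct.pack_into("<I", opt, dirs - 4, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs + 40, 0x3000, 0x100)  # relocation directory
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664 if plus else 0x14C, 0, 0, 0, 0, len(opt), 2)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for magic, base in [(0x10B, 0x10000), (0x20B, 0x140000000)]:
        info = preferred_base(build_sample(magic, base))
        print(f"ImageBase={info['image_base']:#x}", info)
```

To inspect a real driver, pass the bytes of the .sys file to `preferred_base` in place of the constructed sample.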