win32k and its ImageBase

All,

When you look at the PE of Win32k.sys it says that the ImageBase is
0xBF800000, but when I see its actual load address (through
PsLoadedModuleList) I find it to be different. So isn’t this
‘honoured’ any more in Win7? In XP, I find the DLL to be loaded at the
address specified by the ImageBase field. Was just curious.

I found a thread discussing a similar topic, but was not sure which
OS they are talking of…

http://stackoverflow.com/questions/6321677/win32k-sys-mapping-address-in-the-session-space

thanks

Ami

That is what the .reloc section is for, isn’t it? What if someone already is at that address? That value is just an indication/request to the loader: give me that if available.

Not sure if ASLR plays in the case of kernel modules; if yes, then that is one more thing to worry about.

IIRC, there is no ASLR for KM drivers b/c drivers could never rely on fixed offsets for anything, they were always ASLR ready so to speak.

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Tuesday, August 16, 2011 11:02 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] win32k and it’s Imagebase

That is what the .reloc section is for, isn’t it? What if someone already is at that address? That value is just an indication/request to the loader: give me that if available.

Not sure if ASLR plays in the case of kernel modules; if yes, then that is one more thing to worry about.
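
An added Python example (not part of the thread or any poster's code) that reads the two header facts the replies turn on: the preferred ImageBase and whether base relocations are present, then compares them with an observed load address. The function names, the sample header built by `build_sample`, and the load address 0x96A00000 are constructed for illustration; only 0xBF800000 comes from the thread.

```python
import struct

RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED in COFF Characteristics
RELOC_DIR = 5             # IMAGE_DIRECTORY_ENTRY_BASERELOC

def pe_base_info(data):
    """Return (preferred ImageBase, True if base relocations are present)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (chars,) = struct.unpack_from("<H", data, pe + 22)    # Characteristics
    opt = pe + 24                                         # optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                    # PE32
        (base,) = struct.unpack_from("<I", data, opt + 28)
        dirs = opt + 96
    elif magic == 0x20B:                                  # PE32+
        (base,) = struct.unpack_from("<Q", data, opt + 24)
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic")
    (ndirs,) = struct.unpack_from("<I", data, dirs - 4)   # NumberOfRvaAndSizes
    # Second field of the base relocation directory entry is its size.
    size = struct.unpack_from("<II", data, dirs + 8 * RELOC_DIR)[1] if ndirs > RELOC_DIR else 0
    return base, size > 0 and not chars & RELOCS_STRIPPED

def describe_load(data, actual_base):
    base, has_relocs = pe_base_info(data)
    if actual_base == base:
        return "loaded at preferred ImageBase"
    return "rebased using .reloc" if has_relocs else "no relocations: cannot be rebased"

def build_sample(image_base, reloc_size, chars=0x0102):
    """Constructed minimal PE32 header (header fields only, not loadable)."""
    buf = bytearray(0x40 + 24 + 224)
    buf[:2], buf[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x40)               # e_lfanew
    struct.pack_into("<HH", buf, 0x40 + 20, 224, chars)   # SizeOfOptionalHeader, Characteristics
    opt = 0x40 + 24
    struct.pack_into("<H", buf, opt, 0x10B)               # PE32 magic
    struct.pack_into("<I", buf, opt + 28, image_base)
    struct.pack_into("<I", buf, opt + 92, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 136, 0x1000, reloc_size)  # reloc directory
    return bytes(buf)

if __name__ == "__main__":
    img = build_sample(0xBF800000, 0x200)                 # ImageBase quoted in the thread
    print(describe_load(img, 0x96A00000))                 # constructed load address
```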


NTDEV is sponsored by OSR