OSDev.org

The Place to Start for Operating System Developers

All times are UTC - 6 hours




 Post subject: Loading PE Executable - Empty Space Before First Section
PostPosted: Thu Feb 17, 2022 12:46 pm 
Hi,

I am studying how PE executables are loaded into memory and executed. I am using

Code:
dumpbin.exe /ALL <simple_program.exe>


output, along with online resources. This part of the dumpbin output struck me as odd:

Quote:
SECTION HEADER #1
.text name
F23 virtual size
1000 virtual address (00401000 to 00401F22)
1000 size of raw data
400 file pointer to raw data (00000400 to 000013FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
Execute Read


According to this, the first section to load is the .text section, and it is put 4KB after the image base. Does that mean that, when this exe is loaded into memory, the first 4KB of the image is empty? Is it used for something?

Best Regards,


 Post subject: Re: Loading PE Executable - Empty Space Before First Section
PostPosted: Thu Feb 17, 2022 2:47 pm 
As for the file, it has no concern.

However, if your loader marks the first 4k page as non-existent, any NULL pointers in your code will trigger a GPF. Therefore, you can't place any code or data in the first 4k of your app.

This is to keep NULL pointers from writing to wrong memory areas.

Ben
- https://www.fysnet.net/osdesign_book_series.htm


 Post subject: Re: Loading PE Executable - Empty Space Before First Section
PostPosted: Thu Feb 17, 2022 4:34 pm 
nothing odd, it's for headers, you forgot about them? if you don't want to map them, you may skip this and not map that page. nothing inside of your executable itself references that part of the image. if, say, the base is A, then the 1st mapped page would be A + 0x1000 (.text, that is). if you want (need) to keep headers in memory, you place them exactly there, at the page A. the headers mainly are needed for loading, but maybe, depending on the application, you'll need info stored there later. if so, map headers at the image base.

_________________
ANT - NT-like OS for x64 and arm64.
efify - UEFI for a couple of boards (mips and arm). suspended due to lost of all the target park boards (russians destroyed our town).


 Post subject: Re: Loading PE Executable - Empty Space Before First Section
PostPosted: Thu Feb 17, 2022 11:55 pm 
Thanks for the replies.

I took a memory dump of a running program and inspected it in a debugger. The first page is indeed filled with headers.

I had assumed the headers wouldn't be loaded because the executable doesn't need them. But as you hinted, maybe the OS needs them to be there.

Best Regards,


 Post subject: Re: Loading PE Executable - Empty Space Before First Section
PostPosted: Fri Feb 18, 2022 1:18 am 
yasar11732 wrote:
I took a memory dump of a running program and inspected it in a debugger. The first page is indeed filled with headers.

I had assumed the headers wouldn't be loaded because the executable doesn't need them. But as you hinted, maybe the OS needs them to be there.


There may be embedded resources within the file (e.g. icons/images) and they can be located through the information contained in the headers.


 Post subject: Re: Loading PE Executable - Empty Space Before First Section
PostPosted: Fri Feb 18, 2022 1:24 pm 
alexfru wrote:
There may be embedded resources within the file (e.g. icons/images) and they can be located through the information contained in the headers.

True, but resources, export tables, import tables and so on can all be accessed through sections as well. Resources are in ".rsrc", imports in ".idata", and exports in ".edata". You don't need the data directories per se.

In reality, the first page isn't mapped to a section because of null pointer accesses.

zaval wrote:
nothing odd, it's for headers, you forgot about them? if you don't want to map them, you may skip this and not map that page. nothing inside of your executable itself references that part of the image. if, say, the base is A, then the 1st mapped page would be A + 0x1000 (.text, that is). if you want (need) to keep headers in memory, you place them exactly there, at the page A. the headers mainly are needed for loading, but maybe, depending on the application, you'll need info stored there later. if so, map headers at the image base.

There isn't anything in the headers strictly needed after load time. As I said above, data directories can be accessed through sections. All the other things are only relevant to the loader.

_________________
"How did you do this?"
"It's very simple — you read the protocol and write the code." - Bill Joy
Projects: NexNix | libnex | nnpkg


 Post subject: Re: Loading PE Executable - Empty Space Before First Section
PostPosted: Fri Feb 18, 2022 5:19 pm 
Quote:
True, but resources, export tables, import tables and so on can all be accessed through sections as well. Resources are in ".rsrc", imports in ".idata", and exports in ".edata". You don't need the data directories per se.

okay, then explain, how you are going to find where that .rsrc section resides? for example, for FindResourceEx()/LoadResource()/LockResource() API functions. :) anything like this, that will be processed at the runtime, would need to look into the headers. delayed loading as well.

Quote:
In reality, the first page isn't mapped to a section because of null pointer accesses.

this is purely theoretical, since image base (neither preferred nor resulting) for the main .exe files of user mode programs never is 0. let alone - the kernel image.

_________________
ANT - NT-like OS for x64 and arm64.
efify - UEFI for a couple of boards (mips and arm). suspended due to lost of all the target park boards (russians destroyed our town).
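
Added example, not part of any post in this thread: a loader-style walk over PE32 headers that shows where the headers and each section land relative to the image base, and how the resource data directory (not the section name) locates `.rsrc`. The `.text` numbers and the 0x400000 base come from the dumpbin quote in the first post; the `.rsrc` section, the `SizeOfHeaders` value of 0x400 and the function names are constructed for illustration.

```python
import struct

def build_sample():
    """Constructed PE32 headers: .text mirrors the dumpbin quote, the rest is made up."""
    opt = bytearray(224)                                    # PE32 optional header, 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic = PE32
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x400)         # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 2 * 8, 0x2000, 0x100) # DataDirectory[2]: resources
    def sec(name, vsize, va, rawsize, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)       # e_lfanew lives at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    return (dos + b"PE\0\0" + coff + bytes(opt)
            + sec(b".text", 0xF23, 0x1000, 0x1000, 0x400, 0x60000020)
            + sec(b".rsrc", 0x100, 0x2000, 0x200, 0x1400, 0x40000040))

def image_layout(pe):
    """Return the in-memory layout a loader derives from the headers alone."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    nt, = struct.unpack_from("<I", pe, 0x3C)
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, = struct.unpack_from("<H", pe, nt + 6)            # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, nt + 20)       # SizeOfOptionalHeader
    opt = nt + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    base, = struct.unpack_from("<I", pe, opt + 28)
    hdr_size, = struct.unpack_from("<I", pe, opt + 60)
    res_rva, res_size = struct.unpack_from("<II", pe, opt + 96 + 2 * 8)
    # The headers themselves occupy the start of the image, at the image base.
    regions, res_section = [("headers", base, base + hdr_size - 1)], None
    for i in range(nsec):
        name, vsize, va = struct.unpack_from("<8sII", pe, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        regions.append((name, base + va, base + va + vsize - 1))
        if res_size and va <= res_rva < va + vsize:
            res_section = name          # matched by RVA range, not by section name
    return {"regions": regions, "resource_dir": (res_section, base + res_rva)}

if __name__ == "__main__":
    for name, start, end in image_layout(build_sample())["regions"]:
        print(f"{name:8s} {start:08X} to {end:08X}")
```

With this sample the headers end at 004003FF and `.text` starts at 00401000, so the remainder of the first page is alignment padding rather than unused image space.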


 Post subject: Re: Loading PE Executable - Empty Space Before First Section
PostPosted: Wed Feb 23, 2022 10:18 am 
zaval wrote:
Quote:
In reality, the first page isn't mapped to a section because of null pointer accesses.

this is purely theoretical, since image base (neither preferred nor resulting) for the main .exe files of user mode programs never is 0. let alone - the kernel image.

Indeed: I think NT by policy keeps the entire first 64k unmapped as protection against null pointer accesses, so if the first page after the headers were at 0x1000, it would be in the unmapped region. And even then, the first section of an executable is generally well above whatever null pointer trap the OS has set up.

