
Is it possible for a function address in a DLL to change when it is loaded into an application?

I disassembled a DLL and see some functions there. I found the function that I need and its address is 0x10001340.

Would this address stay the same if I load this DLL into my application? So would it be possible for me to call that function by its address from my application?

I am asking because I am not sure: what if, when this DLL is loaded, some function in the main application already has the same address? So maybe the functions inside a DLL can change addresses when loading, etc.

Kosmo零 asked Jun 10 '12 16:06




2 Answers

On Windows, DLLs have a preferential load address, but the loader is able to change all those references if it notices that that portion of the virtual address space is already used. This process is called "rebasing".

The "default" base address is specified at linking time (/BASE with the Microsoft linker), and it can be useful to set it to something different than the default if you plan to use the DLL alongside another one with the same base address; this speeds up the loading process, since the loader doesn't have to rebase one of the DLLs at each load. (IIRC there are also tools that are able to rebase an existing DLL and save the result on disk.)

It's good to keep in mind that, from Windows Vista onwards, DLLs compiled with a specified flag are always loaded at a random base address to avoid some kinds of exploits.

Matteo Italia answered Sep 28 '22 06:09


It is extremely unlikely that you'll end up with the same address. The default /BASE argument for the linker for DLLs is 0x10000000; that's how your entrypoint ended up at that address. But there are many DLLs that are linked using the default setting, and only one can actually get loaded at that address. All the other ones that get loaded later need to be re-based.

You could come up with a better value for /BASE; it is, however, never a guarantee that you get the load address you ask for.

Hans Passant answered Sep 28 '22 08:09
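Both answers come down to the same rule: the address shown by a disassembler is the preferred base plus an offset (the RVA), and only the offset survives rebasing. The sketch below is an added example, not code from either answer. It reads the preferred `ImageBase` and the ASLR opt-in bit from PE headers and translates the question's 0x10001340 to a different load base. The header bytes and the load base 0x6A2B0000 are constructed sample values.

```python
import struct

DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR opt-in)

def read_pe_base(image: bytes):
    """Return (preferred ImageBase, SizeOfImage, ASLR opt-in) from PE headers."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)    # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 4 + 20                                 # skip 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:                                    # PE32: 32-bit ImageBase
        (base,) = struct.unpack_from("<I", image, opt + 28)
    elif magic == 0x20B:                                  # PE32+: 64-bit ImageBase
        (base,) = struct.unpack_from("<Q", image, opt + 24)
    else:
        raise ValueError("unknown optional header magic")
    (size,) = struct.unpack_from("<I", image, opt + 56)   # SizeOfImage
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return base, size, bool(dll_chars & DYNAMIC_BASE)

def runtime_address(static_va, preferred_base, size, load_base):
    """Translate a disassembler address to its location at the actual load base."""
    rva = static_va - preferred_base                      # offset that survives rebasing
    if not 0 <= rva < size:
        raise ValueError("address is outside the image")
    return load_base + rva

def build_sample_header(base=0x10000000, size=0x8000, dll_chars=DYNAMIC_BASE):
    """Constructed minimal PE32 header (headers only, not a loadable DLL)."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 4 + 20
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 28, base)
    struct.pack_into("<I", img, opt + 56, size)
    struct.pack_into("<H", img, opt + 70, dll_chars)
    return bytes(img)

if __name__ == "__main__":
    base, size, aslr = read_pe_base(build_sample_header())
    # 0x10001340 is the address from the question; 0x6A2B0000 is a made-up load base.
    print(hex(runtime_address(0x10001340, base, size, 0x6A2B0000)), "ASLR:", aslr)
```

In a live process the load base is the module handle returned by `LoadLibrary` or `GetModuleHandle`, so the call target is that handle plus the RVA rather than the hard-coded disassembler address.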