
What parts of a PE file are mapped into memory by the MS loader?

From the PE documentation, I can deduce the typical format of a PE executable (see below).

I know, by inspection, that all contents of the PE file, up to and including the section headers, get mapped into memory exactly as stored on disk.

What happens next?

Is the remainder of the file also mapped (here I refer to the Image Pages part in the picture below), so that the whole file is in memory exactly like stored on disk, or is the loader more selective than that?

In the documentation, I've found the following snippet:

Another exception is that attribute certificate and debug information must be placed at the very end of an image file, with the attribute certificate table immediately preceding the debug section, because the loader does not map these into memory. The rule about attribute certificate and debug information does not apply to object files, however.

This is really all I can find about loader behavior; it just says that these two parts must be placed last in the file, since they don't go into memory.

But, if the loader loads everything except these two parts, and I set the section RVAs sufficiently high, then section data will actually be duplicated in memory (once in the mapped file and once for the position specified by the RVA)?

If possible, link to places where I can read further about loading specific to MS Windows.

like image 468
Shuzheng asked Nov 09 '22 09:11


1 Answer

Finding this information is like an egg hunt, because MS always insists on using its own terminology when the COFF description uses AT&T terms.

What parts of a PE file are mapped into memory by the MS loader?

It depends.
All sections covered by a section header are mapped into the run-time address space.
However, sections that have an RVA of 0 are not mapped and thus never loaded.

Each debug directory entry identifies the location and size of a block of debug information. The RVA specified may be 0 if the debug information is not covered by a section header (i.e., it resides in the image file and is not mapped into the run-time address space). If it is mapped, the RVA is its address.

Memory contains an exact replica of the file on disk.
Note that executables and DLLs are mapped into virtual memory, not physical!
As you access the executable, parts of it are swapped into RAM as needed.

If a section is not accessed then it obviously does not get swapped into physical RAM; it is, however, still mapped into virtual memory.

You can read up on everything you might ever want to know about PE files (and more) on MSDN.

Your quote is lifted from the documentation of the COFF file format.
The critical part is:

The rule on attribute certificate and debug information does not apply to object files.

From: https://support.microsoft.com/en-us/kb/121460

Size: Size of the optional header, which is included for executable files but not object files. An object file should have a value of 0 here.

Ergo: executable files are not object files, they are image files.
As such, the exception to the rule does not apply to them.

like image 92
Johan answered Nov 14 '22 23:11
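To check on a concrete file which byte ranges are covered by the headers or by a section header, and where uncovered trailing data (such as the attribute certificate table mentioned in the quoted documentation) begins, the header fields can be read directly. This is an added example, not code from the question or the answer; `file_coverage` and `build_sample` are hypothetical names, and the sample image is constructed inline. It reports only what the headers declare, not what the loader does at run time.

```python
import struct

def file_coverage(pe: bytes):
    """Return (covered, end): file ranges described by the headers or a
    section header, and the file offset where uncovered trailing data begins."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsect, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)  # SizeOfOptionalHeader
    if opt_size == 0:
        raise ValueError("no optional header: object file, not an image")
    opt = coff + 20
    size_of_headers, = struct.unpack_from("<I", pe, opt + 60)
    covered = [("<headers>", 0, size_of_headers, 0)]
    table = opt + opt_size  # section table follows the optional header
    for i in range(nsect):
        name, _vsize, rva, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        if raw_size:  # sections with no raw data occupy no file bytes
            covered.append((name.rstrip(b"\0").decode(), raw_ptr, raw_size, rva))
    end = max(off + size for _, off, size, _ in covered)
    return covered, end

def build_sample() -> bytes:
    """Constructed PE32 skeleton: two sections plus 0x40 trailing bytes.
    Header fields only; it is not a loadable program."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<I", opt, 60, 0x200)   # SizeOfHeaders
    def sect(name, vsize, rva, rsize, rptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, rva, rsize, rptr,
                           0, 0, 0, 0, 0)
    hdr = (dos + b"PE\0\0" + coff + bytes(opt)
           + sect(b".text", 0x100, 0x1000, 0x200, 0x200)
           + sect(b".data", 0x80, 0x2000, 0x200, 0x400))
    return hdr.ljust(0x600, b"\0") + b"C" * 0x40  # tail stands in for certificate data

if __name__ == "__main__":
    pe = build_sample()
    covered, end = file_coverage(pe)
    for name, off, size, rva in covered:
        print(f"{name:10} file 0x{off:04x}-0x{off + size:04x} -> RVA 0x{rva:04x}")
    print(f"not covered by any section header: 0x{end:04x}-0x{len(pe):04x}")
```

In the constructed sample the section headers place file offset 0x200 at RVA 0x1000 and file offset 0x400 at RVA 0x2000, and the last 0x40 bytes of the file are referenced by no section header.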