
This post (Find an instruction in an executable file, given its address in a running process?) contains detailed instructions on how to calculate an address within an executable file from a memory address of a running process.

How do I determine the base address to use if I want to apply the formula to an x64 executable?

For x86 it is 0x400000. My assumption was that this comes from the IMAGE_BASE field of the optional PE header. However, this field contains the value 0x140000000 for x64. The addresses used in the x64 binary are actually much smaller than the ones in the x86 binary.

Peter Cordes
StefanFFM
  • *For x86 it is 0x400000* - this is of course not true. It can be any address. If you ask this for Windows, you can use `[K32]EnumProcessModules`, for example. Or, more efficient (but undocumented), read the image base of the *exe* (if you need the *exe* only) from the process `PEB` – RbMm Apr 08 '18 at 10:09
  • https://stackoverflow.com/questions/26572459/c-get-module-base-address-for-64bit-application – Hans Passant Apr 08 '18 at 11:24
  • @HansPassant Thanks. However, I am trying to determine the base address without actually running the exe. – StefanFFM Apr 08 '18 at 17:30
  • https://en.wikipedia.org/wiki/Address_space_layout_randomization – Hans Passant Apr 08 '18 at 17:40
  • Maybe I should be clearer on what I am looking to do. Given a disassembled Windows executable, I am trying to find referenced strings and imported functions (via the import address table). This requires calculating the file location from the RVA. It works for x86 machine code by using the calculation in the linked post. Surely there is a way to get it to work for x64 as well? – StefanFFM Apr 09 '18 at 08:30

1 Answer


> I try to determine the base address without actually running the exe.

If the exe does not have Address Space Layout Randomization enabled, then the exe will always be loaded at the preferred image base, which is the address defined by ImageBase in the Optional Header.

This is not true of dynamic link libraries. They have an ImageBase, but if that position is already taken, it will be loaded dynamically somewhere else at run time.

For this reason, if you're talking about a process with ASLR enabled or a DLL, what you're asking is not possible.

GuidedHacking
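As an added example (not code from the question or the answer above), the script below reads the preferred ImageBase straight from the file on disk, which is what the asker wants to do without running the exe. It shows the point that trips people up on x64: a PE32 optional header (magic 0x10B) keeps BaseOfData at +24 and a 32-bit ImageBase at +28, while a PE32+ header (magic 0x20B) drops BaseOfData and stores a 64-bit ImageBase at +24. It also reads the DYNAMIC_BASE flag the answer refers to and maps a VA to a raw file offset through the section table. The sample PE bytes are constructed in the script (headers only, not a real binary) so it runs offline.

```python
import struct

def parse_pe(data):
    """Return (image_base, is_pe32plus, aslr_capable, sections) from raw PE file bytes."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: NumberOfSections at +2, SizeOfOptionalHeader at +16 (after the 4-byte signature)
    num_sections, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    opt = e_lfanew + 24                      # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # PE32: 32-bit ImageBase at +28 (BaseOfData at +24). PE32+: no BaseOfData, 64-bit ImageBase at +24.
    image_base = (struct.unpack_from("<Q", data, opt + 24)[0] if magic == 0x20B
                  else struct.unpack_from("<I", data, opt + 28)[0])
    # DllCharacteristics (+70 in both layouts): bit 0x40 = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR)
    aslr = bool(struct.unpack_from("<H", data, opt + 70)[0] & 0x40)
    sections = []
    for i in range(num_sections):            # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        s = opt + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((data[s:s + 8].rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return image_base, magic == 0x20B, aslr, sections

def rva_to_file_offset(sections, rva):
    """Map an RVA to its raw file offset through the section table; None if not backed by file data."""
    for _name, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            delta = rva - va
            return rawptr + delta if delta < rawsize else None
    return None

def va_to_file_offset(data, va):
    """Virtual address (as shown by a disassembler using the preferred base) -> file offset."""
    image_base, _, _, sections = parse_pe(data)
    return rva_to_file_offset(sections, va - image_base)

def build_sample_pe(pe32plus=True, image_base=0x140000000):
    """Constructed header-only PE for the demo (not a real binary): one .text section, RVA 0x1000 -> raw 0x400."""
    opt_size = 240 if pe32plus else 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<Q" if pe32plus else "<I", opt, 24 if pe32plus else 28, image_base)
    struct.pack_into("<H", opt, 70, 0x40)                 # DllCharacteristics: DYNAMIC_BASE (linked with /DYNAMICBASE)
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x400) + b"\0" * 16
    return bytes(dos + coff + opt + sect)
```

If `parse_pe` reports the DYNAMIC_BASE flag set, the ImageBase it returns is only the preferred base, and addresses taken from a running process must first be rebased to the module's actual load address before the file-offset calculation applies.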