What is there before ImageBase address in Virtual Address?

Time:10-28

I know from the Microsoft documentation that the image base is set to 0x140000000 for 64-bit images and that it is the base address where the executable file is first loaded into memory.

So my questions are as follows:

  1. What comes before 0x140000000 address and starting of virtual address first page (0x0000000)?
  2. What does it mean by executable first loaded? Is it the entry point of the program (which is of course not the main function) or something else?

CodePudding user response:

I don't know the technical reason why the 64-bit default is so high, perhaps just to make sure your app does not have 32-bit pointer truncation bugs with data/code in the module? And it is important to note that this default comes from the Microsoft compiler; Windows itself will accept a lower value. The default for 32-bit applications is 0x00400000 and there are actual hardware and technical reasons for that.

The first page starting at 0 is off limits in most operating systems to prevent issues with de-referencing a NULL pointer. The first couple of megabytes might have BIOS/firmware or other legacy things mapped there.

By first loaded, it means the loader will map the file into memory starting at that address. First the MZ part (DOS header and stub code) and the PE header. After this comes the various sections listed in the PE header.

Most applications are using ASLR these days so the base address will be random and not the preferred address listed in the PE. ntdll and kernel32 are mapped before the exe so if you choose their base address you will also be relocated.

CodePudding user response:

> What comes before 0x140000000 address and starting of virtual address first page (0x0000000)?

Whatever happens to be allocated there, like DLLs, file mappings, or heap memory, or this memory can be free. The first page is always inaccessible.

> What does it mean by executable first loaded? Is it the entry point of the program (which is of course not the main function) or something else?

Loaded means mapped into memory. After it is mapped into memory, its imports are resolved, statically linked DLLs are mapped into memory, their entry points are executed, and only then does it come to the executable entry point. The executable entry point is not really the first function to execute from the executable if it has TLS callbacks.
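
The fields both answers refer to can be read straight from the PE headers. The following is an added example, not part of either answer: it parses the preferred ImageBase, the entry point RVA and the ASLR opt-in flags from a header. `build_sample` and its field values are constructed for illustration; a real file's bytes can be passed to `parse_pe_header` instead.

```python
import struct

DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR opt-in)
HIGH_ENTROPY_VA = 0x0020  # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA

def parse_pe_header(data):
    """Return the load-address fields of a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ (DOS) signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20            # skip signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x20B:                 # PE32+: 8-byte ImageBase at offset 24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    elif magic == 0x10B:               # PE32: 4-byte ImageBase at offset 28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    else:
        raise ValueError("unknown optional header magic")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32_plus": magic == 0x20B,
        "preferred_base": image_base,
        "entry_point_rva": entry_rva,   # relative to wherever the image is mapped
        "preferred_entry_va": image_base + entry_rva,  # only valid if not relocated
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
    }

def build_sample(image_base=0x140000000, entry_rva=0x1000, dll_chars=0x0160):
    """Constructed, minimal PE32+ header: only the fields parsed above are set."""
    buf = bytearray(0x40 + 4 + 20 + 112)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)        # e_lfanew -> PE signature
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, 0x8664)      # Machine: x64
    opt = 0x40 + 4 + 20
    struct.pack_into("<H", buf, opt, 0x20B)        # optional header magic
    struct.pack_into("<I", buf, opt + 16, entry_rva)
    struct.pack_into("<Q", buf, opt + 24, image_base)
    struct.pack_into("<H", buf, opt + 70, dll_chars)
    return bytes(buf)

if __name__ == "__main__":
    for name, value in parse_pe_header(build_sample()).items():
        print(name, value if isinstance(value, bool) else hex(value))
```

When `aslr` is true the loader may map the image somewhere other than `preferred_base`, so only the RVA is stable across runs.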
