Timeline for DLL entry point in memory
Current License: CC BY-SA 3.0
15 events
| when | what | | by | license | comment |
|---|---|---|---|---|---|
| May 28, 2015 at 11:18 | vote | accept | CommunityBot | ||
| May 26, 2015 at 22:11 | answer | added | Jason Geffner | timeline score: 2 | |
| May 26, 2015 at 18:08 | comment | added | user12522 | @JasonGeffner Sure, not in IDA - anyway here. I also just noticed all the export function addresses are off, but they all reside in the same section which must rule out a section alignment issue. | |
| May 26, 2015 at 14:09 | comment | added | Jason Geffner | We can't attempt to reproduce it with just the headers. Please share the entire binary or post screenshots of the mismatch. | |
| May 26, 2015 at 11:44 | comment | added | user12522 | @peterferrie Thanks, I know, the question wasn't how to get the file offset but how does IDA get the logical address for memory? | |
| May 26, 2015 at 11:42 | comment | added | user12522 | @JasonGeffner pastebin.com/biJ95vMD imgur.com/8HnvbfH The pastebin only contains the headers and data directory, think that should be enough. | |
| May 26, 2015 at 4:11 | comment | added | peter ferrie | There's no requirement that Entrypoint is in the .text section. You need to find the section whose VirtualAddress is closest to but less than AddressOfEntryPoint, and then subtract that. There's also the case of file offset rounding to take into account, based on the value of the FileAlignment. | |
| May 25, 2015 at 16:32 | comment | added | Jason Geffner | Please post screenshots of the mismatch and/or share a link to the binary. | |
| May 24, 2015 at 21:40 | comment | added | user12522 | @JasonGeffner The image base is the same in the headers as in IDA, 0x10000000, which is a bit off from the default 0x400000 but I guess that's to save relocating. | |
| May 24, 2015 at 17:28 | comment | added | Jason Geffner | What is the Image Base according to the PE headers? And when you scroll up to the very top of IDA's disassembly, what does IDA report as the "Imagebase"? (should be right after the line "Format : Portable executable for 80386 (PE)") | |
| May 23, 2015 at 15:57 | history | edited | user12522 | CC BY-SA 3.0 | added 28 characters in body |
| May 23, 2015 at 15:56 | comment | added | user12522 | @JasonGeffner the static DLL entry point, which should, AFAIK, be the same at runtime if it wasn't relocated. | |
| May 23, 2015 at 15:45 | comment | added | Jason Geffner | "it doesn't match the entry point IDA gives" -- Are you referring to the entry point IDA shows you when you're statically disassembling the DLL, or the entry point you see at runtime when debugging the DLL with IDA? | |
| May 23, 2015 at 1:35 | review | First posts | |||
| May 23, 2015 at 4:27 | |||||
| May 23, 2015 at 1:32 | history | asked | user12522 | CC BY-SA 3.0 |