about relocations

realcr · September 01, 2007, 12:05:06 AM

Hey everyone.

I was recently trying to implement a linker and a loader for some virtual machine I wrote.
It has reduced instruction set of x86 as base operations.

It made me wonder if it is actually possible to take a piece of x86 working code , change its location in memory
and make it still work , and I mean to do it automatically , without having to think myself about every jump and call inside.
I heard about relocations table inside PE , however it seems to be like something that is prepared before creating the code , by the compiler.
I want to know if it is possible in the assembly level.

realcr.

MichaelW · September 01, 2007, 08:06:55 AM

AFAIK at least most jumps and calls are encoded as displacements, so for code where this is so, the load address should not matter. And the load address for local data also should not matter. And if "relocations table" refers to image base relocation, AFAIK most EXEs don't have one.

Vortex · September 01, 2007, 08:32:54 AM

Hi realcr,

If you have a relocation table in your EXE, everything is easy. It's possible to code a simple PE loader taking care of the relocation job. To create the relocation section, link your object file with the /FIXED:NO switch. Have look in my project loading and running EXEs and DLLs from memory :

http://www.masm32.com/board/index.php?topic=3150.0

realcr · September 01, 2007, 10:28:51 AM

Thanks for your help MichaelW and Vortex.

I have to admit I still don't understand a few things.. I know that there might be relative and absolute jumps inside an executable.
However , I don't think the linker / loader can recognize if I'm actually jump relative or absolute , as I can do:

Code Select


call l1
l1:
pop eax

and so I know the current address of execution. I can use relative jumps to actually jump to an absolute place,
like jumping relatively to (wanted_addr - eax) will put me in wanted_addr.
I can also use an absolute jump in order to jump to a relative address , for example , if I want to jump 10h bytes forward , I can do it by jumping
absolutely to (eax + 10h).

So I wonder ,does the linker assume I don't do those things , or he is smarter than me?
realcr.

MichaelW · September 01, 2007, 09:19:56 PM

Based on my examination of one relatively small EXE (and I'm not sure that my decoding of the instructions is correct):

All of the call instructions were opcode E8h, CALL rel32.

All of the unconditional jumps were opcode EBh, JMP rel8, or E9H, JMP rel32.

All of the jump instructions in the jump table at the end were opcode FFh, ModR/M 25h, JMP r/m32, near indirect. The ModR/M byte is followed by a 32-bit displacement, which determines the relative address of the memory location from which the absolute address of the jump destination is fetched. ?

So it looks to me like all of the code, with the possible exception of the jump table, could be relocated without modification.

tenkey · September 05, 2007, 07:23:39 AM

References to global data also require relocation. So a MOV EAX,DATABUFFER, where DATABUFFER is located in .DATA, will require adjustment of the address field.

Vortex · September 05, 2007, 04:57:00 PM

Matt Pietrek's article explains the structure of PE File Base Relocations.

Peering Inside the PE: A Tour of the Win32 Portable Executable File Format :

http://msdn2.microsoft.com/en-us/library/ms809762.aspx

News:

about relocations

realcr

MichaelW

Vortex

realcr

MichaelW

tenkey

Vortex