So most of the binary is composed of reloc table?
I just used objdump -x ...
to check the sections of a PE file.
There's about 90,000 lines of reloc entries:
reloc 92 offset bc0 [524bc0] HIGHLOW
reloc 93 offset bc4 [524bc4] HIGHLOW
....
Does it hold true that the m开发者_Python百科ajority space of most PE files are composed of the reloc entries like above?
What are those entries for?
UPDATE
Anyone can explain how the relocation entries work like above?
Relocations are needed when there is a base conflict in the memory. If a dynamic-link-library wants to load its code section in a certain memory space but when it has already been accupied by another module, it must be loaded in a different place. However, by loading it in a different address space, it messes up all the absolute reference that the library referred to. For example, let's say that the executable has a global variable called int dummy;
and the variable is located in 0x602315. Whenever this variable is accessed/written, the program executes the following opcode (assuming that the code is located in 0x524BBE, same as the entry that you mentioned):
0x524BBE: MOV EAX, DWORD PTR DS:[0x602315];//move dummy to eax register to do stuff
When the library is loaded in the different space, 0x602315 will not point to the variable since the address space 0x602315 has already been taken by some other module. Therefore to workaround this problem, you must tell the PE loader to add/subtract the displacement (|new base address-expected base address|
) to this value(0x602315). To do this each PE contains a table called relocation table and this table contains all the offsets in your code refers to to this variable.
So, let's say instead of 0x524000(expected base offset), the library was loaded at 0x700000. Then, what PE loader will do is look up the entries in the table and add the displacement(0x700000-0x524000=0x1DC000) to the offset (0x602315) such that your loaded code will look like this:
0x700BBE: MOV EAX, DWORD PTR DS:[0x7DE315];//move dummy to eax register to do stuff
which will run fine because it's point to the correct location of the variable dummy
.
Going back to your question, the output of objdump is showing each entry of this table. 92 probably means the index of the entry, BC0 is the relative address of the code where you access the variable, [524BC0] would be the result of relative address + expected base offset. and HIGHLOW is just a type of relocation(This is essentially reserved for future use. Currently, there's only one type of relocation(HIGHLOW) that is being used so you don't have to worry about other types). When the loader reads this entry, it will change the value of 0x524BC0 to reflect this change.
With respect to your question about majority space of PE composed of .reloc
table, the answer is it depends. If your program makes a frequent access to global variables and constants, it will have a huge relocation table because theres so much places that the loader has to update.
精彩评论