开发者

So most of the binary is composed of reloc table?

I just used objdump -x ... to check the sections of a PE file.

There's about 90,000 lines of reloc entries:

reloc   92 offset  bc0 [524bc0] HIGHLOW
reloc   93 offset  bc4 [524bc4] HIGHLOW
    ....

Does it hold true that the m开发者_Python百科ajority space of most PE files are composed of the reloc entries like above?

What are those entries for?

UPDATE

Anyone can explain how the relocation entries work like above?


Relocations are needed when there is a base conflict in the memory. If a dynamic-link-library wants to load its code section in a certain memory space but when it has already been accupied by another module, it must be loaded in a different place. However, by loading it in a different address space, it messes up all the absolute reference that the library referred to. For example, let's say that the executable has a global variable called int dummy; and the variable is located in 0x602315. Whenever this variable is accessed/written, the program executes the following opcode (assuming that the code is located in 0x524BBE, same as the entry that you mentioned):

0x524BBE: MOV EAX, DWORD PTR DS:[0x602315];//move dummy to eax register to do stuff

When the library is loaded in the different space, 0x602315 will not point to the variable since the address space 0x602315 has already been taken by some other module. Therefore to workaround this problem, you must tell the PE loader to add/subtract the displacement (|new base address-expected base address|) to this value(0x602315). To do this each PE contains a table called relocation table and this table contains all the offsets in your code refers to to this variable.

So, let's say instead of 0x524000(expected base offset), the library was loaded at 0x700000. Then, what PE loader will do is look up the entries in the table and add the displacement(0x700000-0x524000=0x1DC000) to the offset (0x602315) such that your loaded code will look like this:

0x700BBE: MOV EAX, DWORD PTR DS:[0x7DE315];//move dummy to eax register to do stuff

which will run fine because it's point to the correct location of the variable dummy.

Going back to your question, the output of objdump is showing each entry of this table. 92 probably means the index of the entry, BC0 is the relative address of the code where you access the variable, [524BC0] would be the result of relative address + expected base offset. and HIGHLOW is just a type of relocation(This is essentially reserved for future use. Currently, there's only one type of relocation(HIGHLOW) that is being used so you don't have to worry about other types). When the loader reads this entry, it will change the value of 0x524BC0 to reflect this change.

With respect to your question about majority space of PE composed of .reloc table, the answer is it depends. If your program makes a frequent access to global variables and constants, it will have a huge relocation table because theres so much places that the loader has to update.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜