tags:

views:

20

answers:

1
Q: 

What causes the differences between a driver on disk and a driver mapped to memory?

Hey, Today I tried to do a binary diffing of NDIS.sys, and I noticed something weird. I took a function, and began to diff it. The first 30 bytes were the same on the disk(using IDA) and on memory(using WinDbg). Then, something have changed. I saw something like "jmp _imp_XXXXX". the JMP bytes were the same, but the address was different.

My question is - what makes the difference? I think it has something to do with relocations. Altough the jump is to address in the same module, it's a long jump, which makes it relative to the module base address. If relocation occured, it needs to relocate this address too, altough its on the same module.

Am I right or totally wrong? :-) Thanks.

+2  A: 

Yes, jump targets get re-written during relocation when a module is not loaded at it's preferred base address in memory. Actually, developers are advised to provide a non-default base address for their modules to avoid relocation cost, but many never do, so some modules will always get relocated and the loader has to re-write jump targets.

Jim Brissom  2010-10-21 21:54:07
Note that for device drivers the preferred base address is entirely ignored
snoone  2010-10-22 14:41:24
Yup, but - why the jump needed to get rebased? The jump destination lies in the same module..
MindBlower  2010-10-22 19:20:33
Can you show what you see in the debugger?
snoone  2010-10-25 17:59:39

related questions

Verifying files for testing
How do you create your own moniker (URL Protocol) on Windows systems?
Windows Equivalent of 'nice'
Is this a good way to determine OS Architecture?
Dual vs. Quadcore on a Webserver
Is there a WMI Redistributable Package?
PHP Error - Uploading a file
Ruby On Rails with Windows Vista - Best Setup?
OpenVPN Config file to prevent timeout
How can I create Debian install packages in Windows for a Visual Studio project?
How do I configure and communicate with a serial port?
What's the best setup for Mono development on Windows?
Appropriate pagefile size for SQL Server
XML Editing/Viewing Software
Linux shell equivalent on IIS
What is a better file copy alternative than the Windows default?
Windows Help files - what are the options?
Heap corruption under Win32; how to locate?
Best way to access Exchange using PHP?
Get a preview jpeg of a pdf on windows?
WinForms ComboBox data binding gotcha
How do you schedule tasks in Windows?
Register Windows program with the mailto protocol programmatically
Embedding Windows Media Player for all Browsers
Best Subversion clients for Windows Vista (64bit)