Hey, today I tried to do a binary diff of NDIS.sys, and I noticed something weird. I took a function and began to diff it. The first 30 bytes were the same on disk (using IDA) and in memory (using WinDbg). Then something had changed. I saw something like "jmp _imp_XXXXX". The JMP bytes were the same, but the address was different.

My question is: what makes the difference? I think it has something to do with relocations. Although the jump is to an address in the same module, it's a long jump, which makes it relative to the module base address. If relocation occurred, it needs to relocate this address too, although it's in the same module.

Am I right or totally wrong? :-) Thanks.

+2  A: 

Yes, jump targets get re-written during relocation when a module is not loaded at its preferred base address in memory. Actually, developers are advised to provide a non-default base address for their modules to avoid relocation cost, but many never do, so some modules will always get relocated and the loader has to re-write jump targets.

Jim Brissom
Note that for device drivers the preferred base address is entirely ignored
snoone
Yup, but why did the jump need to get rebased? The jump destination lies in the same module...
MindBlower
Can you show what you see in the debugger?
snoone
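To make the answer's point concrete for the kind of disk-vs-memory diff described in the question, here is an added example (not code from the original post or any of its authors) that parses a PE base-relocation block, applies the load delta, and reports only the bytes that relocation cannot explain. It assumes a 32-bit image, where `jmp dword ptr [__imp_X]` embeds an absolute IAT address that carries a HIGHLOW fixup, and uses constructed sample bytes and addresses rather than the real NDIS.sys.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address to be shifted by the load delta

def parse_reloc_section(data):
    """Parse raw .reloc bytes (IMAGE_BASE_RELOCATION blocks) into a list of (rva, type)."""
    fixups, off = [], 0
    while off + 8 <= len(data):
        page_rva, block_size = struct.unpack_from("<II", data, off)
        if block_size < 8:
            break  # malformed block; stop rather than loop forever
        entries = data[off + 8:off + block_size]
        for (entry,) in struct.iter_unpack("<H", entries[:len(entries) // 2 * 2]):
            typ, page_off = entry >> 12, entry & 0xFFF  # high 4 bits type, low 12 bits offset
            if typ != IMAGE_REL_BASED_ABSOLUTE:
                fixups.append((page_rva + page_off, typ))
        off += block_size
    return fixups

def apply_relocations(image, fixups, preferred_base, actual_base):
    """Return a copy of the on-disk image with every HIGHLOW fixup shifted by the load delta."""
    delta = actual_base - preferred_base
    img = bytearray(image)
    for rva, typ in fixups:
        if typ != IMAGE_REL_BASED_HIGHLOW:
            continue  # only 32-bit absolute fixups are handled in this sample
        value = struct.unpack_from("<I", img, rva)[0]
        struct.pack_into("<I", img, rva, (value + delta) & 0xFFFFFFFF)
    return bytes(img)

def raw_diffs(disk_image, mem_image):
    """Offsets where the memory dump differs from the disk image, relocation included."""
    return [i for i, (a, b) in enumerate(zip(disk_image, mem_image)) if a != b]

def unexplained_diffs(disk_image, mem_image, fixups, preferred_base, actual_base):
    """Offsets that still differ once the loader's relocation has been accounted for."""
    return raw_diffs(apply_relocations(disk_image, fixups, preferred_base, actual_base), mem_image)

# Constructed sample: a 32-bit image with preferred base 0x10000 that the loader mapped at 0x30000.
PREFERRED_BASE, ACTUAL_BASE, IAT_SLOT_RVA = 0x00010000, 0x00030000, 0x2000
# On-disk code: NOP padding around "jmp dword ptr [__imp_Foo]" (FF 25 + absolute IAT address) at RVA 0x100.
DISK_IMAGE = bytes(b"\x90" * 0x100 + b"\xFF\x25" + struct.pack("<I", PREFERRED_BASE + IAT_SLOT_RVA) + b"\x90" * 0xFA)
# Constructed .reloc block for page 0: one HIGHLOW fixup at RVA 0x102 (the jmp's imm32) plus a pad entry.
RELOC_DATA = struct.pack("<IIHH", 0, 12, (IMAGE_REL_BASED_HIGHLOW << 12) | 0x102, 0)
# Constructed memory dump: the relocated jmp target plus one byte at 0x50 that no fixup explains.
MEM_IMAGE = bytearray(DISK_IMAGE)
MEM_IMAGE[0x102:0x106] = struct.pack("<I", ACTUAL_BASE + IAT_SLOT_RVA)  # what the loader wrote
MEM_IMAGE[0x50] = 0xE9  # stands in for a genuine code modification, e.g. an inline patch
MEM_IMAGE = bytes(MEM_IMAGE)
```

With a real driver, feed it the .reloc section, the ImageBase from the optional header and the base the debugger reports; a jmp target that moved by exactly the load delta is the loader's work, and anything left in the unexplained list deserves a closer look.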