Question About PE Relocation

[ghost]

Hello i'm stugying about PE Relocation process, especially Optional Header's "Image Base" value

1. I'm Wondering if it is "Original Image base" (for the PE file which is loaded by PE loader) or "Image Base" (for the PE file which is loaded by dynamic linker)

2. Is it possible for the 'Image Base' value in the Optional Header to refer to both the 'Original Image Base' and the 'Image Base' simultaneously?

3. Supposing that Optional Header's "Image Base" value is not 0 and that "Image Base" means "Origianl Image Base" is that means "preferred Image Base" mismatches "Original Image Base" and it also means it can relocate PE file?

4. If Optional Header's "Image Base" means "Original Image Base" i guess PE BEAR can't show "Image Base"(The "Image Base" value of a PE file loaded by the dynamic linker) so i think i must check that "Image Base" value with debuggers am i right?
   
   

[hasherezade]

Hi @S3xyG4y !

1. First of all, PE-bear doesn't' load the executable, just parses it as it is on the disk (in the raw format). So, the value of the Image Base presented here is just the value from the PE header, the original Image Base.
2. Yes it is possible
3. Yes, the original Image Base is the default base at which the PE is going to be loaded under specific circumstances, i.e. in case if ASLR is disabled - globally in the system, or per file, by removing the flag "Dll can move", or if the PE doesn't have relocation table. In case if the PE is loaded at a different base than the one in the header, it will be relocated.
4. The dynamic Image Base that you are looking for, is assigned by the operating system on the file execution, so it will be different each time. If you want to check the Image Base assigned at the particular execution that you are observing, you can indeed use a debugger.

I hope it answers your questions!

[ghost]

Hello, I am very grateful for your quick reply
Looking at your answer, I think my curiosity is almost solved.

About your answer (i am talking about my question number 2)that PE Optional Header's "Image Base" option can simultaneously points both of them (of course in specific situation basically it points only "Original Image Base")
I've been thinking about the case, and the below thing I'm guessing is the situation. so plz tell me my guess is correct or can you provide example situation?

My Guess is when a PE file loaded on memory by PE loader and that Memory location matches with preferred Image base
So this situation is preferred Image Base = Original Image Base and that means PE Bear will show Optional Header's Image Base is 0
Then this also means this PE file does not need to be Relocated by considering this situation
So the Conclusion for this case is "Preferred Image Base" = "Original Image Base" = "Image Base"

Do you think I'm right?

[hasherezade]

@S3xyG4y - so, the thing is, Image Base in the Optional Header is the base to which currently PE is relocated (when it is in the raw format, on the disk): meaning, every relative address in the PE is added to this default base. This base is never 0, because 0 is not a valid base at which a PE can ever be loaded. It is some valid base, which may or may not be used as an effective base on the load.
PE does not need to be relocated if it happens to be load at the same base that is set in the Optional Header.

On modern Windows, with ASLR enabled, it is proffered to use a randomized Image Base, instead of the hardcoded one (from the header). So, the base from the header won't really be used as preferred. It will be used only in cases when for some reason (that I described in the point 3) using a dynamic base was not possible/disabled.

Please have a look at below examples.

1. A demo application with ASLR enabled (default) - view from PE-bear (raw format) + view from Process Hacker (in memory):

2. The same demo application, but now with ASLR disabled - view from PE-bear (raw format) + view from Process Hacker (in memory):

As you can see, in the second case the PE got loaded at the base that was set in the Optional Header, that is 0x140000000.

[ghost]

I really appreciate you showing a great example, but now I see that the picture looks a bit strange

Why doesn't PE BEAR show a value of 20? (I'm talking about aslr disabled example - PE BEAR)
Now that I look, the picture shows that the DLL Characteristics is 8120,
It explains what 8100 is, but 20 is not separately displayed.

[hasherezade]

@S3xyG4y - this is an unrelated bug that I am aware of and will be fixed in a new release (well, not really a bug but a missing feature - this flag is relatively new, and the PE-bear's parser was written before this flag was added, and I forgot to add it later).

[hasherezade]

@S3xyG4y - this is an unrelated bug that I am aware of and will be fixed in a new release (well, not really a bug but a missing feature - this flag is relatively new, and the PE-bear's parser was written before this flag was added, and I forgot to add it later).

In the new (upcoming) version: