rever_ser Posted December 24, 2014 Posted December 24, 2014 (edited) hi everyone! as you know after dumping from a process we must rebuild import table to execute the dump file but why? another questions related to this: is address of system dlls (e.g kernell32.dll) changes after each execution of program or after each system reboot? (if the anwer is "yes" is loader reconstruct import table after each execution?)is system dlls loads in the process address range or they have a uniqe address and all of processes access to the dll by that address? i know there are alot of reasons for import reconstruction after dump. but i want to know about in mentioned reason in detail. thanks in advance!!! Edited December 24, 2014 by rever_ser
DMichael Posted December 24, 2014 Posted December 24, 2014 hi everyone! as you know after dumping from a process we must rebuild import table to execute the dump file but why? another questions related to this: is address of system dlls (e.g kernell32.dll) changes after each execution of program or after each system reboot? (if the anwer is "yes" is loader reconstruct import table after each execution?) is system dlls loads in the process address range or they have a uniqe address and all of processes access to the dll by that address? i know there are alot of reasons for import reconstruction after dump. but i want to know about in mentioned reason in detail. thanks in advance!!! because application using imports i order to call various API about other questions: 1.address of import don't change at all only the application it self if ASLR is enabled 2.they have unique adresss but some protections just copies it functional in order to access them internally 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now