How to manually set a base address of dll in Executable file

I have an exe file. This runs well in Windows XP, but not in Windows 7 x86. I analyzed this with IDA Pro.

In XP, this accesses an address (0x7C80003C) and here it is in the first section of the kernel32.dll (0x7C800000~0x7C801000).

But in Windows 7, this accesses the same address, but there, it is a non-allocated range.

I hope to manually set the base address of kernel32.dll and have it also run well in Win7. How can I do this?

There is 1 best solution below

What you're looking for is a flag in the DllCharacteristics field of the PE header (not to be confused with the Characteristics field).

Microsoft calls this flag IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, and it's defined as 0x40. As you could guess, it states whether the image should be loaded at an address other than its preferred base address (set in the 'ImageBase' field of the PE header).

If you mask out that flag in the DllCharacteristics and double-check that the ImageBase is correct, you should get the DLL loading exactly where you need it. If that doesn't work, you may also need to add the IMAGE_FILE_RELOCS_STRIPPED (0x1) flag to the Characteristics field.

Complications may arise. I've never tested this technique with any system DLLs, so don't be surprised if recent Windows versions are reluctant to load the patched image. For starters, you may need to correct the CheckSum field in the header to reflect the patch, and you may also need to strip off any digital signatures that are invalidated. I don't know exactly how fussy the module loader is nowadays, but those are the kind of issues I anticipate.

Official documentation for the PE header can be found here: https://msdn.microsoft.com/en-us/library/windows/desktop/ms680339%28v=vs.85%29.aspx (it's pretty brief though).
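
The header fields named in the answer can be read directly from the file. The following is an added example, not part of the original answer: a read-only Python check that reports ImageBase, the DYNAMIC_BASE and RELOCS_STRIPPED bits, CheckSum, and whether a certificate table is present. The names `inspect_pe` and `build_sample` and all sample header values are constructed for illustration.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # bit in Characteristics (COFF header)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # bit in DllCharacteristics (optional header)

def inspect_pe(data: bytes) -> dict:
    """Read the header fields that decide where the loader maps an image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # DOS header field pointing at "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    opt = e_lfanew + 24                                 # start of the optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                  # PE32: 4-byte ImageBase
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
        dirs = opt + 96
    elif magic == 0x20B:                                # PE32+: 8-byte ImageBase
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic")
    (checksum,) = struct.unpack_from("<I", data, opt + 64)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    (n_dirs,) = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
    # Data directory 4 is the certificate table (Authenticode signature).
    cert_size = struct.unpack_from("<II", data, dirs + 32)[1] if n_dirs > 4 else 0
    return {
        "image_base": image_base,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
        "checksum": checksum,
        "signed": cert_size != 0,
    }

def build_sample(dll_chars: int, characteristics: int) -> bytes:
    """Constructed, headers-only PE32 image used as sample input."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 28, 0x10000000)   # constructed ImageBase
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)           # NumberOfRvaAndSizes
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(inspect_pe(build_sample(0x0140, 0x2102)))
```

To check a real file, pass its contents as bytes, for example `inspect_pe(open(path, "rb").read())`.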