I've been doing some research into executable loaders, and one thing that confuses me is how they cope with an executable that requires that it load at a specific virtual address (i.e. does not have a relocation record).
I know UPX has the capability of doing this, but I don't see how this is handled in the UPX source (I'm not even sure exactly what code is responsible for doing the loading...)
I made a loader, but it requires that the application has a relocation record, so that it doesn't matter what virtual address it's loaded to.
UPX's stub has a base address of 0x400000, and when it loads an executable with a base address of 0x400000, it has no problem. How is this possible, as the OS will reject your request to allocate virtual memory at the base address of the current process (at least it seems that way to me)?
I tried searching the UPX source for VirtualAlloc, which is a function that I think would be required to accomplish this, and it only occurs once in the UPX source (https://github.com/upx/upx/search?utf8=%E2%9C%93&q=VirtualAlloc) in a seemingly unrelated piece of code, so I'm very confused.
UPX's stub has a base address of 0x400000
This is not true. UPX preserves the application's IMAGE_OPTIONAL_HEADER.ImageBase
- so the UPX-compressed image is always loaded at the same base.
UPX creates 3 sections:
UPX0 - VirtualSize = OriginalSizeOfImage - UPX0.VirtualAddress; SizeOfRawData = 0; ERW
UPX1 - stub code + packed data
.rsrc - copy of original .rsrc
So UPX0 is a placeholder for the original image: it holds the original image's base address and size, and has zero size on disk. The UPX stub code unpacks the original code/data into UPX0. VirtualAlloc is not used for this.
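To make the answer's point concrete, here is an added example (my own code, not UPX's and not from the question's loader) that parses the PE32 headers a loader needs and lays the file out the way the OS loader would at the preferred ImageBase: reserve SizeOfImage bytes, copy the headers, copy each section's raw bytes to its RVA, and leave everything else zero. A section with SizeOfRawData = 0 but a large VirtualSize (UPX0) therefore costs nothing on disk but still reserves the whole address range the unpacked image will occupy, which is why the stub never needs VirtualAlloc. The input is a constructed PE32 skeleton with the UPX0/UPX1/.rsrc layout described above (assumed original SizeOfImage of 0x9000, ImageBase 0x400000); it is not a real packed binary, and the byte patterns standing in for the stub and resources are made up. Only PE32 is handled, not PE32+; all field offsets are hard-coded from the PE specification rather than taken from windows.h so the code builds on any platform.

```c
/* Portable PE32 header parser and section mapper (no windows.h). Added example
 * modelled on the UPX0/UPX1/.rsrc layout; assumes PE32 only (Magic 0x10B). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SECTIONS 8
#define SCN_UNINIT 0x00000080u   /* IMAGE_SCN_CNT_UNINITIALIZED_DATA */
#define SCN_EXEC   0x20000000u   /* IMAGE_SCN_MEM_EXECUTE */
#define SCN_READ   0x40000000u   /* IMAGE_SCN_MEM_READ */
#define SCN_WRITE  0x80000000u   /* IMAGE_SCN_MEM_WRITE */

typedef struct { char name[9]; uint32_t vsize, rva, rawsize, rawoff, flags; } section_t;
typedef struct {
    uint32_t image_base, size_of_image, size_of_headers;
    uint16_t nsections;
    section_t sec[MAX_SECTIONS];
} pe_t;

/* PE fields are little-endian on disk regardless of host; read/write them bytewise. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Parse the header fields a loader needs. Returns 0 on success, -1 if malformed. */
int parse_pe32(const uint8_t *f, size_t len, pe_t *pe) {
    if (len < 0x40 || memcmp(f, "MZ", 2) != 0) return -1;
    uint32_t nt = rd32(f + 0x3C);                               /* e_lfanew */
    if ((uint64_t)nt + 24 + 0xE0 > len || memcmp(f + nt, "PE\0\0", 4) != 0) return -1;
    const uint8_t *opt = f + nt + 24;                           /* IMAGE_OPTIONAL_HEADER32 */
    if (rd16(opt) != 0x10B) return -1;                          /* PE32 magic */
    pe->nsections      = rd16(f + nt + 6);                      /* FileHeader.NumberOfSections */
    pe->image_base     = rd32(opt + 28);
    pe->size_of_image  = rd32(opt + 56);
    pe->size_of_headers = rd32(opt + 60);
    size_t shoff = (size_t)nt + 24 + rd16(f + nt + 20);         /* + SizeOfOptionalHeader */
    if (pe->nsections > MAX_SECTIONS || shoff + 40u * pe->nsections > len) return -1;
    const uint8_t *sh = f + shoff;
    for (unsigned i = 0; i < pe->nsections; i++, sh += 40) {
        section_t *s = &pe->sec[i];
        memcpy(s->name, sh, 8); s->name[8] = 0;
        s->vsize = rd32(sh + 8);    s->rva = rd32(sh + 12);
        s->rawsize = rd32(sh + 16); s->rawoff = rd32(sh + 20);
        s->flags = rd32(sh + 36);
        /* Reject raw ranges past end of file and virtual ranges past SizeOfImage. */
        if ((uint64_t)s->rawoff + s->rawsize > len ||
            (uint64_t)s->rva + s->vsize > pe->size_of_image) return -1;
    }
    return 0;
}

/* A section that takes address space but no file bytes: this is what UPX0 is. */
int is_placeholder(const section_t *s) { return s->rawsize == 0 && s->vsize != 0; }

/* Lay the file out as the OS loader would at ImageBase: SizeOfImage bytes, headers
 * first, each section's raw bytes at its RVA, everything else zero. The heap buffer
 * stands in for the mapping; no VirtualAlloc is needed for the UPX0 range. */
uint8_t *map_image(const uint8_t *f, size_t len, const pe_t *pe) {
    if (pe->size_of_headers > len || pe->size_of_headers > pe->size_of_image) return NULL;
    uint8_t *img = calloc(pe->size_of_image, 1);
    if (!img) return NULL;
    memcpy(img, f, pe->size_of_headers);
    for (unsigned i = 0; i < pe->nsections; i++) {
        const section_t *s = &pe->sec[i];
        uint32_t n = s->rawsize < s->vsize ? s->rawsize : s->vsize;
        memcpy(img + s->rva, f + s->rawoff, n);                 /* n == 0 for UPX0 */
    }
    return img;
}

/* Constructed sample: PE32 skeleton with the three-section UPX layout. Not a real
 * packed binary; original SizeOfImage assumed 0x9000, so UPX0 spans 0x1000..0x9000. */
#define SAMPLE_LEN 0x800
uint8_t *build_upx_like_image(void) {
    uint8_t *f = calloc(SAMPLE_LEN, 1);
    if (!f) return NULL;
    memcpy(f, "MZ", 2); wr32(f + 0x3C, 0x80);                   /* e_lfanew */
    uint8_t *nt = f + 0x80, *opt = nt + 24;
    memcpy(nt, "PE\0\0", 4); wr16(nt + 4, 0x14C);               /* IMAGE_FILE_MACHINE_I386 */
    wr16(nt + 6, 3); wr16(nt + 20, 0xE0);                       /* 3 sections, opt hdr size */
    wr16(opt, 0x10B); wr32(opt + 16, 0x9000);                   /* PE32; entry point in UPX1 */
    wr32(opt + 28, 0x400000); wr32(opt + 32, 0x1000); wr32(opt + 36, 0x200);
    wr32(opt + 56, 0xB000); wr32(opt + 60, 0x400);              /* SizeOfImage, SizeOfHeaders */
    struct { const char *name; uint32_t vsize, rva, raw, off, flags; } tbl[3] = {
        { "UPX0",  0x8000, 0x1000, 0,     0,     SCN_UNINIT | SCN_EXEC | SCN_READ | SCN_WRITE },
        { "UPX1",  0x1000, 0x9000, 0x200, 0x400, SCN_EXEC | SCN_READ | SCN_WRITE },
        { ".rsrc", 0x1000, 0xA000, 0x200, 0x600, SCN_READ },
    };
    uint8_t *sh = opt + 0xE0;
    for (int i = 0; i < 3; i++, sh += 40) {
        memcpy(sh, tbl[i].name, strlen(tbl[i].name));
        wr32(sh + 8, tbl[i].vsize); wr32(sh + 12, tbl[i].rva);
        wr32(sh + 16, tbl[i].raw);  wr32(sh + 20, tbl[i].off); wr32(sh + 36, tbl[i].flags);
    }
    memset(f + 0x400, 0xCC, 0x200);                             /* stand-in for stub + packed data */
    memcpy(f + 0x600, "RSRC", 4);                               /* stand-in for resource bytes */
    return f;
}

int main(void) {
    uint8_t *f = build_upx_like_image();
    pe_t pe;
    if (!f || parse_pe32(f, SAMPLE_LEN, &pe) != 0) return 1;
    printf("ImageBase 0x%x SizeOfImage 0x%x\n", pe.image_base, pe.size_of_image);
    for (unsigned i = 0; i < pe.nsections; i++)
        printf("%-6s rva 0x%05x vsize 0x%05x raw 0x%03x%s\n", pe.sec[i].name, pe.sec[i].rva,
               pe.sec[i].vsize, pe.sec[i].rawsize,
               is_placeholder(&pe.sec[i]) ? "  <- placeholder, zero-filled at load" : "");
    uint8_t *img = map_image(f, SAMPLE_LEN, &pe);
    free(img); free(f);
    return img ? 0 : 1;
}
```

Running it prints the three sections and flags UPX0 as the placeholder; the mapped buffer has 0x8000 zero bytes at RVA 0x1000 (the space the stub later decompresses into), the stub bytes at 0x9000 and the resources at 0xA000. The bounds checks in parse_pe32 matter in a real loader: a hostile header can point SizeOfRawData past the end of the file or an RVA past SizeOfImage, and the mapper trusts those values.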