
Memory map in Debuggers


I opened an exe file compiled by Nasm in a debugger (x32dbg). In the memory map it shows where the program's section .text and section .data start.

  1. How does it know?

Here is the code:

; ----------------------------------------------------------------------------
; helloworld.asm
;
; This is a Win32 console program that writes "Hello, World" on one line and
; then exits.  It needs to be linked with a C library.
; ----------------------------------------------------------------------------

        global  _main
        extern  _printf

        section .text
_main:
        push    message
        call    _printf
        add     esp, 4
        ret
message:
        db      'Hello, World', 10, 0

Solution

  • The debugger can find the virtual addresses of program sections in the portable-executable (PE) file. Its structure is described in https://msdn.microsoft.com/library/windows/desktop/ms680547%28v=vs.85%29.aspx?id=19509 You may inspect executables with a specialized tool, such as PEview.exe from http://wjradburn.com/software/ , or look at the hexadecimal dump of your "helloworld.exe".

    At file address (FA) 0x3C you will find a DWORD with the FA of the PE header, for instance 0x00000090=144. Skip 144 bytes from the start of the file and you should see the DWORD PEsignature followed by 20 bytes of CoffFileHeader. At the 16th byte of CoffFileHeader there is the WORD SizeOfOptionalHeader, with value 0x00E0=224. This many bytes of OptionalHeader immediately follow the CoffFileHeader. At offset 0xC4=196 in OptionalHeader there is a DWORD field called ImageBase with the VA where the image is mapped in memory. Most linkers use ImageBase=0x00400000.

    OptionalHeader is followed by SectionHeaders, one for each section used in the program. Each SectionHeader is 40 bytes long; it contains SectionName in its first eight bytes, followed by the section size rounded up to SectionAlignment, and followed by the Relative Virtual Address (RVA) where the section starts. Usually the first section is the code section with Name=.text, Size=0x00001000 and RVA=0x00001000. The RVA of each section is relative to the ImageBase, so the .text section will be mapped at address ImageBase+RVA=0x00401000. That is the answer to your question.
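
The header walk described in the answer, as an added example in Python (not part of the original post): it reads the PE header pointer at 0x3C, the COFF header, ImageBase and the section table, and reports each section's mapped address as ImageBase+RVA. The function names and the header-only sample image are constructed for illustration, using the answer's values (PE header at 0x90, SizeOfOptionalHeader 0xE0, ImageBase 0x00400000) plus an assumed .data section; only 32-bit PE32 images are handled.

```python
import struct

def pe_section_map(data: bytes):
    """Return (image_base, [(name, mapped_va, size), ...]) for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # FA of the PE header
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4                                     # 20-byte COFF file header
    _machine, n_sections = struct.unpack_from("<HH", data, coff)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20                                       # optional header start
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:                                    # 0x10B = PE32
        raise ValueError("only PE32 images are handled here")
    # ImageBase sits 28 bytes into the PE32 optional header; with the PE
    # header at 0x90 that is file address 0xC4.
    (image_base,) = struct.unpack_from("<I", data, opt + 28)
    table = opt + opt_size                                # first section header
    sections = []
    for i in range(n_sections):
        # Name (8 bytes), VirtualSize, VirtualAddress (RVA) start each 40-byte entry.
        name, vsize, rva = struct.unpack_from("<8sII", data, table + 40 * i)
        label = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((label, image_base + rva, vsize))
    return image_base, sections

def build_sample() -> bytes:
    """Constructed header-only image (not a runnable executable)."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x90)               # pointer to PE header
    buf[0x90:0x94] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x94, 0x014C, 2)         # i386, two sections
    struct.pack_into("<H", buf, 0x94 + 16, 0xE0)          # SizeOfOptionalHeader
    opt = 0x94 + 20
    struct.pack_into("<H", buf, opt, 0x10B)
    struct.pack_into("<I", buf, opt + 28, 0x00400000)     # ImageBase
    table = opt + 0xE0
    struct.pack_into("<8sII", buf, table, b".text", 0x1000, 0x1000)
    struct.pack_into("<8sII", buf, table + 40, b".data", 0x1000, 0x2000)
    return bytes(buf)

if __name__ == "__main__":
    base, secs = pe_section_map(build_sample())
    for name, va, size in secs:
        print(f"{name:8} VA=0x{va:08X} size=0x{size:X} (ImageBase=0x{base:08X})")
```

To check a real file, pass `open("helloworld.exe", "rb").read()` to `pe_section_map` and compare the result with the debugger's memory map; if the loader relocated the image (ASLR), the debugger shows the actual load base rather than the ImageBase stored in the file.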