Reputation: 65
What causes the differences between a driver on disk and a driver mapped to memory?
Hey, Today I tried to do a binary diffing of NDIS.sys, and I noticed something weird. I took a function, and began to diff it. The first 30 bytes were the same on the disk(using IDA) and on memory(using WinDbg). Then, something have changed. I saw something like "jmp _imp_XXXXX". the JMP bytes were the same, but the address was different.
My question is - what makes the difference? I think it has something to do with relocations. Altough the jump is to address in the same module, it's a long jump, which makes it relative to the module base address. If relocation occured, it needs to relocate this address too, altough its on the same module.
Am I right or totally wrong? :-) Thanks.
Upvotes: 1
Views: 97
Answers (1)
Reputation: 32969
Yes, jump targets get re-written during relocation when a module is not loaded at it's preferred base address in memory. Actually, developers are advised to provide a non-default base address for their modules to avoid relocation cost, but many never do, so some modules will always get relocated and the loader has to re-write jump targets.
Upvotes: 2
Related Questions
- How do WINDOWS func kernel drivers communicate with actual hardware?
- What is a Windows Kernel Driver?
- Why should Windows driver's entry name be "DriverEntry"? (Or WinMain/DllMain too)
- How do drivers become a part of the kernel?
- what is difference between kernel and driver?
- DriverEntry caller
- WinDbg shows some variables but not others, shows some variables in same location
- DRIVER_OBJECT.DriverSection
- A question about Device drivers & Kernel
- Differences in kernel mode and drivers