Question

For example, we are on the Windows XP platform, we have program A in OllyDbg and we look at instruction x. It has the address 0x11111111 (for example). If I take program A and run it in OllyDbg on a different computer with the same platform, will instruction x have the same address 0x11111111? So my question is: are memory addresses changing every time program A runs? Or are they changed on a different computer or platform?


Solution

Depends on the architecture but you should never rely on these addresses being the same. For practical purposes the answer is no.

To answer your comment, exploits have to find out where they are. A simple way for this is to make a call and pop the return address, like this:

  call test_eip      ; pushes the address of test_eip (the return address) on the stack
test_eip:
  pop eax            ; eax now holds the address of test_eip, i.e. the current EIP

In this case, you'll have the instruction pointer in eax. This is useful for determining where the injected code is.

Of course you'll have to get to the point where this is run, mostly using a buffer overflow exploit.

Wikipedia - as always - provides a great explanation and a lot of links to look after: http://en.wikipedia.org/wiki/Stack_buffer_overflow

OTHER TIPS

What you're seeing is a Virtual address. The CPU contains special registers that can only be seen by the operating system; these registers control the mapping of virtual memory to physical memory. Every time the OS switches to a different process, it reprograms these registers so that the program thinks its memory is always in the same place.

On the same OS version with the same executable, you will probably, but not certainly, see the same code addresses. Different OS versions, less likely.

Windows PE binaries are not position independent. This means they need to assume a fixed address to execute from. Microsoft does this to improve execution performance (at the cost of load time penalties).

Your binary will always execute from where it wants. DLLs, however, may become relocated if their preferred address is already used by some other code.

Relocation is transparent to you. What happens is that the Windows binary loader modifies your code and fixes all of the addresses so they work in the new location.
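The preferred address and the loader's ability to move an image are both recorded in the PE headers. The following is an added example (not code from either answer) that reads the ImageBase from the optional header and checks the two flags that decide whether the loader can or will relocate the image; the DYNAMIC_BASE flag is only honoured by ASLR-capable versions of Windows (Vista and later), not XP. The build_stub_pe helper is a constructed, header-only image used purely so the parser can be run offline.

```python
import struct

# Flag values from the PE format specification (winnt.h).
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # IMAGE_FILE_HEADER.Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # OptionalHeader.DllCharacteristics
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def pe_base_info(data: bytes) -> dict:
    """Return the preferred ImageBase and whether the loader may relocate the image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts after "PE\0\0"
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    return {
        "image_base": image_base,
        # No .reloc data: the loader cannot fix up addresses, so the image must load at image_base.
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
        # Set by /DYNAMICBASE: ASLR-capable Windows versions pick a random base.
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }

def build_stub_pe(image_base: int, characteristics: int, dll_chars: int,
                  pe32plus: bool = False) -> bytes:
    """Constructed, non-loadable header-only image (hypothetical) for exercising the parser."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, characteristics)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    # A typical XP-era EXE: preferred base 0x400000, relocations kept, no DYNAMIC_BASE flag.
    print(pe_base_info(build_stub_pe(0x400000, 0x0102, 0x0000)))
```

Run it against a real EXE or DLL by passing the file's bytes to pe_base_info; an image with relocs_stripped set is the only case in which the address you see in the debugger is guaranteed not to move.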

Licensed under: CC-BY-SA with attribution