I'm trying to understand the basics of addressing in PE files, and I made a simple application with a couple of functions that call malloc,
linked statically against the msvcr110 library. So I took the produced executable, opened it in IDA Pro, and found the offset of the malloc
function (which is not imported), added the base address and tried to call it like so:
    HMODULE hCurrentModule = GetModuleHandle(NULL); // get current module base address
    DWORD_PTR hMallocAddr = (0x0048AD60 + (DWORD_PTR)hCurrentModule); // address of malloc as shown in IDA, plus the module base
    char *pointer = NULL;
    __asm // calling malloc
    {
        push 80                        // size argument: malloc(80)
        mov eax, dword ptr [hMallocAddr]
        call eax
        add esp, 4                     // cdecl: caller removes the single 4-byte argument
        mov [pointer], eax             // returned buffer pointer
    }
I then checked the rebuilt program in IDA Pro to make sure that the malloc offset remains the same, and it's still 0x0048AD60.
So the problem is that offset+hCurrentModule gives me an incorrect address, and it crashes after I call this address. For example, the result of my hMallocAddr
is 0x0186AD60,
but in the MSVC debug session, in the disassembly window, the malloc address is 0x0146AD60.
What is wrong here?
0x0048AD60 is not the offset of malloc but the actual address of the function when the EXE is loaded at its default load address of 0x00400000. Subtract this value to get the offset from the start of the image.