Dynamic file mapping
In this section, we will discuss how the PE static file is created as a new process and how the program file is mapped and mounted into its dynamic memory. Figure 2.6 shows a simplified process for mapping a static PE program into memory:
Figure 2.6 – File mapping process
The left-hand side of Figure 2.6 shows a container for memory contents, while the right-hand side shows a static PE file that has not been executed yet and is located in a disk. The following is a systematic explanation of the process by which the operating system mounts its static files into dynamic ones:
- First, the system checks the
ImageBaseaddress of the Optional Header entry in NT Headers (currently0x400000), which is the address expected to be sprayed in the dynamic during compiling a program. Note that if ASLR protection and the relocation function are enabled at the same time, it may be a randomImageBase. - Next, the system checks
SizeOfImage...
