Book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software

shows the memory map for the Netcat program.

, the executable is labeled along with its code and data sections. All DLLs and their code and data sections are also viewable. You can double-click any row in the memory map to show a memory dump of that section. Or you can send the data in a memory dump to the disassembler window by right-clicking it and selecting View in Disassembler.

shows a typical series of instructions.

illustrates DLL relocation using the memory map functionality of OllyDbg for EXE-1. As you can see, we have one executable and two DLLs. DLL-A, with a preferred load address of 0x10000000, is already in memory. EXE-1 has a preferred load address of 0x00400000. When DLL-B was loaded, it also had a preferred load address of 0x10000000, so it was relocated to 0x00340000. All of DLL-B’s absolute address memory references are changed to work properly at this new address.
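The fixups described above can be reproduced offline. The following is an added example, not code from the book: it walks a PE base relocation table (blocks of page RVA, block size and 16-bit type/offset entries) and patches each 32-bit absolute address by the difference between the two load addresses. The image bytes, the relocation block and the function names are constructed for illustration; only the two addresses come from the text.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0  # alignment padding, no fixup
IMAGE_REL_BASED_HIGHLOW = 3   # 32-bit absolute address fixup

def apply_relocations(image, reloc, preferred_base, actual_base):
    """Patch a mapped 32-bit image in place; return the RVAs that were fixed up."""
    delta = (actual_base - preferred_base) & 0xFFFFFFFF
    patched, off = [], 0
    while off + 8 <= len(reloc):
        page_rva, block_size = struct.unpack_from("<II", reloc, off)
        if block_size == 0:  # zero padding after the last block
            break
        if block_size < 8 or block_size % 2 or off + block_size > len(reloc):
            raise ValueError("malformed relocation block at offset %#x" % off)
        for (entry,) in struct.iter_unpack("<H", reloc[off + 8:off + block_size]):
            rtype, rva = entry >> 12, page_rva + (entry & 0x0FFF)
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if rtype != IMAGE_REL_BASED_HIGHLOW or rva + 4 > len(image):
                raise ValueError("unsupported or out-of-range entry %#06x" % entry)
            (value,) = struct.unpack_from("<I", image, rva)
            struct.pack_into("<I", image, rva, (value + delta) & 0xFFFFFFFF)
            patched.append(rva)
        off += block_size
    return patched

def relocate_dll_b():
    """Constructed stand-in for DLL-B: three instructions with absolute operands."""
    image = bytearray(0x1010)  # indexed by RVA, as if already mapped
    image[0x1000:0x1010] = bytes.fromhex(
        "A100300010"       # mov  eax, [0x10003000]
        "6810300010"       # push 0x10003010
        "FF1500200010")    # call dword ptr [0x10002000]
    # One block: page RVA 0x1000, size 16, three HIGHLOW entries, one ABSOLUTE pad.
    reloc = struct.pack("<II4H", 0x1000, 16, 0x3001, 0x3006, 0x300C, 0x0000)
    rvas = apply_relocations(image, reloc, 0x10000000, 0x00340000)
    return [(rva, struct.unpack_from("<I", image, rva)[0]) for rva in rvas]

if __name__ == "__main__":
    for rva, value in relocate_dll_b():
        print("RVA %#06x -> %#010x" % (rva, value))
```

Addresses seen in a disassembly of the relocated module therefore differ from those in the file on disk by the same delta, which matters when matching a debugger view against static analysis of the same DLL.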
