26

Re: The program to entry point, at a loading stage

Hello, CaptainFlint, you wrote: CF> Theoretically, yes, should not be necessary. But, probably, it is any bug in the loader which cannot correctly process entry point offset at absence . Anyway, other hypotheses explaining the stored facts, was not yet. More similar on a bug in what-thread . CF> Nevertheless when I collect with CRT, the table  appears. You though threw off the link on itself  without CRT.

27

Re: The program to entry point, at a loading stage

Hello, okman, you wrote: O> O> OPTIONAL HEADER VALUES O> 8160 DLL characteristics O> High entropy VA supported O> Dynamic base O> NX compatible O> Terminal server aware O> O> Also it is important that in title the flag ' Relocations stripped ' (see an option/FIXED the linker) on which O> the system could understand precisely is not specified that application should boot to strictly fixed address: As far as I know ' Relocations stripped ' generally does not influence in any way loading  to different addresses. Influences only ' Dynamic base'

28

Re: The program to entry point, at a loading stage

Hello, drVan, you wrote: CF>> Theoretically, yes, should not be necessary. But, probably, it is any bug in the loader which cannot correctly process entry point offset at absence . Anyway, other hypotheses explaining the stored facts, was not yet. V> it is more similar to a bug in what-thread . It is shown equally by two machines. On one KAV, on another only preinstalled Defender. Both tried to disconnect, it is ineffectual (though I understand that without an uninstallation it is incomplete check). CF>> Nevertheless when I collect with CRT, the table  appears. V> you though threw off the link on itself  without CRT. Here a problematic variant (/DINAMICBASE, without CRT): https://yadi.sk/d/XTeelPX33T3g5K Just in case, I spread other test variants: with CRT: https://yadi.sk/d/g-PEPVaO3T3g55 without CRT,/DYNAMICBASE:NO/FIXED:NO: https://yadi.sk/d/4rDSscRR3T3g5B without CRT,/DYNAMICBASE:NO/FIXED: https://yadi.sk/d/ZGUM0H-f3T3g5D On titles it is visible that though  is not present at one of a demon-CRT-shnyh of variants, flag IMAGE_FILE_RELOCS_STRIPPED is available only at/FIXED. I now use this variant as the main, and it while never fell.

29

Re: The program to entry point, at a loading stage

Hello, CaptainFlint, you wrote: CF> Just in case, I spread other test variants: CF> with CRT: https://yadi.sk/d/g-PEPVaO3T3g55 CF> without CRT,/DYNAMICBASE:NO/FIXED:NO: https://yadi.sk/d/4rDSscRR3T3g5B CF> without CRT,/DYNAMICBASE:NO/FIXED: https://yadi.sk/d/ZGUM0H-f3T3g5D CF> On titles it is visible that though  is not present at one of a demon-CRT-shnyh of variants, flag IMAGE_FILE_RELOCS_STRIPPED is available only at/FIXED. I now use this variant as the main, and it while never fell. Certainly they are not present at "/DYNAMICBASE:NO"

30

Re: The program to entry point, at a loading stage

Hello, , you wrote: > It seems, a trifle one forgot to look. When falls - to the specified address storage is not selected (in a debugger question marks). But in this case on set ENTRY POINT to the address all is normal? > there it is valid the address first command? If to take the address on which the unit (from the point of view of a debugger is loaded), and to pass to this +1000 address, yes, there my code.

31

Re: The program to entry point, at a loading stage

When not , be launched on windbg and execute in it a command: sxe ld. Also trace what units will be  in your process. All is very similar on    who from the outside  a couple tries. The first suspicion - on security