I've read Iczelion's PE Tutorial 4: Optional Header.
It said that if the value of ImageBase is 400000h, the PE loader will try to load the file into the virtual address space starting at 400000h. The word "preferred" means that the PE loader may not load the file at that address if some other module already occupied that address range.

What about addresses less than 400000h? Will I then be able to access another module (or is it a process?) if I make a pointer less than 400000h?
Or are those modules all related to that process (i.e. DLLs called by that process), while each process has its own virtual address space?

I am confused
Posted on 2007-10-07 19:00:03 by Y0z2
Processes are each loaded into their own address space, so you can't access other processes' memory without Read/WriteProcessMemory. DLLs are mapped on a per-process basis, too (on NT - 9x is a dirty shared kid).

EXEs generally don't have relocations, so they can only be loaded to their preferred location. You _can_ specify a non-0x400000 base address when linking, though - can't make it 100% arbitrary though. And relocations for executables only work partially.
Posted on 2007-10-07 19:06:32 by f0dder

On Windows, addresses below the 4MB mark are reserved for things like the stack, heap and other data not to be touched by userland.

The most obvious reason (to me) is that with standard x86 paging, Page Directories fall on 4MB boundaries. It is easier to just mark that first Page Directory as for use by Ring-0 only.
Posted on 2007-10-07 19:07:04 by SpooK