HookProcessTermination demo question

xrfang
Posts: 68
Joined: Mon Feb 28, 2005 7:29 am

Post by xrfang »

Could anyone tell me what the following statement means? And why do we need it in a MadCodeHook DLL?

{$IMAGEBASE $5a800000}


Thanks!
Shannon
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Check out the module (dll) list of a process (e.g. by using sysinternals' process monitor). You'll see that each dll is loaded to a different address in memory. It's not possible to load 2 dlls to the same address.

Now if you compile a hook dll and don't tell Delphi to which address it should be loaded, Delphi uses the default value of $400000. The problem is that this address is usually used by the executable already. That means, when such a dll is loaded, Windows first tries to load it at $400000, but that fails. So Windows has to search for a different address where it can load the dll. Then Windows has to work on your dll, relocating some things, to make it work at the different address. That costs performance.

Using {$IMAGEBASE xxxxxxxx} tells Delphi to which address the dll shall be loaded by default. If the address is not in use yet, loading of the dll is a whole lot faster. You can also configure this option in the project options, btw.
xrfang
Posts: 68
Joined: Mon Feb 28, 2005 7:29 am

Post by xrfang »

madshi wrote: Using {$IMAGEBASE xxxxxxxx} tells Delphi to which address the dll shall be loaded by default. If the address is not in use yet, loading of the dll is a whole lot faster. You can also configure this option in the project options, btw.
Thanks! This means I can use an IMAGEBASE of any value? Are there any rules for using the imagebase directive (say, it must be > 4000000)?
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

You should use a value lower than $80000000, because the upper half of the address range is reserved for the OS. Usually you should use a value higher than $400000, because that is the address usually used by exe modules.

I'd suggest that you use a tool like the Process Monitor from sysinternals to look for an area that is usually unused in most processes. That is what I've done for the madCodeHook demos, too.
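An added check (Python, not madshi's or xrfang's code) that reads a compiled hook DLL's preferred ImageBase from its PE optional header and applies the two rules given above (higher than $400000, lower than $80000000 for 32-bit images). The `build_test_header` helper constructs a minimal sample header so the script runs offline; the DYNAMIC_BASE note is an addition to the thread: once a DLL opts into ASLR the preferred base is only a hint to the loader.

```python
import struct

EXE_DEFAULT_BASE = 0x400000      # Delphi's default base; the host exe normally sits here
OS_RESERVED_START = 0x80000000   # upper half of a 32-bit address space belongs to the OS
DYNAMIC_BASE = 0x0040            # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR opt-in)

def read_image_base(pe: bytes) -> dict:
    """Parse the PE headers and return the preferred ImageBase and related flags."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                     # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                      # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                    # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", pe, opt + 70)[0]   # same offset in PE32 and PE32+
    return {"image_base": image_base, "pe32plus": magic == 0x20B,
            "dynamic_base": bool(dll_chars & DYNAMIC_BASE)}

def check_hook_dll_base(pe: bytes) -> list:
    """Apply the thread's rules; an empty list means the preferred base looks fine."""
    info, findings = read_image_base(pe), []
    base = info["image_base"]
    if base == EXE_DEFAULT_BASE:
        findings.append("BASE_IS_EXE_DEFAULT")    # collides with the host exe -> relocation
    elif base < EXE_DEFAULT_BASE:
        findings.append("BASE_BELOW_EXE_DEFAULT")
    if not info["pe32plus"] and base >= OS_RESERVED_START:
        findings.append("BASE_IN_OS_HALF")
    if info["dynamic_base"]:
        findings.append("ASLR_OVERRIDES_BASE")    # base is only a hint once ASLR rebases
    return findings

def build_test_header(image_base: int, dll_chars: int = 0) -> bytes:
    """Constructed minimal PE32 DLL header (sample input only, not a loadable DLL)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2000)  # i386, IMAGE_FILE_DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

To check a real DLL, pass `open("hook.dll", "rb").read()` to `check_hook_dll_base` instead of the constructed header.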