Offset between 32-bit base address and 64-bit Windows 7

[LiaoMi]

Hallo,

how I can calculate the offset between the loaded modules in Windows 7 64bit, when ntdll library base address is 32-bit address? Сalculation must be within its own dll ...

The example below

0000000077900000 0000000000001000 ntdll.dll
000007FEF3830000 0000000000001000 example.dll

Code Select Expand

0000000077900000 0000000000001000 ntdll.dll                                           IMG -R--- ERWC-
0000000077901000 00000000000FC000  ".text"                                            IMG ER--- ERWC-
00000000779FD000 0000000000001000  "RT"                                               IMG ER--- ERWC-
00000000779FE000 000000000002F000  ".rdata"                                           IMG -R--- ERWC-
0000000077A2D000 000000000000E000  ".data"                                            IMG -RW-- ERWC-
0000000077A3B000 0000000000013000  ".pdata"                                           IMG -R--- ERWC-
0000000077A4E000 000000000005B000  ".rsrc"                                            IMG -R--- ERWC-
0000000077AA9000 0000000000001000  ".reloc"                                           IMG -R--- ERWC-
000000007EFE0000 0000000000005000                                                     MAP -R--- -R---
000000007EFE5000 00000000000FB000 Reserved (000000007EFE0000)                         MAP       -R---
000000007F0E0000 0000000000F00000 Reserved                                            PRV       -R---
000000007FFE0000 0000000000001000 KUSER_SHARED_DATA                                   PRV -R--- -R---
000000007FFE1000 000000000000F000 Reserved (000000007FFE0000)                         PRV       -R---
000000013FCA0000 0000000000001000 dllloader64_27ab.exe                                IMG -R--- ERWC-
000000013FCA1000 0000000000005000  ".text"                                            IMG ER--- ERWC-
000000013FCA6000 0000000000003000  ".rdata"                                           IMG -R--- ERWC-
000000013FCA9000 0000000000003000  ".data"                                            IMG -RW-- ERWC-
000000013FCAC000 0000000000001000  ".pdata"                                           IMG -R--- ERWC-
000000013FCAD000 0000000000001000  ".reloc"                                           IMG -R--- ERWC-
000007FEF3830000 0000000000001000 example.dll                                    IMG -R--- ERWC-
000007FEF3831000 0000000000001000  ".text"                                            IMG ER--- ERWC-
000007FEF3832000 0000000000001000  ".rdata"                                           IMG -R--- ERWC-
000007FEF3833000 0000000000003000  ".data"                                            IMG -RWC- ERWC-
000007FEF3836000 0000000000001000  ".pdata"                                           IMG -R--- ERWC-
000007FEF3837000 0000000000001000  ".rsrc"                                            IMG -R--- ERWC-

Thanks in advance!

[LiaoMi]

I tried to come up with the other hand, with parameters

Code Select Expand

@echo off
set INCLUDE=C:\masm32\jWasm\sdkrc100\um;C:\masm32\jWasm\sdkrc100\shared;C:\masm32\jWasm\sdkrc100\VC
@if not exist Example.dll goto comp
@del Example.dll
:comp

@\masm32\jWasm\bin\RC /r  appinit.rc
@\masm32\jWasm\bin\HJWasm64 /c -win64 -Zp8 /Zi /win64 /D_WIN64 /Cp /nologo /W2 appinit.asm
@\masm32\jWasm\bin\link /SUBSYSTEM:WINDOWS /LARGEADDRESSAWARE:NO /RELEASE /DLL /DEF:appinit.def appinit.obj appinit.res
@\masm32\jWasm\bin\CVTRES.EXE /machine:x64 appinit.res
@if not exist Example.dll goto end
@del *.lst
@del *.obj
@del *.res
:end
@pause

I get a message - LINK : warning LNK4075: ignoring '/LARGEADDRESSAWARE:NO' due to '/DLL' specification

found only a discussion ... none of the tips does not fall within this example

https://social.msdn.microsoft.com/Forums/vstudio/en-US/295bb9d5-6095-4796-bd14-ee66d3bf0bd5/error-lnk2017-addr32-relocation-to-cbcmlpsstate-invalid-without-largeaddressawareno?forum=vclanguage

[Zen]

LIAOMI,
Really good question. Are you writing a 32-bit application, or a 64-bit application ???
The code would indicate a 64-bit application,...

[LiaoMi]

LIAOMI,
Really good question. Are you writing a 32-bit application, or a 64-bit application ???
The code would indicate a 64-bit application,...

Hallo Zen,

this library is 64 bit dll used also in 64 bit application, through the trick with the base, I would like to calculate the offset to kernel.dll or ntdll.dll, with a simple subtraction. Although both solutions are interesting in their own way  ::)