COFF Loader · GitBook (otterhacker.github.io)
Similar to PE, but with slight differences.

Sections: the first one immediately follows the COFF header. There will be N section headers (check the header for the count), followed by the sections themselves (check the offsets in each section header).

As can be seen, the object file contains all the symbols, but if the raw bytes are analyzed, the address that should point to the symbol is empty (0x000000). Thus, the object file cannot be executed as a PE.
// file1.c
char myVariable[16] = "Hello World !\n";

// file2.c
#include <stdio.h>
extern char myVariable[16];   // defined in file1.c, resolved only at link time
int main(void) {
    printf("%s", myVariable);
    return 0;
}
000000000000001B: 48 8D 15 00 00 00 00 lea rdx,[myVariable]
0000000000000022: 48 8D 0D 00 00 00 00 lea rcx,[??_C@_02DKCKIIND@?$CFs@]
0000000000000029: E8 00 00 00 00 call __imp_printf
The code loads the address of the symbol (lea ⇒ load effective address), but the address of the symbol isn't resolved; the program would try to read 0x000000 and die. The zeroed bytes are placeholders: the object's relocation table records, for each of them, which symbol it refers to, and that is the information a linker (or a loader) uses to patch them.

A COFF Loader is a program that takes an object file as input, resolves all symbols to make it executable by the OS, stores the symbols in memory and runs the program described by the object file in memory. Thus a COFF Loader is more or less a mini-linker that performs in-memory linking and execution.
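The first job of such a loader is to walk the section headers, relocations and symbol table to find every placeholder it has to patch. The following parser, added here as an example and not code from the original page, does exactly that over a hand-built x64 object (constructed inline, mirroring the lea/call listing above) and reports each relocation together with the still-empty field it points at.

```python
import struct

COFF_HDR = struct.Struct("<HHIIIHH")      # IMAGE_FILE_HEADER (20 bytes)
SECT_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER (40 bytes)
RELOC = struct.Struct("<IIH")             # IMAGE_RELOCATION (10 bytes)
SYMBOL = struct.Struct("<8sIhHBB")        # IMAGE_SYMBOL (18 bytes)

def symbol_name(raw, strtab):
    """Short names sit in the 8-byte field; long names are an offset into the string table."""
    if raw[:4] == b"\0\0\0\0":
        off = struct.unpack_from("<I", raw, 4)[0]
        return strtab[off:strtab.index(b"\0", off)].decode()
    return raw.rstrip(b"\0").decode()

def unresolved_references(data):
    """For every relocation return (section, offset, symbol, current field value); a loader patches exactly these."""
    _, nsect, _, symoff, nsyms, _, _ = COFF_HDR.unpack_from(data, 0)
    symbols = [SYMBOL.unpack_from(data, symoff + i * SYMBOL.size) for i in range(nsyms)]
    strtab = data[symoff + nsyms * SYMBOL.size:]   # string table directly follows the symbol table
    refs = []
    for i in range(nsect):
        hdr = SECT_HDR.unpack_from(data, COFF_HDR.size + i * SECT_HDR.size)
        name, _, _, rawsize, rawptr, relptr, _, nrel, _, _ = hdr
        body = data[rawptr:rawptr + rawsize]
        for r in range(nrel):
            off, symidx, _rtype = RELOC.unpack_from(data, relptr + r * RELOC.size)
            field = struct.unpack_from("<I", body, off)[0]   # the bytes the fixup will overwrite
            refs.append((name.rstrip(b"\0").decode(), off, symbol_name(symbols[symidx][0], strtab), field))
    return refs

def build_sample_object():
    """Constructed x64 object: lea rdx,[myVariable] ; call __imp_printf, rel32 fields zeroed, one IMAGE_REL_AMD64_REL32 (4) each."""
    text = bytes.fromhex("488D1500000000" "E800000000")
    strtab, symrecs = b"", b""
    for sym in (b"myVariable", b"__imp_printf"):
        off = 4 + len(strtab)                      # string-table offsets include the 4-byte length prefix
        strtab += sym + b"\0"
        # undefined external: section 0, value 0, storage class IMAGE_SYM_CLASS_EXTERNAL (2)
        symrecs += SYMBOL.pack(b"\0\0\0\0" + struct.pack("<I", off), 0, 0, 0, 2, 0)
    relocs = RELOC.pack(3, 0, 4) + RELOC.pack(8, 1, 4)
    text_off = COFF_HDR.size + SECT_HDR.size
    reloc_off = text_off + len(text)
    sym_off = reloc_off + len(relocs)
    hdr = COFF_HDR.pack(0x8664, 1, 0, sym_off, 2, 0, 0)   # IMAGE_FILE_MACHINE_AMD64, one section
    sect = SECT_HDR.pack(b".text", 0, 0, len(text), text_off, reloc_off, 0, 2, 0, 0x60000020)
    return hdr + sect + text + relocs + symrecs + struct.pack("<I", 4 + len(strtab)) + strtab
```

Running `unresolved_references(build_sample_object())` lists both fixups with a field value of 0, the same empty address the raw-bytes view above shows; a loader would replace each with the rel32 displacement to the symbol it has placed in memory.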