COFF Loader · GitBook (otterhacker.github.io)

COFF structure

Similar to PE, but slight differences

• Header
• N Sections. First one immediately follows the COFF header. There will be N section headers (check Header for count), followed by the sections (check the offsets in each section header)
• Relocation Table (different from .reloc, there is none in a COFF)
• Symbols
• Symbol names (strings)

Difference from PE Loading

• A PE has all the object files and external libraries linked together
  • Symbols (variables, function definitions, etc.) defined in one object file and referred from another object file will be linked during compilation so all is good
• An object file does not have the addresses of its symbols linked, since the linker is supposed to do that.
  • An object file will have all the symbols, but no memory addresses attached. So trying to execute one will fail.

As it can be seen the object file contains all the symbols, but if the raw bytes are analyzed, the address that should point to the symbol is empty (0x000000). Thus, the object file cannot be executed as a PE.

// file1.c
char myVariable[16] = "Hello World !\\n";

// file2.c 
extern char myVariable[16];
int main void(){
    printf("%s", myVariable);
}

000000000000001B: 48 8D 15 00 00 00 00  lea         rdx,[myVariable]
0000000000000022: 48 8D 0D 00 00 00 00  lea         rcx,[??_C@_02DKCKIIND@?$CFs@]
0000000000000029: E8 00 00 00 00        call        __imp_printf

• Above is line 1 disassembled. Note how its attempting to read the symbol (lea ⇒ load effective address), but the address of the symbol isn’t resolved; it will try to read 0x000000 and die.

A COFF Loader is a program that will take an object file as input, will resolve all symbols to make it executable by the OS, store the symbols in memory and run the program described by the object file in-memory.

Thus a COFF Loader is more or less a mini-linker that will perform in-memory linking and execution.