No .BSS in PE file
Question
Here is short console application example
static char buffer[4096];
int main() {
for(int i=0;i<4096;i++) {
buffer[i] = 1234;
}
return 0;
}
As I understand, 'exe' file produced by the compiler should contain .bss section to store 'buffer' variable.
I'm using Tiny C Compiler and resulting file does not contain any reference to .bss.
DOS Header
Magic number: 0x5a4d (MZ)
Bytes in last page: 144
Pages in file: 3
Relocations: 0
Size of header in paragraphs: 4
Minimum extra paragraphs: 0
Maximum extra paragraphs: 65535
Initial (relative) SS value: 0
Initial SP value: 0xb8
Initial IP value: 0
Initial (relative) CS value: 0
Address of relocation table: 0x40
Overlay number: 0
OEM identifier: 0
OEM information: 0
PE header offset: 0x80
COFF/File header
Machine: 0x14c IMAGE_FILE_MACHINE_I386
Number of sections: 2
Date/time stamp: 0 (Thu, 01 Jan 1970 00:00:00 UTC)
Symbol Table offset: 0
Number of symbols: 0
Size of optional header: 0xe0
Characteristics: 0x30f
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
Optional/Image header
Magic number: 0x10b (PE32)
Linker major version: 6
Linker minor version: 0
Size of .text section: 0
Size of .data section: 0
Size of .bss section: 0
Entrypoint: 0x1060
Address of .text section: 0x1000
Address of .data section: 0x2000
ImageBase: 0x400000
Alignment of sections: 0x1000
Alignment factor: 0x200
Major version of required OS: 4
Minor version of required OS: 0
Major version of image: 0
Minor version of image: 0
Major version of subsystem: 4
Minor version of subsystem: 0
Size of image: 0x4000
Size of headers: 0x200
Checksum: 0x95d5
Subsystem required: 0x3 (IMAGE_SUBSYSTEM_WINDOWS_CUI)
DLL characteristics: 0
Size of stack to reserve: 0x100000
Size of stack to commit: 0x1000
Size of heap space to reserve: 0x100000
Size of heap space to commit: 0x1000
Data directories
IMAGE_DIRECTORY_ENTRY_IMPORT: 0x2000 (40 bytes)
IMAGE_DIRECTORY_ENTRY_IAT: 0x2028 (32 bytes)
Imported functions
msvcrt.dll
_controlfp
__set_app_type
__getmainargs
exit
_XcptFilter
_exit
_except_handler3
export directory not found
Sections
Name: .text
Virtual Address: 0x1000
Physical Address: 0x1e8
Size: 0x200 (512 bytes)
Pointer To Data: 0x200
Relocations: 0
Characteristics: 0x60000020
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Name: .data
Virtual Address: 0x2000
Physical Address: 0x10e0
Size: 0x200 (512 bytes)
Pointer To Data: 0x400
Relocations: 0
Characteristics: 0xc0000040
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Disassembled version of executable references 'buffer' variable as if it was positioned right after .data section. How it works ? How PE loader knows that it should reserve particular area after .data section ?
Executable: https://www.dropbox.com/s/99bpil11j7396ej/test-bss.exe?dl=0
PEDUMP online: http://pedump.me/40c40172cf08c89c3d97bd6840dbd3a0/
2 answers
solution1
6 ACCPTED 2015-05-04 10:03:38
With the actual in memory and on disk size of the .data section now known I think it's possible to explain where buffer is located and how it got there.
For the sake of consistency I'm using terms from the Microsoft Portable Executable and Common Object File Format Specification .
So this is what we know about the .data section, it's VirtualSize is 4320 (0x10E0) and it's SizeOfRawData is 512 (0x200). This means that the .data section 512 bytes on disk, but gets zero padded to a size of 4320 bytes in memory. The SizeOfRawData value is the size of initialized data in the executable, and when you subtract that from VirtualSize and you get the size of uninitialized data. As noted in the comments, this means the .data section has 3808 bytes of uninitialized data, which isn't enough space to contain the 4096 byte array named buffer .
So where is buffer ? It must start somewhere in the initialized part of the .data section and continue into the uninitialized part. PECOFF requires that SizeOfRawData value be rounded up to the next multiple of FileAlignment (512). This means that when the linker created the executable's .data section it padded out the initialized data on disk with uninitialized data so that SizeOfRawData ends up being a multiple of 512. In other words the actual amount of initialized data in the executable is less than 512 bytes and the actual amount of uninitialized data is greater than 3808.
This diagram attempts to show how the linker would have laid out the .data section. The top part represents where in memory, relative to the start of the .data section, the linker put all the initialized variables and uninitialized variables used in the executable. The middle part shows where buffer was placed. The bottom section shows the part of the .data section that exists as initialized data in the executable.
+------------------+----------------------------------------+
| Initialized Vars | Uninitialized Variables |
+--------------------+-----------------------------------+--+
| | buffer[4096] | |
+--------------------+---+-------------------------------+--+
| Initialized on Disk | 4320
+------------------------+
0 512
solution2
1 2015-05-04 09:38:36
There is no need to store a BSS section in the exe file because it contains only uninitialised data. It is allocated by the startup code -- that is the code executed before you get to main. The BSS section is normally allocated after the DATA section from RAM, and is NORMALLY (not always) cleared to zero by the startup code. Conversely DATA section IS initialised (with the values to specify in the source) so it must be store in the exe file image.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.