```text
File Type: DLL

FILE HEADER VALUES
             14C machine (i386)
               4 number of sections
        4D00F2A7 time date stamp Thu Dec 09 23:15:51 2010
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
            210E characteristics
                   Executable
                   Line numbers stripped
                   Symbols stripped
                   32 bit word machine
                   DLL

OPTIONAL HEADER VALUES
             10B magic #
            7.10 linker version
           7D000 size of code
           15A00 size of initialized data
               0 size of uninitialized data
           12AFC address of entry point
            1000 base of code
           ----- new -----
        7c920000 image base
            1000 section alignment
             200 file alignment
               3 subsystem (Windows CUI)
            5.01 operating system version
            5.01 image version
            4.10 subsystem version
           96000 size of image
             400 size of headers
           9A8E1 checksum
        00040000 size of stack reserve
        00001000 size of stack commit
        00100000 size of heap reserve
        00001000 size of heap commit
               0 DLL characteristics
            3400 [    9A5E] address [size] of Export Directory
               0 [       0] address [size] of Import Directory
           83000 [    F7E4] address [size] of Resource Directory
               0 [       0] address [size] of Exception Directory
               0 [       0] address [size] of Security Directory
           93000 [    2EEC] address [size] of Base Relocation Directory
           7DED4 [      38] address [size] of Debug Directory
               0 [       0] address [size] of Description Directory
               0 [       0] address [size] of Special Directory
               0 [       0] address [size] of Thread Storage Directory
           512D0 [      40] address [size] of Load Configuration Directory
               0 [       0] address [size] of Bound Import Directory
               0 [       0] address [size] of Import Address Table Directory
               0 [       0] address [size] of Delay Import Directory
               0 [       0] address [size] of COR20 Header Directory
               0 [       0] address [size] of Reserved Directory

SECTION HEADER #1
   .text name
   7CF32 virtual size
    1000 virtual address
   7D000 size of raw data
     400 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         (no align specified)
         Execute Read

  Debug Directories(2)

        Type       Size     Address  Pointer

Can not read debug dir

SECTION HEADER #2
   .data name
    4A20 virtual size
   7E000 virtual address
    3200 size of raw data
   7D400 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         (no align specified)
         Read Write

SECTION HEADER #3
   .rsrc name
    F7E4 virtual size
   83000 virtual address
    F800 size of raw data
   80600 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         (no align specified)
         Read Only

SECTION HEADER #4
  .reloc name
    2EEC virtual size
   93000 virtual address
    3000 size of raw data
   8FE00 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
42000040 flags
         Initialized Data
         Discardable
         (no align specified)
         Read Only
```
Indeed, it’s NTDLL.DLL.
This means:
nt!PsSystemDllBase is the address where NTDLL.DLL is loaded into memory.
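As an added example that is not part of the original post, the Python below parses the same PE32 fields that dumpbin printed above (file header, image base, entry point, export directory, section table) and maps an RVA to a file offset. The header bytes are constructed from the values in the dump, not read from a real ntdll.dll, and the parser checks bounds before trusting the section count.

```python
import struct
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000        # IMAGE_FILE_HEADER.Characteristics bit set in 0x210E
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes

def build_sample_image() -> bytes:
    # Constructed PE32 headers (0x400 bytes, the dump's SizeOfHeaders) carrying the dump's values.
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew -> "PE\0\0"
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 4, 0x4D00F2A7, 0, 0, 0xE0, 0x210E)
    opt = 0x58                                                    # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", img, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x12AFC)                # AddressOfEntryPoint
    struct.pack_into("<III", img, opt + 28, 0x7C920000, 0x1000, 0x200)  # ImageBase, alignments
    struct.pack_into("<II", img, opt + 96, 0x3400, 0x9A5E)        # export directory RVA, size
    secs = [(b".text", 0x7CF32, 0x1000, 0x7D000, 0x400, 0x60000020),
            (b".data", 0x4A20, 0x7E000, 0x3200, 0x7D400, 0xC0000040),
            (b".rsrc", 0xF7E4, 0x83000, 0xF800, 0x80600, 0x40000040),
            (b".reloc", 0x2EEC, 0x93000, 0x3000, 0x8FE00, 0x42000040)]
    for i, (n, vs, va, rs, rp, fl) in enumerate(secs):
        struct.pack_into(SECTION_FMT, img, opt + 0xE0 + 40 * i, n, vs, va, rs, rp, 0, 0, 0, 0, fl)
    return bytes(img)

def parse_pe(data: bytes) -> dict:
    # Parse DOS/NT headers and the section table; reject malformed input rather than guess.
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled")
    sec_tbl = opt + opt_size
    if sec_tbl + 40 * nsec > len(data):                           # bounds check before using nsec
        raise ValueError("section table runs past end of data")
    sections = []
    for i in range(nsec):
        n, vs, va, rs, rp, *_, fl = struct.unpack_from(SECTION_FMT, data, sec_tbl + 40 * i)
        sections.append({"name": n.rstrip(b"\0").decode(), "va": va, "vsize": vs,
                         "raw_ptr": rp, "raw_size": rs, "flags": fl})
    return {"machine": machine, "is_dll": bool(chars & IMAGE_FILE_DLL),
            "timestamp_utc": datetime.fromtimestamp(ts, timezone.utc),  # dumpbin shows local time
            "entry_point": struct.unpack_from("<I", data, opt + 16)[0],
            "image_base": struct.unpack_from("<I", data, opt + 28)[0],
            "export_dir": struct.unpack_from("<II", data, opt + 96), "sections": sections}

def rva_to_offset(sections: list, rva: int) -> int:
    # Map an RVA to a file offset through the section that contains it.
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")
```

With the dump's values the export directory at RVA 0x3400 lands at file offset 0x2800 inside .text, and the header timestamp decodes to 15:15:51 UTC, eight hours behind the local time dumpbin printed.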