Feb 222012
 

What’s LARGEADDRESSAWARE?

32 bit processes are by default confined to a 2 GB address space even though a 32 bit address can address up to 4 GB of memory. Remaining 2 GB goes to the Windows Kernel. With LARGEADDRESSAWARE we can bypass this limitation to an extent, this switch will enable a 32 bit process to address up to 3 GB of virtual address space.

The downside of this feature is that Kernel components will be restricted to 1 GB of virtual address space. We advise developers to use this switch only on server machines where just one dedicated application is set to run, for e.g. SQL Server. Its not great to halve kernel memory space on a machine with too many user mode applications or device drivers running in tandem as there will be demand for higher amount of kernel memory.

On Windows XP, some drivers, especially video adapter drivers with onboard RAM, cannot run with the /3GB parameter because they require more address space than the 1 GB kernel address space permits.

While on a 64 bit machine, considering the vast expanse of memory available to us, LARGEADDRESSAWARE flag is turned on by default for a process this way a 32 bit process gets the entire 4 GB address space on a 64 bit machine. Well known desktop 32bit applications like Visual Studio has this switch enabled because most of the new machines we purchase are 64 bit machines and this way Visual Studio benefits automatically. This switch is harmless on a 32 bit machine which doesn’t have /3GB OS switch enabled.

How to enable LARGEADDRESSAWARE?

Application

The command to enable large address aware is as follows…

EditBin /LARGEADDRESSAWARE NotePad.exe

How to check if the above command worked or not? Run the above executable (in our case NotePad.exe) with DumpBin.exe.

C:\> DumpBin /Headers NotePad.exe

FILE HEADER VALUES
14C machine (x86)
4 number of sections
4BA1DC16 time date stamp Thu Mar 18 02:53:58 2010
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
122 characteristics
Executable
Application can handle large (>2GB) addresses
32 bit word machine

See highlighted line.

Changes to boot.ini

Please add /3GB switch as shown below to a boot entry that you’d like to configure…

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /3GB
Jun 062007
 

Use dumpbin…

Dumpbin /imports SomeDll.dll > APIList.txt

Dumpbin /imports SomeExe.exe > APIList.txt

So next time if you find some application that looks and works cool and you would like to know what all API’s that application is using, go ahead use dumpbin or Dependency walker( The first pane to the right list’s all those API’s ).

Using Dependency walker is much better since you can scroll through the list.

Jun 062007
 

Use dumpbin…

// Disassemble a dll
dumpbin /disasm SomeDll.dll > RedirectToSomeFile.asm

// Disassemble an exe
dumpbin /disasm SomeExe.exe > RedirectToSomeFile.asm

Redirecting to a file, results in faster disassembling.

Help for dumpbin displays the following information!

Microsoft (R) COFF Binary File Dumper Version 6.00.8447
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.

usage: DUMPBIN [options] [files]
   options:
      /ALL
      /ARCH
      /ARCHIVEMEMBERS
      /DEPENDENTS
      /DIRECTIVES
      /DISASM
      /EXPORTS
      /FPO
      /HEADERS
      /IMPORTS
      /LINENUMBERS
      /LINKERMEMBER[:{1|2}]
      /LOADCONFIG
      /OUT:filename
      /PDATA
      /RAWDATA[:{NONE|BYTES|SHORTS|LONGS}[,#]]
      /RELOCATIONS
      /SECTION:name
      /SUMMARY
      /SYMBOLS

Using dumpbin we can also list out the import table and export table of a dll or exe. An e.g.

dumpbin /EXPORTS %systemroot%/system32/user32.dll

Try out all those options 🙂