PE: Difference between revisions
Jump to navigation
Jump to search
| [unchecked revision] | [unchecked revision] |
Content deleted Content added
→Inside the PE file: There's no such thing as most/least significant bits first. |
|||
| Line 86: | Line 86: | ||
The Relative Virtual Base is a phrase that comes up a lot in PE documentation. The RVA is the address at where something exists once it's loaded into memory, rather than an offset into the file. To calculate the file's address from an RVA without actually loading the sections into memory, you can use the table of section entries. By using the virtual address and size of each section you can find which section the RVA belongs to, then subtract the difference between the section's virtual address and file offset. |
The Relative Virtual Base is a phrase that comes up a lot in PE documentation. The RVA is the address at where something exists once it's loaded into memory, rather than an offset into the file. To calculate the file's address from an RVA without actually loading the sections into memory, you can use the table of section entries. By using the virtual address and size of each section you can find which section the RVA belongs to, then subtract the difference between the section's virtual address and file offset. |
||
=== Secion header === |
|||
Each section has an entry in section header table. |
|||
<source lang="c"> |
|||
struct IMAGE_SECTION_HEADER { // size 40 bytes |
|||
char[8] mName; |
|||
uint32_t mVirtualSize; |
|||
uint32_t mVirtualAddress; |
|||
uint32_t mSizeOfRawData; |
|||
uint32_t mPointerToRawData; |
|||
uint32_t mPointerToRawData; |
|||
uint32_t mPointerToRealocations; |
|||
uint32_t mPointerToLinenumbers; |
|||
uint16_t mNumberOfRealocations; |
|||
uint16_t mNumberOfLinenumbers; |
|||
uint32_t mCharacteristics; |
|||
}; |
|||
</source> |
|||
===In asm linkage=== |
===In asm linkage=== |
||