
PE file section RVA calculation

I'm currently looking through a PE file's section table, both from the raw data on the disk, and through a couple of PE analysers. I'm a little confused over how some addresses are being interpreted.

For example, from the raw PE image on disk, I see this:

.text    virtualSize: 0x1A0F71  virtualAddress: 0x1000  rawSize: 0x1A1000

However, when using some PE analysers (LordPE, pedump.me), I see this:

.text    virtualSize: 0x114d41  virtualAddress: 0x1000  rawSize: 0x114e00

I'm not sure how these values are being interpreted. Is it something to do with alignment, and the image's base address?

Any input would be appreciated.

Thanks

Maybe this would help you to solve the problem: [image: enter image description here]

This requires psychic debugging; the size of a section isn't affected by RVA. The crystal ball says that you are actually looking at two different files. And your PE dumper utilities are 32-bit programs that you run on a 64-bit operating system.

You have to understand the File System Redirector. A 32-bit process will be redirected from c:\windows\system32 to c:\windows\syswow64 and from c:\program files to c:\program files (x86). So your PE dumper utilities could well be opening the 32-bit version of an executable instead. And yes, the .text section will be substantially smaller.

Copy the file to a directory that's not affected by redirection, like your Documents folder.
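One way to check whether two tools really opened the same image, added here as an example and not part of the original answer: parse the COFF `Machine` field and the section table from the bytes each view returns, and compare hashes. The two sample images are constructed header-only stand-ins using the `.text` values from the question; their `Machine` values and the helper names are assumptions.

```python
import hashlib
import struct

MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}
COFF = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes
SECTION = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(data):
    """Return machine type, SHA-256 and section table of a PE image given as bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, _ = COFF.unpack_from(data, e_lfanew + 4)
    # The section table starts right after the optional header.
    offset = e_lfanew + 4 + COFF.size + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, *_ = SECTION.unpack_from(data, offset + i * SECTION.size)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, rawsize))
    return {"machine": MACHINES.get(machine, hex(machine)),
            "sha256": hashlib.sha256(data).hexdigest(),
            "sections": sections}

def build_sample(machine, vsize, rawsize):
    """Constructed header-only PE: DOS header, COFF header, one .text section."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = COFF.pack(machine, 1, 0, 0, 0, 0, 0x0002)       # no optional header
    text = SECTION.pack(b".text", vsize, 0x1000, rawsize, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + text

def same_file(a, b):
    """True only if both views are byte-identical images."""
    return parse_pe(a)["sha256"] == parse_pe(b)["sha256"]

# Constructed stand-ins for the two views in the question (Machine values assumed).
RAW_VIEW = build_sample(0x8664, 0x1A0F71, 0x1A1000)
TOOL_VIEW = build_sample(0x014C, 0x114D41, 0x114E00)

if __name__ == "__main__":
    for label, blob in (("raw read", RAW_VIEW), ("32-bit tool", TOOL_VIEW)):
        info = parse_pe(blob)
        print(label, info["machine"], info["sha256"][:16])
        for name, vsize, vaddr, rawsize in info["sections"]:
            print(f"  {name:8} vsize={vsize:#x} vaddr={vaddr:#x} raw={rawsize:#x}")
```

On a real system, pass `parse_pe` the bytes read from the path as each tool sees it; a differing `Machine` value or hash confirms the tools opened different files.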
