Calculating the file offset of a entry point in a PE file
Question
In
http://en.redinskala.com/finding-the-ep/
there is information about how to find the file offset of the entry point in a exe-file.
Here I can read that
EP (File) = AddressOfEntryPoint – BaseOfCode + .text[PointerToRawData] + FileAlignment
However, when I have been calculating this myself (I used a couple of different exe files) I have came to the conclusion that
Offset of entry point in EXE file = AddressOfEntryPoint + .text[PointerToRawData] - .text[VirtualAddress]
Where AddressOfEntryPoint is fetched from IMAGE_OPTIONAL_HEADER and the other two values from the IMAGE_SECTION_HEADER.
Is the information on that web page false? Adding FileAlignment like they do just seems wrong, it does not make sense. Or does it? A file alignment suggests that I should use modulo or something to compute a value. If BaseOfCode and FileAlignment is the same value (mostly they are), it would not disturb adding them to the calculation, but how would it make sense?
1 answers
solution1
2 ACCPTED 2015-11-16 14:18:26
Correct, you don't need to use the FileAlignment value at all.
The algorithm should be something like as follow (very similar to yours):
- Get
AddressOfEntryPointfrom IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint (this is a VA) - Search in which section header this VA resides (usually the 1st one, but you should really search in all section headers).
- Once you have the right section header, get its
VirtualAddressandPointerToRawDatafields. - Subtract
VirtualAddressfromAddressOfEntryPoint: you now have a "delta" - As the exactly same delta applies to offsets, then: add "delta" to
PointerToRawData.
You simply don't need FileAlignment because the section in which the entry point lies is already aligned on that value.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.