Greetings fellow asm coders, this is my first post to your board.

I am coding a program to access a certain section in a PE file. However, I'm mapping PE files straight from disk, rather than accessing a process that has already been loaded by the OS.

Would I be right in saying that the diskimage of the file is different from its memory image (when loaded by the OS) ? I say this because when I try and navigate through the diskimage by reading section VAs from the data directory and aligning them to the imagebase(mapping view), the addresses I get are invalid. However, these same addresses are valid once that file has been loaded by the OS itself.

If this is the case and the diskimage is different from the memoryimage, how can I find the location of the import section in the diskimage ?

Binary construct
Posted on 2003-06-05 16:34:48 by Binary construct
Yes. To get file offset from VA, scan all sections, see which in which section VA is, then take relative offset to VA, and add section file offset.
Posted on 2003-06-05 16:52:30 by comrade
Check Iczelions PE-tutorials, part 6 has a function in the source called RVAToOffset that does just that ( what comrade mentions )
Posted on 2003-06-05 16:59:15 by david

mov esi,[esp+4];pPE
assume esi:ptr IMAGE_DOS_HEADER
add esi,[esi].e_lfanew
assume esi:ptr IMAGE_NT_HEADERS
mov edi,[esp+8] ; edi == RVA
mov edx,esi
add edx,sizeof IMAGE_NT_HEADERS
movzx ecx,WORD PTR[esi].FileHeader.NumberOfSections
.while ecx>0 ; check all sections
.if edi>=[edx].VirtualAddress
mov eax,[edx].VirtualAddress
add eax,[edx].SizeOfRawData
.if edi<eax ; The address is in this section
mov eax,[edx].VirtualAddress
sub edi,eax ; edi == difference between the specified RVA and the section's RVA
mov eax,[edx].PointerToRawData
add eax,edi ; eax == file offset
add eax,[esp+4]
ret 2*4
dec ecx
mov eax,edi
ret 2*4
RVAToOffset endp

Ripped off from my code. Careful when using this since I did not preserve edi and esi.
Posted on 2003-06-06 01:15:23 by roticv
Thanks for your replies. I've got the code working and can now find the import section inside the file.

However, there's something that I don't understand. Roticv's code searches the section headers to see if the target RVA falls between the RVA for the section and its end. Why would the RVA for the import section (read from the data directory) not match exactly the RVA from the respective section header ?

Thanks again,
Binary construct
Posted on 2003-06-08 08:32:35 by Binary construct
It is a generic code to find fileoffset from RVA. It could be applied to finding the fileoffset of the entrypoint or import table and so on.

Anyway the code is just something I have extracted from icezlion's tutorial and reused it to my needs, thus it could not be considered my work.
Posted on 2003-06-08 08:44:47 by roticv
Posted on 2003-06-08 19:44:16 by SFP