Hello everybody,
I think there must be some guys very familiar with the Windows PE file format. I am currently working on it, but find something weird:
the "size of image" field in the PE optional header is always larger than the actual size of the file, and the delta always seems to be the size of the file alignment of this file.
Have you ever noticed this? And do you know why?

thx in advance
Posted on 2003-11-25 11:01:27 by FredLiu
Size of image = the virtual sizes of all sections added together. Say, for example, an exe had uninitialised data of 1 MB but that section had 0 physical size: that section wouldn't be present in the file, however it would be in the memory image when the exe is loaded... get the picture? And it's all documented in the PE docs.
Posted on 2003-11-25 11:36:49 by evlncrn8
Cut this out from one of my old programs; it should calc a correct size of image.

; ( edi points to IMAGE_OPTIONAL_HEADER32, esi points to IMAGE_NT_HEADERS )

mov eax,[edi].SizeOfHeaders
mov ecx,[edi].SectionAlignment
call AlignTo

movzx ecx, word ptr [esi+6h] ; ecx = FileHeader.NumberOfSections
mov edx,esi
add edx,SIZEOF IMAGE_NT_HEADERS
assume edx:ptr IMAGE_SECTION_HEADER
@@:
add eax,[edx].Misc.VirtualSize
push ecx
mov ecx,[edi].SectionAlignment
call AlignTo
pop ecx
add edx,SIZEOF IMAGE_SECTION_HEADER
dec ecx
jnz @B

assume edx:nothing

mov [edi].SizeOfImage,eax ; SizeOfImage stored.

; .....etc..etc..

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

; Align eax to value in ecx

; params: ECX= value to align to
; EAX= value to align
; returns: aligned value in EAX
; destroys: EAX,ECX

AlignTo:
push edx
xor edx,edx
push eax
div ecx
test edx,edx
jz @F ; if modulus returns 0, number is already aligned
sub ecx,edx
pop eax ; eax=total size of sections calced above
add eax,ecx
pop edx
ret

@@:
pop eax
pop edx
ret
Posted on 2003-11-25 14:47:49 by david
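
Added example, not part of the thread and not any poster's code: the running-total calculation from the routine above, written in Python and run against a constructed header set whose .bss section has a 1 MB virtual size and no raw data, so the stored SizeOfImage can be compared with the file length. The function names, the sample bytes from build_sample, and locating the section table through e_lfanew and SizeOfOptionalHeader are this example's own assumptions.

```python
import struct

def align_up(value, alignment):
    """Round value up to a multiple of alignment (AlignTo in the post)."""
    return (value + alignment - 1) // alignment * alignment

def size_of_image(pe):
    """Return (stored SizeOfImage, total recomputed with the post's loop)."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]               # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24                                            # optional header
    sect_align = struct.unpack_from("<I", pe, opt + 32)[0]
    stored, hdr_size = struct.unpack_from("<II", pe, opt + 56)
    if sect_align == 0:
        raise ValueError("SectionAlignment is zero")
    total = align_up(hdr_size, sect_align)
    for i in range(nsections):
        # VirtualSize sits 8 bytes into each 40-byte section header
        vsize = struct.unpack_from("<I", pe, opt + opt_size + 40 * i + 8)[0]
        total = align_up(total + vsize, sect_align)
    return stored, total

def build_sample():
    """Constructed PE32 header set: .text plus a .bss with no raw data."""
    pe = bytearray(0x1600)                                   # 0x200 headers + 0x1400 .text
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)                   # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xH", pe, 0x84, 0x14C, 2, 0xE0)    # i386, 2 sections
    opt = 0x98
    struct.pack_into("<H", pe, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<II", pe, opt + 32, 0x1000, 0x200)     # Section/FileAlignment
    struct.pack_into("<II", pe, opt + 56, 0x103000, 0x200)   # SizeOfImage, SizeOfHeaders
    sections = [(b".text", 0x1234, 0x1000, 0x1400, 0x200),   # name, vsize, rva, raw size, raw ptr
                (b".bss", 0x100000, 0x3000, 0, 0)]           # 1 MB in memory, 0 bytes on disk
    for i, sec in enumerate(sections):
        struct.pack_into("<8sIIII", pe, opt + 0xE0 + 40 * i, *sec)
    return bytes(pe)

if __name__ == "__main__":
    sample = build_sample()
    stored, computed = size_of_image(sample)
    print(f"file {len(sample):#x}  stored {stored:#x}  recomputed {computed:#x}")
```

A recomputed total that disagrees with the stored field is worth a closer look when triaging a PE, since the two come from the same header values.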