Hi,
I have read a tutorial which says that the offset to the PE header is contained in the e_lfanew member of IMAGE_DOS_HEADER. So please tell me how to find the e_lfanew member in the exe file. What is the offset of that member?
Thanks a lot,
Chamal.
3ch if I remember correctly.
Use it like:
    add eax, [eax+3ch]    ; .e_lfanew
Where eax points to the memory containing the PE file.
http://spiff.tripnet.se/~iczelion/pe-tut2.html may be able to help you, if you take a look at this code snippet:
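    assume edi:ptr IMAGE_DOS_HEADER           ; edi points to the start of the mapped file
    .if [edi].e_magic==IMAGE_DOS_SIGNATURE    ; check for the "MZ" signature
        add edi, [edi].e_lfanew               ; edi now points to the PE header
    .endif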
After that code, edi contains the offset of the PE header, I think.
Hope this helps.
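An added example, not part of any post in this thread: the same lookup in C, treating e_lfanew as untrusted input that must be bounds-checked before it is added to a pointer. The function name find_pe_header, the helper probe_sample and its sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DOS_MAGIC        0x5A4Du  /* "MZ", IMAGE_DOS_SIGNATURE */
#define E_LFANEW_OFFSET  0x3Cu    /* offset of e_lfanew in IMAGE_DOS_HEADER */
#define DOS_HEADER_SIZE  0x40u    /* sizeof(IMAGE_DOS_HEADER) */

/* Little-endian reads, byte by byte: no alignment or host-endianness assumptions. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 and stores the file offset of the PE header in *pe_off, or a negative
 * code: -1 too short, -2 no MZ, -3 e_lfanew out of range, -4 no PE signature. */
int find_pe_header(const uint8_t *img, size_t len, uint32_t *pe_off)
{
    static const uint8_t pe_sig[4] = { 'P', 'E', 0, 0 };
    uint32_t off;

    if (len < DOS_HEADER_SIZE) return -1;
    if (rd16(img) != DOS_MAGIC) return -2;
    off = rd32(img + E_LFANEW_OFFSET);
    /* e_lfanew comes from the file: the signature must fit inside the buffer. */
    if (off > len - sizeof pe_sig) return -3;
    if (memcmp(img + off, pe_sig, sizeof pe_sig) != 0) return -4;
    *pe_off = off;
    return 0;
}

/* Constructed sample: "MZ", the given e_lfanew at 0x3C, "PE\0\0" at 0x80, truncated to
 * len bytes (max 256). Returns the PE offset found, or the negative error code. */
long probe_sample(uint32_t lfanew, size_t len)
{
    uint8_t buf[256] = {0};
    uint32_t off = 0;
    int i, rc;
    if (len > sizeof buf) len = sizeof buf;
    buf[0] = 'M'; buf[1] = 'Z';
    for (i = 0; i < 4; i++) buf[E_LFANEW_OFFSET + i] = (uint8_t)(lfanew >> (8 * i));
    memcpy(buf + 0x80, "PE\0\0", 4);
    rc = find_pe_header(buf, len, &off);
    return rc == 0 ? (long)off : (long)rc;
}

int main(void) { printf("PE header at 0x%lx\n", probe_sample(0x80, 256)); return 0; }
```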