Hello,

I'm writing a bit of code to better understand the PE format, but one thing I still can't get is how a file offset (position in the physical file on disk) is obtained from an RVA. I don't need a tool; I need to understand. Can anyone explain it (or provide the function) in terms of the members of the C structures used to read the DOS, COFF, PE and section headers?
Thx.

yaa
Posted on 2004-07-08 18:46:49 by yaa
You can look at the System library from my website, it has an RVAToFilePos function that is used in some of the PE tool functions.
Posted on 2004-07-08 18:55:28 by donkey
yaa,
I assume it is in regard to a section in the PE header (for example the .code section).

Scan all of the sections and locate the one whose VirtualAddress range contains the RVA you want.
*Note: don't forget to remove ImageBase if the RVA is something like 00402040,
so the RVA is: 00402040 - 00400000 = 0x0002040

/* inside the loop over the section headers */
if ( (RVA >= section_header->VirtualAddress) &&
     (RVA < (section_header->VirtualAddress + section_header->Misc.VirtualSize)) ) {
    return section_header;
}

Once you have the section pointer you can easily get its properties and calculate the offset:

1.
offset = ( importsStartRVA - (VirtualAddress-PointerToRawData) )
Offset = ( 0x0002040 - (0x0002000 - 0x00000600) ) ; Offset=0x0000640

or

2.
Offset = (ImportsStartRva - VirtualAddress) + PointerToRawData
Offset = (0x0002040 - 0x0002000) + 0x0000600 ; Offset=0x0000640
Posted on 2004-07-08 19:37:13 by wizzra
rva2raw:	; arguments: pointer to start of image (MZ), rva

        xor     eax,eax
        mov     edx,[esp+04h]                   ; edx = start of image
        add     edx,[edx+IMAGE_DOS_HEADER.e_lfanew] ; edx -> IMAGE_NT_HEADERS
        movzx   ecx,[edx+IMAGE_NT_HEADERS.FileHeader.NumberOfSections]
        add     edx,sizeof.IMAGE_NT_HEADERS     ; edx -> first IMAGE_SECTION_HEADER
        jecxz   .quit                           ; no sections: return 0
.next:  mov     eax,[edx+IMAGE_SECTION_HEADER.VirtualAddress]
        cmp     [esp+08h],eax
        jb      .skip                           ; rva below this section
        add     eax,[edx+IMAGE_SECTION_HEADER.VirtualSize]
        cmp     [esp+08h],eax
        jae     .skip                           ; rva past the end of this section
        mov     eax,[edx+IMAGE_SECTION_HEADER.PointerToRawData]
        sub     eax,[edx+IMAGE_SECTION_HEADER.VirtualAddress]
        add     eax,[esp+08h]                   ; eax = rva - VirtualAddress + PointerToRawData
        jmp     .quit
.skip:  add     edx,sizeof.IMAGE_SECTION_HEADER
        loop    .next
        xor     eax,eax                         ; not found: return 0
.quit:  retn    08h
Posted on 2004-07-08 22:59:52 by comrade
Thank you all.

Here is the code from donkey's library if anyone needs it ... donkey, hope you don't mind my posting it.



RVAToFilePos FRAME pFileMap,RVA
	uses edi,esi,edx,ecx

	mov esi,[pFileMap]
	add esi,[esi+IMAGE_DOS_HEADER.e_lfanew]		; esi -> IMAGE_NT_HEADERS
	mov edi,[RVA]
	mov edx,esi
	add edx,sizeof IMAGE_NT_HEADERS			; edx -> first IMAGE_SECTION_HEADER
	movzx ecx,W[esi+IMAGE_NT_HEADERS.FileHeader.NumberOfSections]
	jmp >L2
	L1:
		cmp edi,[edx+IMAGE_SECTION_HEADER.VirtualAddress]
		jl >E2					; RVA below this section
		mov eax,[edx+IMAGE_SECTION_HEADER.VirtualAddress]
		add eax,[edx+IMAGE_SECTION_HEADER.SizeOfRawData]
		cmp edi,eax
		jge >E1					; RVA past the raw data of this section
		mov eax,[edx+IMAGE_SECTION_HEADER.VirtualAddress]
		sub edi,eax
		mov eax,[edx+IMAGE_SECTION_HEADER.PointerToRawData]
		add eax,edi				; eax = RVA - VirtualAddress + PointerToRawData
		ret
	E1:
	E2:
		add edx,sizeof IMAGE_SECTION_HEADER
		dec ecx
	L2:
		or ecx,ecx
		js >
		jnz <L1
	:

	mov eax,edi					; no section matched: return the RVA unchanged
	ret
ENDF



yaa
Posted on 2004-07-09 04:42:46 by yaa
Originally posted by yaa

donkey, hope you don't mind my posting it.


Nope, don't mind at all. Though anyone can download it at any time from my website, all the source is included with the system library. It was pretty much based on an example I had seen, can't remember where, so I can't claim that it is 100% original work. For normal use you don't need to preserve edx and ecx, that is only because the functions that call it in system.lib expect them to be preserved.
Posted on 2004-07-09 10:35:25 by donkey
Originally posted by donkey

Nope, don't mind at all. Though anyone can download it at any time from my website, all the source is included with the system library. It was pretty much based on an example I had seen, can't remember where, so I can't claim that it is 100% original work. For normal use you don't need to preserve edx and ecx, that is only because the functions that call it in system.lib expect them to be preserved.


Iczelion's PE tutorials if I am not wrong. :grin:
Posted on 2004-07-09 11:37:50 by roticv



Originally posted by roticv

Iczelion's PE tutorials if I am not wrong. :grin:


That could very well be, or someone else who used it as a starting point. I just didn't want to take credit for somebody else's work so I thought I would mention that it was not completely mine.
Posted on 2004-07-09 12:06:45 by donkey
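
The lookup discussed in this thread, written in C as an added example (it is not code from any of the posters or from donkey's library). It reads the header fields by their byte offsets instead of through the windows.h structures, finds the section table with SizeOfOptionalHeader rather than sizeof IMAGE_NT_HEADERS, bounds-checks every read against the file length, and rejects an RVA that falls in the part of a section with no bytes on disk. The names rva_to_offset and make_sample and the sample sizes are made up for this example; the section numbers are the ones from wizzra's post.

```c
#include <stdint.h>
#include <string.h>

/* Little-endian field access; callers bounds-check first. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Returns 0 and stores the file offset in *off; -1 when headers are truncated,
   no section covers the RVA, or the RVA lies past the section's raw data. */
int rva_to_offset(const uint8_t *img, size_t len, uint32_t rva, uint32_t *off)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint64_t nt = rd32(img + 0x3C);                     /* e_lfanew */
    if (nt + 24 > len || memcmp(img + nt, "PE\0\0", 4)) return -1;
    uint16_t nsec = rd16(img + nt + 6);                 /* NumberOfSections */
    uint64_t tbl = nt + 24 + rd16(img + nt + 20);       /* skip SizeOfOptionalHeader bytes */
    if (tbl + nsec * 40u > len) return -1;              /* section table must fit in the file */
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *s = img + tbl + i * 40u;         /* IMAGE_SECTION_HEADER */
        uint32_t vsize = rd32(s + 8), va = rd32(s + 12);
        uint32_t rsize = rd32(s + 16), raw = rd32(s + 20);
        if (vsize == 0) vsize = rsize;                  /* some linkers leave VirtualSize 0 */
        if (rva < va || rva - va >= vsize) continue;    /* RVA not in this section */
        if (rva - va >= rsize || (uint64_t)raw + (rva - va) >= len) return -1;
        *off = raw + (rva - va);                        /* RVA - VirtualAddress + PointerToRawData */
        return 0;
    }
    return -1;
}

/* Constructed sample: one section with VirtualAddress 0x2000 and PointerToRawData 0x600. */
size_t make_sample(uint8_t *img)                        /* img: at least 0x800 bytes */
{
    memset(img, 0, 0x800);
    img[0] = 'M'; img[1] = 'Z'; wr32(img + 0x3C, 0x80); /* e_lfanew = 0x80 */
    memcpy(img + 0x80, "PE\0\0", 4);
    img[0x80 + 6] = 1; img[0x80 + 20] = 0xE0;           /* NumberOfSections, SizeOfOptionalHeader */
    uint8_t *s = img + 0x80 + 24 + 0xE0;                /* first section header */
    wr32(s + 8, 0x1000); wr32(s + 12, 0x2000);          /* VirtualSize, VirtualAddress */
    wr32(s + 16, 0x200); wr32(s + 20, 0x600);           /* SizeOfRawData, PointerToRawData */
    return 0x800;
}

int main(void)
{
    static uint8_t img[0x800];
    uint32_t off = 0;
    return rva_to_offset(img, make_sample(img), 0x2040, &off) || off != 0x640;
}
```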