All this was done on OS=win98

I have an exe file which has
section alignment = 1000h
file alignment = 200h

Since section alignment = 1000h, then Size of Raw Data should be N*1000h, right?

But looking in the PE section I found that Size of Raw Data equals
sec1 = 1200h
sec2 = 200h
sec3 = D200h

i.e. they are aligned to file alignment, and the file works fine.


Changing Section alignment
section alignment = 0h, and I got the error "The PE is improperly linked with alignment less than 0x1000"
section alignment = 200h, the same error
section alignment = 1452h, PE works fine

Changing File Alignment
file alignment = 123h, PE works fine
file alignment = 300h, PE works fine
file alignment = 1234h, PE works fine


Could anyone explain?
And do section alignment & file alignment have no meaning?

Sa6ry
Posted on 2002-03-05 13:56:32 by Sa6ry
Normally, you shouldn't mess with section alignment. It's 4K because Windows allocates memory in 4K pages.

File alignment is simply how the sections are stored in the EXE. When the EXE is loaded into memory, sections are always moved to the next 4K (or section alignment) boundary, no matter how they're stored in the EXE. Using a small file align gets rid of some of the extra space that may be at the end of a previous section, but that "lost space" is added back when the section is loaded into memory. :)
Posted on 2002-03-05 22:43:30 by S/390
Is this the virtual alignment or the physical alignment? Virtual will be what is done in memory, and physical is what is done to the file on the harddrive.
Posted on 2002-03-06 02:00:00 by Jag
First, thanks S/390 & Jag for the replies.
I got an answer from Lord Julus through virus-list@yahoogroups.com which answers my question.

Here is his message:

===========
Hi!

All sections are aligned to Section Alignment when loaded into the
memory and to File Alignment when in the file. So, changing the file
alignment in the header will not affect anything because the sections
will still be loaded based on their size and physical address. The
purpose of the file alignment of 200h was, in the beginning, to be
equal to the size of a disk sector or something like that, in order
to optimize the speed of reading from the HDD (because if the whole
sector was read at once it's supposed to be quicker; actually I am not
very keen about that, but this is what i heard; of course with the
large hdds nowadays it probably doesn't matter). The section
alignment of 1000h is related to protected mode pages, if i recall
correctly this is the size of a page (that receives different
rights), so it makes sense to have the section rounded up to that,
because the entire page has to receive the same rights. Again, I am
no expert in protected mode either, but... this is what I heard ;-)

However WindowsNT and its next generations will NEVER load a PE file
unless its image is correct, unlike Win9x, which will load PE files
with structure mistakes.

Changing the section alignment will result in unpredictable stuff
happening, but in my testing (not too many) I wasn't able to crash
one...

Try to run your examples on NT and you will see...

best,
LJ
========
Posted on 2002-03-06 23:51:09 by Sa6ry
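To make the on-disk versus in-memory distinction from the replies above concrete, here is an added example (not code from any poster in this thread) that reads SectionAlignment and FileAlignment from a PE header and reports each section's raw size next to its footprint rounded up to SectionAlignment. The header bytes are constructed from the values in the question; section names and VirtualSize values are assumptions, and the FileAlignment range and the SectionAlignment >= FileAlignment rule are taken from Microsoft's PE format documentation.

```python
import struct

PAGE = 0x1000  # x86 page size mentioned in the replies

def align_up(value, alignment):
    """Round value up to a multiple of alignment (0 is treated as 1)."""
    alignment = alignment or 1
    return (value + alignment - 1) // alignment * alignment

def build_sample(sec_align, file_align, sections):
    """Constructed header-only PE32 image: (name, VirtualSize, SizeOfRawData)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<II", opt, 32, sec_align, file_align)
    table = b"".join(struct.pack("<8sIIII12xI", n, v, 0, r, 0, 0)
                     for n, v, r in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

def check_alignment(data):
    """Return header findings and each section's on-disk vs in-memory size."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    sec_align, file_align = struct.unpack_from("<II", data, pe + 24 + 32)
    findings = []
    if sec_align < PAGE:
        findings.append("SectionAlignment below 1000h")
    if sec_align < file_align:
        findings.append("SectionAlignment smaller than FileAlignment")
    if not 0x200 <= file_align <= 0x10000 or file_align & (file_align - 1):
        findings.append("FileAlignment not a power of two in 200h..10000h")
    sections = []
    for i in range(nsec):
        off = pe + 24 + opt_size + 40 * i
        name, vsize, _, raw = struct.unpack_from("<8sIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw": raw,
                         "raw_aligned": bool(file_align) and raw % file_align == 0,
                         "mem": align_up(vsize or raw, sec_align)})
    return findings, sections

# Question's values: 1000h / 200h, raw sizes 1200h, 200h, D200h (rest constructed).
SAMPLE = build_sample(0x1000, 0x200, [(b".text", 0x1150, 0x1200),
                                      (b".data", 0x1A4, 0x200),
                                      (b".rsrc", 0xD0F0, 0xD200)])
```

Calling `check_alignment(SAMPLE)` gives no findings, with the three sections occupying 2000h, 1000h and E000h in memory; rebuilding the sample with the altered alignments tried in the question makes the same function flag the header.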