PE Headers Oct 19 2005 08:28PM
keydet89 yahoo com (2 replies)
Re: PE Headers Oct 19 2005 08:59PM
Jonathon Giffin (giffin cs wisc edu)
keydet89 (at) yahoo (dot) com [email concealed] wrote:
> I've gotten to the point where I can read the Import Table, obtaining the IMAGE_IMPORT_DESCRIPTORs (IID). What I'm looking for at this point is how to convert the RVAs in the IID to an offset within the binary itself.
>
> I've opened the file in Perl, in binary mode and can easily read the DOS and PE headers, as well as the Optional Headers, Data Directories, etc. I can even read the Bound Import Table. I'm stuck on how to convert the RVAs into static offsets within the file itself.
>
> I've located several resources on the web, from tutorials to explanations. My understanding is that the virtual address = RVA + image_base_address (ie, from the optional header).
>
> Assistance is appreciated.

You're almost there. You just need to figure out how to calculate the
value that you called image_base_address.

What has worked for me as the base address is the section header
PointerToRawData value minus the section header VirtualAddress value. Then

file_offset = iid.foo + sh.PointerToRawData - sh.VirtualAddress

where sh is the section header containing the import directory and iid
is one of the image import descriptors contained in the directory.

As an example, to read the import name, just do
fseek(fd, iid.Name + sh.PointerToRawData - sh.VirtualAddress, SEEK_SET)
and the file pointer for file descriptor fd will now be at the start of
a null-terminated C-string containing the imported DLL name.

Sorry, I don't know perl so I gave the code fragments above in C.

I hope this works for you.

Jon

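Jon's mapping as an added, runnable Python example (not code from the original post): a section-table walk to find the section containing an RVA, the offset formula applied to it, and a constructed 2 KiB stand-in for a PE image so it runs offline. The constructed image, the field names and the section-table location (0x100) are assumptions; the one check beyond Jon's formula is that an RVA past a section's SizeOfRawData has no byte on disk (the loader zero-fills it), so it returns None instead of a bogus offset.

```python
import struct
from typing import List, NamedTuple, Optional

# Constructed example for this thread; not code from the original post.
# The mapping itself is Jon's: offset = rva - sh.VirtualAddress + sh.PointerToRawData.
# Everything around it (section-table parsing, sample image) is an added assumption.
IMAGE_SECTION_HEADER = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER, little-endian

class Section(NamedTuple):
    name: str
    virtual_size: int
    virtual_address: int
    size_of_raw_data: int
    pointer_to_raw_data: int

def parse_section_headers(data: bytes, offset: int, count: int) -> List[Section]:
    """Parse `count` section headers at `offset` (in a real file: after the Optional Header)."""
    secs = []
    for i in range(count):
        f = struct.unpack_from(IMAGE_SECTION_HEADER, data, offset + i * 40)
        secs.append(Section(f[0].rstrip(b"\0").decode("ascii", "replace"), f[1], f[2], f[3], f[4]))
    return secs

def rva_to_offset(rva: int, sections: List[Section]) -> Optional[int]:
    """Map an RVA to a file offset via the section containing it; None if it has no bytes on disk."""
    for sh in sections:
        span = max(sh.virtual_size, sh.size_of_raw_data)
        if sh.virtual_address <= rva < sh.virtual_address + span:
            delta = rva - sh.virtual_address
            # Past SizeOfRawData the section exists only once mapped (zero-filled by the loader)
            return sh.pointer_to_raw_data + delta if delta < sh.size_of_raw_data else None
    return None

def read_cstring(data: bytes, offset: int) -> str:
    """Read the NUL-terminated name that an IID.Name RVA points at."""
    return data[offset:data.index(b"\0", offset)].decode("ascii")

def build_sample_image() -> bytes:
    """Constructed stand-in for a PE: two section headers at 0x100, a DLL name inside .idata."""
    hdrs = struct.pack(IMAGE_SECTION_HEADER, b".text", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    hdrs += struct.pack(IMAGE_SECTION_HEADER, b".idata", 0x300, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    img = bytearray(0x800)
    img[0x100:0x100 + len(hdrs)] = hdrs
    img[0x680:0x68D] = b"KERNEL32.dll\0"   # sits at RVA 0x2080 once mapped
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_image()
    secs = parse_section_headers(image, 0x100, 2)
    off = rva_to_offset(0x2080, secs)
    print(hex(off), read_cstring(image, off))  # → 0x680 KERNEL32.dll
```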
Copyright 2010, SecurityFocus