Phishing & BotNets
PE Headers Oct 19 2005 08:28PM
keydet89 yahoo com (2 replies)
Re: PE Headers Oct 19 2005 09:12PM
Xman Security (xmansecurity gmail com)
If you have the section headers, you should be able to identify the VirtAddr
of each section and the raw data offset in the binary itself. By combining
this information with the RVA, you should be able to convert the RVA to the
offset in the binary itself.
A simple example is as follows:
.text VirtAddr 401000 raw data offset 200
.data VirtAddr 402000 raw data offset 300

RVA: 4010A0 will be raw data offset 2A0
RVA: 4020B0 will be raw data offset 3B0

For more details, you can refer to these 2 articles from Matt Pietrek:
http://msdn.microsoft.com/msdnmag/issues/02/02/PE/default.aspx
http://msdn.microsoft.com/msdnmag/issues/02/03/PE2/default.aspx

/ba

On 19 Oct 2005 20:28:41 -0000, keydet89 (at) yahoo (dot) com wrote:
>
> All,
>
> I'm digging into the PE header format, writing a Perl script for parsing
> information.
>
> I've gotten to the point where I can read the Import Table, obtaining the
> IMAGE_IMPORT_DESCRIPTORs (IID). What I'm looking for at this point is how to
> convert the RVAs in the IID to an offset within the binary itself.
>
> I've opened the file in Perl, in binary mode and can easily read the DOS
> and PE headers, as well as the Optional Headers, Data Directories, etc. I
> can even read the Bound Import Table. I'm stuck on how to convert the RVAs
> into static offsets within the file itself.
>
> I've located several resources on the web, from tutorials to explanations.
> My understanding is that the virtual address = RVA + image_base_address (ie,
> from the optional header).
>
> Assistance is appreciated.
>
> Thanks,
>
> H. Carvey
> "Windows Forensics and Incident Recovery"
> http://www.windows-ir.com
> http://windowsir.blogspot.com
>

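A worked example of the RVA-to-file-offset conversion described in the reply above, added here and not part of the thread (the original poster was writing Perl; this is Python using only the standard library). It builds a constructed, headers-only PE32 image whose section table mirrors the reply's numbers (.text at RVA 0x1000 with raw data at 0x200, .data at RVA 0x2000 with raw data at 0x300, ImageBase 0x400000; every value is constructed, not taken from a real binary), parses the section headers, and converts both RVAs and full virtual addresses to file offsets. It also covers two cases the reply does not spell out: an RVA that falls inside the headers (mapped 1:1 from file offset 0), and an RVA inside a section's virtual span but past its raw data (the .bss case), which has no file offset at all.

```python
import struct

IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
FILE_HEADER_FMT = "<HHIIIHH"


def build_sample_image():
    """Constructed headers-only PE32 image mirroring the thread's example; not a real binary."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 0xE0  # size of a PE32 optional header
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase (PE32 layout)
    struct.pack_into("<I", opt, 32, 0x1000)    # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)     # FileAlignment
    sections = (
        # .text: VirtualSize 0x1000, RVA 0x1000, raw size 0x100, raw offset 0x200
        struct.pack(SECTION_HEADER_FMT, b".text", 0x1000, 0x1000, 0x100, 0x200, 0, 0, 0, 0, 0x60000020),
        # .data: VirtualSize 0x1000, RVA 0x2000, raw size 0x200, raw offset 0x300
        struct.pack(SECTION_HEADER_FMT, b".data", 0x1000, 0x2000, 0x200, 0x300, 0, 0, 0, 0, 0xC0000040),
    )
    image = dos + IMAGE_NT_SIGNATURE + file_hdr + bytes(opt) + b"".join(sections)
    return image.ljust(0x500, b"\0")  # pad so every raw-data range lies inside the buffer


def parse_pe(data):
    """Return (ImageBase, [section dicts]) read from the DOS, PE and section headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    file_hdr_off = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER_FMT, data, file_hdr_off)
    opt_off = file_hdr_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec_off = opt_off + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HEADER_FMT, data, sec_off + i * 40)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": f[1], "virtual_address": f[2],
            "raw_size": f[3], "raw_offset": f[4],
        })
    return image_base, sections


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table; None if it is not file-backed."""
    first_va = min(s["virtual_address"] for s in sections) if sections else 0
    if rva < first_va:
        return rva  # headers are mapped 1:1 from file offset 0
    for s in sections:
        # Some packers zero VirtualSize, so use the larger of the two sizes as the span.
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            delta = rva - s["virtual_address"]
            if delta >= s["raw_size"]:
                return None  # in the section's virtual span but past its raw data (.bss)
            return s["raw_offset"] + delta
    return None


def va_to_offset(va, image_base, sections):
    """VA = ImageBase + RVA, as the original post states, so subtract the base first."""
    if va < image_base:
        return None
    return rva_to_offset(va - image_base, sections)


if __name__ == "__main__":
    base, secs = parse_pe(build_sample_image())
    for s in secs:
        print("%-6s RVA %06X raw offset %03X" % (s["name"], s["virtual_address"], s["raw_offset"]))
    for va in (0x4010A0, 0x4020B0):
        print("VA %X -> file offset %X" % (va, va_to_offset(va, base, secs)))
```

Running the block prints the two mappings from the reply (0x4010A0 to offset 0x2A0, 0x4020B0 to offset 0x3B0). The same `rva_to_offset` call is what the original poster needs for the IMAGE_IMPORT_DESCRIPTOR fields: the OriginalFirstThunk, Name and FirstThunk values are RVAs, so each one is looked up against the section table before the bytes are read from the file.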
Re: PE Headers Oct 19 2005 08:59PM
Jonathon Giffin (giffin cs wisc edu)
Copyright 2010, SecurityFocus