Phishing & BotNets
Re: PE Headers Oct 20 2005 01:41PM
Harlan Carvey (keydet89 yahoo com)

Thanks for the response...

> If you have the section headers, you should be able
> to identify the VirtAddr
> of each section and the raw data offset in the
> binary itself.

Yes, I can see that. For example, I've pulled this
information from netstat.exe:

Section Name : .text
Virtual Size : 0x4848
Virtual Address : 0x1000
Pointer to Raw Data : 0x400
Size of Raw Data : 0x4A00
Section Characteristics:

Section Name : .data
Virtual Size : 0xb30
Virtual Address : 0x6000
Pointer to Raw Data : 0x4E00
Size of Raw Data : 0xA00
Section Characteristics:

As you can see, I can easily view the Virtual Address,
as well as the Pointer to Raw Data.

> By combining
> this information with the RVA, you should be able to
> convert the RVA to the offset in the binary itself.
> A simple example is as follows:
> .text VirtAddr 401000 raw data offset 200
> .data VirtAddr 402000 raw data offset 300
> RVA: 4010A0 will be raw data offset 2A0
> RVA: 4020B0 will be raw data offset 3B0

Can you be more specific on what you mean by

Also, since my original question was with regards to
the Import Table, which section would I be interested
in? .data? More importantly, what if the section
names are non-standard, as can be the case with

> For more details, you can refer to these 2 articles
> from Matt Pietrek:

I have both of those articles strewn across my
desk...I printed them out over a month ago. If you
could point me to the paragraph within either article
that answers my question, I'd appreciate it. After
all, I've been going through these articles, and felt
that I had to ask the question.



Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus