Phishing & BotNets
Re: PE Headers Oct 20 2005 01:59PM
Harlan Carvey (keydet89 yahoo com) (1 replies)
Jonathon,

Thanks for the response.

> You're almost there. You just need to figure out how to calculate the
> value that you called image_base_address.
>
> What has worked for me as the base address is the section header
> PointerToRawData value minus the section header VirtualAddress value. Then
>
> file_offset = iid.foo + sh.PointerToRawData - sh.VirtualAddress
>
> where sh is the section header containing the import directory and iid
> is one of the image import descriptors contained in the directory.
>
> As an example, to read the import name, just do
> fseek(fd, iid.Name + sh.PointerToRawData - sh.VirtualAddress, SEEK_SET)
> and the file pointer for file descriptor fd will now be at the start of
> a null-terminated C-string containing the imported DLL name.
>
> Sorry, I don't know perl so I gave the code fragments above in C.

Let me show you what I've got...from reading the
headers of netstat.exe, I've got:

Section Name : .text
Virtual Size : 0x4848
Virtual Address : 0x1000
Pointer to Raw Data : 0x400
Size of Raw Data : 0x4A00
Section Characteristics:
-> IMAGE_SCN_CNT_CODE
-> IMAGE_SCN_MEM_EXECUTE
-> IMAGE_SCN_MEM_READ

Section Name : .data
Virtual Size : 0xb30
Virtual Address : 0x6000
Pointer to Raw Data : 0x4E00
Size of Raw Data : 0xA00
Section Characteristics:
-> IMAGE_SCN_CNT_INITIALIZED_DATA
-> IMAGE_SCN_MEM_READ
-> IMAGE_SCN_MEM_WRITE

So, as you can see, I have the .text and .data
sections. I've purposely excluded the .rsrc section
here.

Based on what you've said, given the information from
the .data section above, the calculation of
"sh.PointerToRawData - sh.VirtualAddress" is a
negative number.

From the headers of netstat.exe, I can pull the
IMAGE_IMPORT_DESCRIPTORs. The RVA for the DLL Name for
the first descriptor is 0x5354. Using the calculation
above for the .text section, the offset within the
file for the DLL name is 0x4754. This works out
perfectly.

I guess what I'm not getting from this point, from any
source, is this...when dealing with the RVAs in the
IMAGE_IMPORT_DESCRIPTOR, how does one determine the
particular section to be used? I'm assuming that the
RVAs for the import lookup table and the import
address table would be in the .data section, and the
RVA for the DLL name would be within the .text
section, but how do you calculate the offsets for
sections with non-standard names? Should I instead be
looking at the characteristics of the section?

Thanks,

Harlan

------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------

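The calculation quoted in this message, worked through on the netstat.exe section table posted above, as an added example in C (not code from either poster). It chooses the section by checking which section's virtual address range contains the RVA, rather than by section name or characteristics, and it computes the offset as `(rva - VirtualAddress) + PointerToRawData` in unsigned arithmetic so the negative intermediate seen for .data never arises. It also refuses RVAs that fall in a section's in-memory tail beyond SizeOfRawData, where there are no bytes in the file to read. The struct, the function names and the section table array are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Just the IMAGE_SECTION_HEADER fields the RVA-to-offset step needs
 * (field names as in winnt.h); the struct itself is this example's own. */
typedef struct {
    const char *Name;
    uint32_t    VirtualSize;
    uint32_t    VirtualAddress;
    uint32_t    SizeOfRawData;
    uint32_t    PointerToRawData;
} section_hdr;

/* Section table for netstat.exe exactly as posted in the message
 * (.rsrc was left out there as well). */
static const section_hdr netstat_sections[] = {
    { ".text", 0x4848, 0x1000, 0x4A00, 0x0400 },
    { ".data", 0x0B30, 0x6000, 0x0A00, 0x4E00 },
};
static const size_t netstat_section_count =
    sizeof netstat_sections / sizeof netstat_sections[0];

/* Find the section whose virtual range covers rva, or NULL if none does
 * (e.g. an RVA inside the PE headers, or a bogus RVA in a damaged file).
 * Matching is by address range only, so renamed or packed sections are
 * handled the same way as .text and .data. */
const section_hdr *section_for_rva(const section_hdr *secs, size_t n, uint32_t rva)
{
    for (size_t i = 0; i < n; i++) {
        uint32_t start = secs[i].VirtualAddress;
        /* A section can be larger on disk than in memory (file alignment
         * padding) or larger in memory than on disk (uninitialised tail);
         * take the larger of the two as the extent of its virtual range. */
        uint32_t len = secs[i].VirtualSize > secs[i].SizeOfRawData
                         ? secs[i].VirtualSize : secs[i].SizeOfRawData;
        if (rva >= start && rva - start < len)
            return &secs[i];
    }
    return NULL;
}

/* Translate an RVA to a file offset:
 *   file_offset = rva + PointerToRawData - VirtualAddress
 * Returns -1 when the RVA belongs to no section, or lies in the part of a
 * section that exists only in memory (past SizeOfRawData), so a caller
 * never fseek()s to a meaningless position. */
long rva_to_file_offset(const section_hdr *secs, size_t n, uint32_t rva)
{
    const section_hdr *sh = section_for_rva(secs, n, rva);
    if (sh == NULL)
        return -1;
    uint32_t delta = rva - sh->VirtualAddress;   /* never negative: rva >= VirtualAddress */
    if (delta >= sh->SizeOfRawData)
        return -1;                               /* in-memory tail, no file bytes */
    return (long)(delta + sh->PointerToRawData);
}

int main(void)
{
    /* The DLL-name RVA from the first import descriptor in the message. */
    uint32_t rva = 0x5354;
    const section_hdr *sh = section_for_rva(netstat_sections, netstat_section_count, rva);
    long off = rva_to_file_offset(netstat_sections, netstat_section_count, rva);
    printf("RVA 0x%04x -> section %s, file offset 0x%04lx\n",
           rva, sh ? sh->Name : "(none)", off);
    return 0;
}
```

Running it reports RVA 0x5354 in .text at file offset 0x4754, matching the figure worked out by hand in the message; an RVA such as 0x6010 resolves through .data to 0x4E10 by the same rule, while 0x6A80 (inside .data's VirtualSize of 0xB30 but past its 0xA00 bytes of raw data) is rejected.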
Re: PE Headers Oct 20 2005 02:53PM
Jonathon Giffin (giffin cs wisc edu)
Copyright 2010, SecurityFocus