Phishing & BotNets
PE Headers Oct 19 2005 08:28PM
keydet89 yahoo com (2 replies)

I'm digging into the PE header format, writing a Perl script for parsing information.

I've gotten to the point where I can read the Import Table, obtaining the IMAGE_IMPORT_DESCRIPTORs (IID). What I'm looking for at this point is how to convert the RVAs in the IID to an offset within the binary itself.

I've opened the file in Perl, in binary mode and can easily read the DOS and PE headers, as well as the Optional Headers, Data Directories, etc. I can even read the Bound Import Table. I'm stuck on how to convert the RVAs into static offsets within the file itself.

I've located several resources on the web, from tutorials to explanations. My understanding is that the virtual address = RVA + image_base_address (i.e., from the optional header).

Assistance is appreciated.


H. Carvey
"Windows Forensics and Incident Recovery"
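
Added example (not part of the original post or its replies): an RVA is translated to a file offset through the section table, by finding the section whose virtual range contains the RVA and computing RVA - VirtualAddress + PointerToRawData; the image base is not involved. The sub names, the section values and the RVA 0x3010 are constructed for illustration.

```perl
use strict;
use warnings;

# Parse $count IMAGE_SECTION_HEADER records (40 bytes each) from $table.
sub parse_sections {
    my ($table, $count) = @_;
    my @sections;
    for my $i (0 .. $count - 1) {
        # Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        my ($name, $vsize, $va, $raw_size, $raw_ptr) =
            unpack('Z8 V4', substr($table, $i * 40, 40));
        push @sections, { name => $name, vsize => $vsize, va => $va,
                          raw_size => $raw_size, raw_ptr => $raw_ptr };
    }
    return @sections;
}

# Map an RVA to a file offset; returns undef when no bytes on disk back it.
sub rva_to_offset {
    my ($rva, $size_of_headers, @sections) = @_;
    for my $s (@sections) {
        my $span = $s->{vsize} || $s->{raw_size};  # VirtualSize can be 0
        next unless $rva >= $s->{va} && $rva < $s->{va} + $span;
        my $delta = $rva - $s->{va};
        # Past SizeOfRawData the loader zero-fills; nothing to read in the file.
        return $delta < $s->{raw_size} ? $s->{raw_ptr} + $delta : undef;
    }
    # The headers are mapped from file offset 0, so RVA == offset there.
    return $rva < $size_of_headers ? $rva : undef;
}

# Constructed sample section table (not taken from a real binary).
my $hdr = 'a8 V6 v2 V';
my $table = join '',
    pack($hdr, '.text',  0x1a00, 0x1000, 0x1c00, 0x0400, 0, 0, 0, 0, 0x60000020),
    pack($hdr, '.idata', 0x0200, 0x3000, 0x0200, 0x2000, 0, 0, 0, 0, 0xc0000040),
    pack($hdr, '.data',  0x1000, 0x4000, 0x0200, 0x2200, 0, 0, 0, 0, 0xc0000040);
my @sections = parse_sections($table, 3);

# 0x3010 stands in for the import directory RVA from the data directories.
for my $rva (0x80, 0x3010, 0x4800, 0x9000) {
    my $off = rva_to_offset($rva, 0x400, @sections);
    printf "RVA 0x%04x -> %s\n", $rva,
        defined $off ? sprintf('file offset 0x%04x', $off) : 'not in file';
}
```

In a real parser the section table starts right after the optional header, and the section count comes from NumberOfSections in the file header; treating an unmapped RVA as an error rather than guessing matters when the binary is malformed or packed.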

Re: PE Headers Oct 19 2005 09:12PM
Xman Security (xmansecurity gmail com)
Re: PE Headers Oct 19 2005 08:59PM
Jonathon Giffin (giffin cs wisc edu)


Copyright 2010, SecurityFocus