Mo7attem
May 10th, 2007, 04:22
Hi all
I'm confused between the two members in the SECTION HEADER, the VirtualSize, and the SizeOfRawData, I've read a lot of tutorials about PE files, and as I understood: the VirtualSize is the total size of the section "in memory", and the SizeOfRawData is the total size of the section on the "Hard Disk" , I've also read that the SizeOfRawData may be greater than the VirtualSize, this because the linkers (or compliers, I forgot
) are tend to round the section up to the "FileAlignment", and in this case the rest of the size in the SizeOfRawData is filled with "Zeros", at this point I have no problem ..
but Here I get confused: while I was checking some PE files, I found some of them have VirtualSize GREATER than SizeOfRawData !!! How this can be ?!
as I understood the VirtualSize in fact is a part of SizeOfRawData, but how can it be greater than it ? for example: if the SizeOfRawData is 500byte , the PE loader will load the VirtualSize in Memory, which may be all of SizeOfRawData, or it may be some of it (400byte for example).
but how can The PE loader load the VirtualSize if it size is "say" 700byte ?! where will the "extra" 200bytes come from ?!
the total size of the section is only 500byte in the desk! how to load 700 in memory :|
I don't know where I have the misunderstood,
I hope you've understood my confusion, and please help me!
btw: I have a satisfactory (but little) experience with PE files, I know how change EP, how to add code, how to crypt certain sections, how to convert RVA or (VA) to Offset and vice-versa, and I've read about 4 or 5 good tutorials about PE files, but I didn't find the answer of my question :|
I'm confused between the two members in the SECTION HEADER, the VirtualSize, and the SizeOfRawData, I've read a lot of tutorials about PE files, and as I understood: the VirtualSize is the total size of the section "in memory", and the SizeOfRawData is the total size of the section on the "Hard Disk" , I've also read that the SizeOfRawData may be greater than the VirtualSize, this because the linkers (or compliers, I forgot

but Here I get confused: while I was checking some PE files, I found some of them have VirtualSize GREATER than SizeOfRawData !!! How this can be ?!
as I understood the VirtualSize in fact is a part of SizeOfRawData, but how can it be greater than it ? for example: if the SizeOfRawData is 500byte , the PE loader will load the VirtualSize in Memory, which may be all of SizeOfRawData, or it may be some of it (400byte for example).
but how can The PE loader load the VirtualSize if it size is "say" 700byte ?! where will the "extra" 200bytes come from ?!
the total size of the section is only 500byte in the desk! how to load 700 in memory :|
I don't know where I have the misunderstood,
I hope you've understood my confusion, and please help me!
btw: I have a satisfactory (but little) experience with PE files, I know how change EP, how to add code, how to crypt certain sections, how to convert RVA or (VA) to Offset and vice-versa, and I've read about 4 or 5 good tutorials about PE files, but I didn't find the answer of my question :|