
View Full Version : Section Table Question


netpumber
May 25th, 2010, 10:34
Hello everybody.. I have a little question..

Here is the definition of Section_header

Code:
typedef struct _IMAGE_SECTION_HEADER {
    BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];
    union {
        DWORD PhysicalAddress;
        DWORD VirtualSize;
    } Misc;
    DWORD VirtualAddress;
    DWORD SizeOfRawData;
    DWORD PointerToRawData;
    DWORD PointerToRelocations;
    DWORD PointerToLinenumbers;
    WORD  NumberOfRelocations;
    WORD  NumberOfLinenumbers;
    DWORD Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;


And here is a simple image example with one section table (.text)

http://img594.imageshack.us/img594/5157/hexk.jpg

The hex code in green is the PointerToRawData.. Am I right?

I'm trying to understand why this is the PointerToRawData..

The Name of the struct is always 8 bytes (if I remember) so.. we add these

DWORD PhysicalAddress;
DWORD VirtualSize;
DWORD VirtualAddress;
DWORD SizeOfRawData;

4 bytes each one.. And we have

8 + (4*4) = 32 But the PointerToRawData starts at the 21st byte..

Any explanation ?

Thanks in advance

BoB
May 25th, 2010, 11:24
Hi netpumber,
The reason is this part of the structure:
Code:
union {
    DWORD PhysicalAddress;
    DWORD VirtualSize;
} Misc;


Union means the field entries use the same memory, which is the size of the biggest field (4 in this case).
So setting PhysicalAddress to a value will also change VirtualSize, as they use the same memory.
Anyway, in use this field is always just VirtualSize, so you can redefine the structure if you wish like so:

Code:
typedef struct _IMAGE_SECTION_HEADER {
    BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];
    DWORD VirtualSize;          /* replaces the Misc union; same 4 bytes */
    DWORD VirtualAddress;
    DWORD SizeOfRawData;
    DWORD PointerToRawData;
    DWORD PointerToRelocations;
    DWORD PointerToLinenumbers;
    WORD  NumberOfRelocations;
    WORD  NumberOfLinenumbers;
    DWORD Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;


Have fun!
BoB
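
An added example, not part of the original thread: a portable C check of the layout discussed above, showing that the union occupies 4 bytes, so PointerToRawData sits at offset 20 (the 21st byte) of a 40-byte header. The `SectionHeader` type, the helper names and the sample bytes are constructed for illustration; fixed-width `stdint.h` types stand in for BYTE/WORD/DWORD.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for IMAGE_SECTION_HEADER using fixed-width types (assumption). */
typedef struct {
    uint8_t  Name[8];            /* IMAGE_SIZEOF_SHORT_NAME is 8 */
    union {
        uint32_t PhysicalAddress;
        uint32_t VirtualSize;
    } Misc;                      /* both members share the same 4 bytes */
    uint32_t VirtualAddress;
    uint32_t SizeOfRawData;
    uint32_t PointerToRawData;
    uint32_t PointerToRelocations;
    uint32_t PointerToLinenumbers;
    uint16_t NumberOfRelocations;
    uint16_t NumberOfLinenumbers;
    uint32_t Characteristics;
} SectionHeader;

/* Constructed sample: one 40-byte header for a ".text" section. */
static const uint8_t sample[40] = {
    '.','t','e','x','t',0,0,0,   /* Name                        */
    0x26,0x00,0x00,0x00,         /* Misc.VirtualSize   = 0x26   */
    0x00,0x10,0x00,0x00,         /* VirtualAddress     = 0x1000 */
    0x00,0x02,0x00,0x00,         /* SizeOfRawData      = 0x200  */
    0x00,0x04,0x00,0x00,         /* PointerToRawData   = 0x400  */
    0,0,0,0, 0,0,0,0, 0,0, 0,0,  /* relocation/line-number fields */
    0x20,0x00,0x00,0x60          /* Characteristics = 0x60000020 */
};

size_t union_size(void)         { return sizeof(((SectionHeader *)0)->Misc); }
size_t raw_pointer_offset(void) { return offsetof(SectionHeader, PointerToRawData); }
size_t header_size(void)        { return sizeof(SectionHeader); }

/* Read PointerToRawData (little-endian on disk); -1 if the buffer is truncated. */
int raw_pointer_of(const uint8_t *hdr, size_t len, uint32_t *out) {
    if (len < sizeof(SectionHeader)) return -1;
    const uint8_t *p = hdr + raw_pointer_offset();
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return 0;
}

int main(void) {
    uint32_t ptr = 0;
    printf("union=%zu offset=%zu size=%zu\n", union_size(), raw_pointer_offset(), header_size());
    if (raw_pointer_of(sample, sizeof sample, &ptr) == 0) printf("PointerToRawData=0x%X\n", (unsigned)ptr);
    return 0;
}
```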

netpumber
May 25th, 2010, 11:51
Excellent explanation.. Thanks a lot BoB


ronnie291983
May 27th, 2010, 00:07
I think he was checking to see whether anybody here knew what a "Union" is