Hi

I've been messing around writing my own PE library, and when testing out the PE dump functions I have found something interesting. Sometimes the virtual size can be greater than that of the raw data.

Example (kernel32.dll):
Section: .data
Virtual Size: 9752
Size Of Raw Data: 9216

My question is, what does the PE loader do to fill the bytes it has no data for in memory? My guess would be it fills the difference with 0x00 or similar. This is still a bit confusing though, because I thought the compiler would be required to instead expand the amount of raw data so its >= the virtual size..

Thanks in advance!

4543

Does it matter whether it's filled with 0x00 or random data?

Is it of practical value? Unlikely, but I am simply curious about best practice for this kind of situation.

4543

The size difference is important. It's not just random data that will go in that gap when the program is running.

You have the choice.. you can have it all set to zero on disk and have VirtualSize=RawSize
or
set the rawsize accordingly and let windows handle the rest at load time (but usually this involves rebasing a lot of the PE structures)

These differences usuallly occur when you define global, un-initialized variables.
ex:
some_var db ?

It's a LOT easier to keep the VirtualSize and RawSize match 1:1, but your exes tend to get very big.

Hmm, OK, thanks. I thought that unintialized data should go in .bss though? Actually if what you say is true, shouldnt the RawSize of a .bss section always be 0, with Virtual Size equal the amount of storage required?

.bss could be merged with .data

As for the 2nd question, I have never investigated that, but I suppose it depends on many things, compiler, linker, ...

OK, thank you very much for your help and insight!

On a related note, I'm about to embark on a real adventure: I've resolved a nasty undefined base class problem in my library I'm going to add code so it can write an EXE out again...

4543