Hello,

is there a good tool around that after having parsed a PE file is capable of converting RVAs on that PE file to physical addresses?
BTW is it correct that to convert RVAs to physical addresses the specific PE file header must be first analyzed?
Thx.


yaa

There are a lot of tools providing the feature you ask for. I am fond of PEditor, but it's a matter of taste. In reply to your question: you only must scan the section table - located just after the PE header - to be able to convert between RVAs and offsets.

Peres

There are a lot of tools providing the feature you ask for.

sure!!! just do a little google search and you'll see

btw i recomend you to make a better effort and read the rulez + faq again, in case you ever did, of this board before posting again ....

Regards

I found Iczelion's. It seems to do the job fine. I didn't know of PEditor. If I hadn't asked I would not have known .... and I did ask google. It seems that this time Peres was better then google.

yaa

Do not ask where to get the Tools of our Trade. Do not even think about asking for them.

it's sad that maybe you don't read very well or you pretend to be a litle blind i guess. you did never saw the topic of this section didn't you?

let's wait for JMI reply ....

Hi yaa:

Sometimes cRk is a wee tad grumpy, although his suggestion was good, it would have been more helpful if he had suggested some search terms he knew would produce results. You may be suprised that the actual title of your thread contains the terms which would have found you several.

Try again using "RVA to physical addresses" and/or just "RVA physical address". (without the quotes) Mr. Google produced several additional tools you might want to try. And searching tool site is also a good place to find such things, usually under "utilities".

And cRk: It is NOT a violation of the "Rulez" to ask for the "name" of a tool. Just to ask where to find it. THAT is what searching if for.

Regards.

if you want to do it programmatically, this is handy: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/imagervatova.asp ("http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/imagervatova.asp")

Oh there ya go, bring some darn piece of Code into the problem again. We don't want no stinking Code man. We want tools man ... preferrably easy tools.

We don't want to work man,we want a prepackaged, genuine, over-the-counter solution man. Yah, Right On. We want the "tool" to do the work, Dude. What was you thinging man?

Regards,

disavowed,
little help, why i can't find about ZwYieldExecution in that m$-library.

Because you need Windows NT/2000 Native API Reference, page 245.

ZwYieldExecution yields the use of the processor by the current thread to any other thread that is ready to use it.

NTSYSAPI
NTSTATUS
NTAPI
ZwYieldExecution
VOID
);
Parameters
None
Return Value
Returns STATUS_SUCCESS or STATUS_NO_YIELD_PERFORMED
Related Win32 Functions
SwitchToThread
Remarks
SwitchToThread exposes the full functionality of ZwYieldExecution.

Have fun.

Regards,

I'm gonna change my title from 'PE Restyler' to 'Human search engine'

cRk I honestly find it hard to understand the subtle pleasure that people like you seem to experience when they can scold someone. It is something that is simply far from me.

yaa

"Windows NT/2000 Native API Reference" is not MSDN, ye?

Last time I looked, ye.

Regards,