Neitsa
September 15th, 2004, 09:40
Hello,
Nilom, I will try to explain a little bit what I meant by VA to offset conversion:
When you launch a program, the "Windows loader" maps (in fact loads into memory) your program. The static code from the PE file (Portable Executable) becomes a process, which has its own address space in memory.
-offset: this is the location of an item within the file itself before being processed by the loader. This is, if you want, the position in the file on your hard disk. Just open your file in a hex editor, and go to the 1000th byte: you are at offset 1000h! That's all...
-VA (Virtual Address): when a program is loaded by the Win loader (it is "mapped"), the VA is an address in the process address space.
Let's say you're debugging a file, and the current address is 401000h, so the current VA is 401000h.
-RVA: RVA (Relative Virtual Address) is nearly the same thing as a VA, except you must subtract the ImageBase of the file.
Let's say the current VA is 401000h and the ImageBase is 400000h:
401000h - 400000h = 1000h => the current RVA is 1000h
What is the ImageBase?
- The ImageBase is the preferred load address for a PE file (a PE file can be an EXE, a DLL, a driver, etc. Everything that can run code. A PE file is just a structure for executable files).
Where can I find it?
You can find the ImageBase in the PE header.
Open your PE file in a hex editor and search for the PE signature, which is "PE",0,0.
Go to offset 0x3C => you'll find there an offset to the PE signature (in a DWORD), e.g. offset 3C: C0000000. Since Intel uses the little-endian format, you must reverse this number = 000000C0
PE Signature is at 0xC0 => let's go there
0xC0 = 5045000 (in ASCII PE,0,0): this is the PE signature, which tells us this is truly a PE file
The ImageBase is at PE signature + 0x34 => 0xC0 + 0x34 = 0xF4
0xF4 = 00004000 (little endian) => 0x400000
We have our ImageBase, which is 0x400000
How to do VA/offset conversion?
It depends on where you are exactly (what the section is); most of the time you'll be in the code section of the PE file.
Let's take an example: you want to find, in your file on disk, the location of the virtual address 401014. It means you'll have to do a VA/offset conversion.
First of all, go to the sections location in the PE header: the first section table (characteristics) is most of the time the code section (.text), and this table is located at PE signature + 0xF8
0xC0 + 0xF8 = 0x1B8
Here's an example:
Code:
1B8 ASCII ".text" ; SECTION
1C0 DD 00000046 ; VirtualSize = 46 (70.)
1C4 DD 00001000 ; VirtualAddress = 1000
1C8 DD 00000200 ; SizeOfRawData = 200 (512.)
1CC DD 00000400 ; PointerToRawData = 400
1D0 DD 00000000 ; PointerToRelocations = 0
1D4 DD 00000000 ; PointerToLineNumbers = 0
1D8 DW 0000 ; NumberOfRelocations = 0
1DA DW 0000 ; NumberOfLineNumbers = 0
1DC DD 60000020 ; Characteristics = CODE|EXECUTE|READ
The Virtual Address field is in fact an RVA (so the VA is 400000 + 1000 = 401000); this is the base of the code section. The Pointer to RawData tells us where it is in the file on the hard disk, so 0x401000 in memory is at offset 0x400 in the file.
We want to find 0x401014 on your hard disk, so:
-Subtract ImageBase
-Subtract Virtual Address
-Add Pointer to RawData
0x401014 - 0x400000 = 0x1014
0x1014 - 0x1000 = 0x14
0x400 + 0x14 = 414
So the VA 0x401014 is at offset 414 in the PE file...
Sorry for this long post, but I hope it could help someone. Try to find a PE viewer rather than a simple hex editor, you'll see the PE header fields more clearly (Little endian is not always easy to read).
Regards, Neitsa.
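
The conversion walked through in the post, as an added Python example that is not part of the original post. It goes a little further than the post: it locates the section table from SizeOfOptionalHeader instead of assuming PE signature + 0xF8, checks every section, and also reads the 8-byte ImageBase of PE32+ files. The names va_to_offset and build_sample are hypothetical, and the sample image is constructed from the values quoted in the post.

```python
import struct

def va_to_offset(pe: bytes, va: int) -> int:
    """Map a virtual address to its file offset using the PE headers."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)         # DWORD at 0x3C
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsections,) = struct.unpack_from("<H", pe, pe_off + 0x06)
    (opt_size,) = struct.unpack_from("<H", pe, pe_off + 0x14)
    opt = pe_off + 0x18                                    # optional header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                                     # PE32: ImageBase at PE+0x34
        (image_base,) = struct.unpack_from("<I", pe, opt + 0x1C)
    elif magic == 0x20B:                                   # PE32+: 8 bytes at PE+0x30
        (image_base,) = struct.unpack_from("<Q", pe, opt + 0x18)
    else:
        raise ValueError("unknown optional header magic")
    rva = va - image_base                                  # step 1: subtract ImageBase
    table = opt + opt_size                                 # PE+0xF8 when opt_size == 0xE0
    for i in range(nsections):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", pe, table + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            if rva - vaddr >= rsize:
                raise ValueError("address exists only in memory, not on disk")
            return rptr + (rva - vaddr)                    # steps 2 and 3
    raise ValueError("address is not inside any section")

def build_sample() -> bytes:
    """Constructed header-only image carrying the values from the post."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0xC0)                # offset of PE signature
    img[0xC0:0xC4] = b"PE\0\0"
    struct.pack_into("<H", img, 0xC6, 1)                   # NumberOfSections
    struct.pack_into("<H", img, 0xD4, 0xE0)                # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0xD8, 0x10B)               # PE32 magic
    struct.pack_into("<I", img, 0xF4, 0x400000)            # ImageBase
    img[0x1B8:0x1C0] = b".text\0\0\0"
    struct.pack_into("<4I", img, 0x1C0, 0x46, 0x1000, 0x200, 0x400)
    return bytes(img)

if __name__ == "__main__":
    print(hex(va_to_offset(build_sample(), 0x401014)))     # 0x414
```

An address that falls in a section's zero-filled tail, or outside every section, raises ValueError because no byte in the file corresponds to it.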