RVA, ROffset, VOffset...
sawer
October 2nd, 2006, 08:25
Hi
What are the meanings of, or what are the differences between,
VOffset
VSize
ROffset
RSize
RVA
VA
I need clear definitions. I am very confused about these.
pnluck
October 2nd, 2006, 08:30
Sawer, I suggest you read some docs on Portable Executable; there are more on the web, and on Reversing sites.
ZaiRoN
October 2nd, 2006, 09:43
A quick reply for the moment...
VA = Virtual Address: it's a memory address (like 00401040)
RVA = Relative Virtual Address. It's an offset and it's relative to Image Base (like 1040)
Virtual Offset, Virtual Size, Raw Offset and Raw Size are used for section's fields.
Virtual Offset: the starting rva of the section in memory
Virtual Size: the real dimension of the section in memory
Raw offset: it's a physical address and represents the starting address of the section inside the file
Raw size: how many bytes the section needs inside the physical file. It follows an alignment, the File Alignment...
Well, it's not easy to talk about the PE fields without talking about other things (I did mention Image Base and File Alignment but there are others like Section Alignment and so on...). If you don't have any specific questions I suggest reading a PE guide, and then if you have something to ask you are welcome to ask it.
sawer
October 2nd, 2006, 14:18
Thanks zairon
I am reading arteam's PE document. While I am reading it, I get confused a lot. I am trying to understand it.
Thanks for answer again.
LLXX
October 2nd, 2006, 19:55
I don't usually trust second-sourced information, fortunately for the PE file format Micro$oft publishes the official specification:
http://www.microsoft.com/whdc/system/platform/firmware/PECOFFdwn.mspx?
Silver
October 3rd, 2006, 06:09
These are also a great, tutorial-esque introduction:
http://msdn.microsoft.com/msdnmag/issues/02/02/PE/default.aspx
http://msdn.microsoft.com/msdnmag/issues/02/03/PE2/default.aspx
sawer
October 3rd, 2006, 08:27
Thanks for links and answers.
I have looked at them.
I have one more question. There is a formula:
Raw Offset = RVA_YouHave - ImageBase - VirtualOffsetOfSection + RawOffsetOfSection
Isn't Raw offset independent from virtual offset?
I understand that raw indicates hard disk and virtual indicates memory.
But what is the relationship between them? I really don't understand the formula.
Thanks again.
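An added example (not code from any poster in this thread) that applies the formula quoted above to the section fields ZaiRoN defined. The function names and the sample section table are constructed for illustration; the address the formula starts from is handled as a VA, since ImageBase is subtracted from it.

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress (the thread's "Virtual
# Offset"), SizeOfRawData, PointerToRawData ("Raw Offset"), then fields unused here.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")

def parse_sections(table):
    """Decode a raw section table into (name, vsize, voffset, rsize, roffset) tuples."""
    sections = []
    for pos in range(0, len(table), SECTION_HEADER.size):
        name, vsize, voff, rsize, roff = SECTION_HEADER.unpack_from(table, pos)[:5]
        sections.append((name.rstrip(b"\0").decode("ascii"), vsize, voff, rsize, roff))
    return sections

def va_to_raw(va, image_base, size_of_headers, sections):
    """Map a virtual address to a file offset, or None if no file byte backs it."""
    rva = va - image_base                      # VA -> RVA
    if rva < 0:
        return None
    if rva < size_of_headers:                  # headers are mapped 1:1 from file offset 0
        return rva
    for _name, vsize, voff, rsize, roff in sections:
        if voff <= rva < voff + max(vsize, rsize):
            delta = rva - voff                 # distance from the section start
            # Bytes past Raw Size exist only in memory (zero-filled by the loader).
            return roff + delta if delta < rsize else None
    return None                                # gap between sections or past the image

# Constructed sample values (not taken from any real file):
# ImageBase 0x400000, SectionAlignment 0x1000, FileAlignment 0x200.
IMAGE_BASE, SIZE_OF_HEADERS = 0x400000, 0x400
SAMPLE_TABLE = b"".join(
    SECTION_HEADER.pack(n, vs, vo, rs, ro, 0, 0, 0, 0, 0)
    for n, vs, vo, rs, ro in [
        (b".text", 0x1A40, 0x1000, 0x1C00, 0x400),
        (b".data", 0x3000, 0x3000, 0x200, 0x2000),   # mostly uninitialised data
    ]
)
SECTIONS = parse_sections(SAMPLE_TABLE)

if __name__ == "__main__":
    for va in (0x401040, 0x403010, 0x403800, 0x400080, 0x406000):
        raw = va_to_raw(va, IMAGE_BASE, SIZE_OF_HEADERS, SECTIONS)
        print(hex(va), "->", "no file bytes" if raw is None else hex(raw))
```

The virtual offset appears in the formula only to measure how far into its section the address lies; that distance is the same on disk and in memory, so it is added to the section's raw offset.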
naides
October 3rd, 2006, 11:06
A suggestion for an exercise:
Get a small .exe file.
Open it with PE TOOLS; see all the addresses in the PE headings: the Base Address, the sections' virtual addresses and sizes, etc.
Open it with a Hex Editor; look at (write down) the bytes that are present at the beginning of the sections, located by their RAW addresses on the disk (from the info that PE Tools gives you).
Load it in Olly; look at (or search for) the byte patterns you noted in the Hex editor, now distributed in their virtual positions in memory. See how the file is loaded in memory using Olly -> View -> Memory option. See how the size of the sections on disk and in memory may be different. Look at the byte pattern at the end of each section on disk and in memory. Compute the size by subtraction. Deduce the formulas by direct observation.
Look carefully at the addresses (offsets) of the same byte patterns in memory (Olly) and on disk (Hex Editor).
Make a drawing, a map of the file sections on the disk and in memory with THE REAL ADDRESSES YOU SAW in the hex and Olly maps.
Don't read more shit, just do it
And you will see the light

Kayaker
October 3rd, 2006, 12:12
Here's a small file you might find useful in studying the PE file structure. Open an exe file in a hex editor and compare to this file.
As Naides says, or was that Nike?, Just Do It!
Exe file format with offsets rather than explanations
http://www.woodmann.com/IDArchive/ID-RIP/database/essays/fboyjoe/exe_hdr.html
Later, you can supplement with info from this page
http://www.woodmann.net/yates/peinfo.html