Relative virtual address and offset


chamsy
04-16-2004, 12:29 PM
Hi,

Can you please tell me how to find the offset given the relative virtual address.

Thanks a lot,
Chamal.

kw
04-16-2004, 08:09 PM
You should understand the structure of a PE executable (the Windows standard) file. At the start of the file is the header, which describes the structure of the rest of the file.
One of the things you will find is a section table. The actual content of the file sits in these sections. There will likely be, among others, a section for data, and a section for code. If you look at the table at the start, you can see where each section is in the file.

For example, a section labeled ".code" might have a file offset of 400h and a size of E00h, which means you will find it in the file at offsets 400h-1200h. This is the file offset.

After the file is loaded into memory, it does not necessarily keep the same structure. Often programs use a smaller file alignment (say, 200h) for file offset, while they use 1000h alignment in memory. That means that files will have different sizes and starting points in memory, from the ones they have in file. To convert between the two, you should simply look in the section table. The section table contains both the file offsets and (relative) virtual offsets of the sections.
Now, using common sense, you can look at a section with these specifics:

name : ".data"
file offset : 800h
RVA : 2000h

And know that, what in file is offset 804h, is in memory, 804h - 800h = 4h + 2000h = 2004h in memory. (Relative Virtual Address)
The full address is the image base (to be found in the PE header) plus the relative virtual address. Assuming the most common image base (400000h), the file offset 804h would translate to the Virtual Address 402004h.

KW
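
The conversion described in the post above, as an added Python example that is not part of the original thread: it reads the section table from a PE header and converts in both directions between file offsets and RVAs for section-mapped addresses. The sample header is constructed for illustration; only the `.data` values (file offset 800h, RVA 2000h) and the image base 400000h come from the post, while the `.text` section and all section sizes are assumptions.

```python
import struct

def parse_pe(pe: bytes):
    """Return (image_base, sections); a section is (name, rva, vsize, raw_off, raw_size)."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)           # file offset of "PE\0\0"
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4                                      # 20-byte COFF header
    nsec, opt_size = struct.unpack_from("<H12xH", pe, coff + 2)
    opt = coff + 20                                          # optional header
    magic, = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):                          # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    image_base, = struct.unpack_from(*(("<I", pe, opt + 28) if magic == 0x10B else ("<Q", pe, opt + 24)))
    sections = []
    for i in range(nsec):                                    # 40-byte section headers
        name, vsize, rva, raw_size, raw_off = struct.unpack_from(
            "<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), rva, vsize, raw_off, raw_size))
    return image_base, sections

def rva_to_offset(sections, rva):
    """File offset for an RVA, or None when no bytes in the file back it."""
    for _, sec_rva, vsize, raw_off, raw_size in sections:
        if sec_rva <= rva < sec_rva + max(vsize, raw_size):
            delta = rva - sec_rva
            # Past the raw data the loader zero-fills: memory only, no file offset.
            return raw_off + delta if delta < raw_size else None
    return None

def offset_to_rva(sections, off):
    """RVA for a file offset inside some section's raw data, else None."""
    for _, sec_rva, _, raw_off, raw_size in sections:
        if raw_off <= off < raw_off + raw_size:
            return sec_rva + (off - raw_off)
    return None

def build_sample():
    """Constructed PE32 header: .text (400h -> 1000h), .data (800h -> 2000h)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H26xI", 0x10B, 0x400000).ljust(0xE0, b"\0")
    sec = lambda n, vs, rva, rs, ro: struct.pack("<8sIIII16x", n, vs, rva, rs, ro)
    return (dos + b"PE\0\0" + coff + opt + sec(b".text", 0x400, 0x1000, 0x400, 0x400)
            + sec(b".data", 0x1000, 0x2000, 0x200, 0x800))

if __name__ == "__main__":
    base, secs = parse_pe(build_sample())
    rva = offset_to_rva(secs, 0x804)
    print(hex(rva), hex(base + rva))
```

Addresses inside the headers (below the first section) are not covered by the section lookup and return `None` here.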

kw
04-16-2004, 08:10 PM
By the way, you might enjoy this reference
http://its.mine.nu/html/resources/PE.pdf
It explains the PE structure, and should come in useful in cases like these.

KW

sna
04-17-2004, 12:50 PM
ahem... the current version can be downloaded from

http://www.microsoft.com/whdc/hwdev/hardware/pecoff.mspx

regards, sna