How can I Get File Offset from VA or RVA ? in delphi ^^

Eh? In March you knew how to do this!

/>http://forum.tuts4you.com/index.php?showtopic=22623&view=findpost&p=107940

Did you try searching? This has been asked many times before!

Parse PE Headers to get number of sections, find section headers, find section containing RVA, calculate (Section.Raw + (YourRVA - Section.RVA)) ..

If you try and get stuck, I'll help, but you won't learn anything if I just give you code!

yeeees I've did it ^^

Raw Offset + for example 0044DF20 -> 44DF20 - Virtual Offset = tadaa 44D320 ^^ tnx for help

hey, but how can I get section data? i use sabre-g or stud_pe, can anyone help? I hope can ^^

>> hey, but how can I get section data? i use sabre-g or stud_pe, can anyone help? I hope can ^^

read tuts about pe format, plz. In two words - array of IMAGE_SECTION_HEADER (number of elements of this array -> IMAGE_FILE_HEADER.NumberOfSections) placed after IMAGE_OPTIONAL_HEADER:

BYTE *ptr; //base of image
IMAGE_DOS_HEADER *mz;
IMAGE_NT_HEADERS *nt;
IMAGE_SECTION_HEADER *section;nt = (IMMAGE_NT_HEADERS *)((DWORD)ptr + mz->e_lfanew);
section = (IMAGE_SECTION_HEADER *)((DWORD)&nt->OptionalHeader + (DWORD)nt->FileHeader.SizeOfOptionalHeader);

PS Sorry for my bad english ^____^"

Edited July 8, 201015 yr by izlesa

what's wrong? :S

N = Number of sections ...

 For i:= 0 To N - 1 Do
 begin
  ReadFile(H,HSect,$28,br,nil);
  if
  (HSect.SizeOfRawData <= EP) and
  (EP <(HSect.SizeOfRawData + HSect.Misc.VirtualSize))
  Then
  begin
   // we are in the code section
  end;
 end;

Well, you should read the whole file, or at least all the headers at once. Disk reads are slow!

Ok, now at least you've tried to do it, better to code in a way you can use again..

// Returns Raw offset from RVA ..Function  RvaToRaw(Const Filename : PChar; Const Rva : DWord) : DWord;
Type
  PImageSectionHeader = ^TSection;
  TImageSectionHeader = Packed Record
    Name                 : Array [1 .. 8] Of Char;
    VirtualSize          : DWord;
    VirtualRva           : DWord;
    SizeOfRawData        : DWord;
    PointerToRawData     : DWord;
    Unused               : Array [1 .. 3] Of DWord;  // Depreciated / Coff only ..
    Characteristics      : DWord;
  End;
Var
  Mem : Pointer;
  H   : hFile;
  C   : DWord;
  NT  : PImageNtHeaders;
  Sec : PImageSectionHeader;
Begin
  Result := 0;
  If (Filename = Nil) Or (Rva = 0) Then Exit;  // Open a PE file, minimal checking!
  H := CreateFile(Filename, GENERIC_READ, FILE_SHARE_READ, Nil, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
  If (H <> INVALID_HANDLE_VALUE) Then Try
    // Read max 4k of file into memory ..
    C := GetFileSize(H, Nil);
    If (C > $1000) Then C := $1000;
    GetMem(Mem, C);
    ReadFile(H, Mem^, C, C, Nil);
    CloseHandle(H);
    If (PWord(Mem)^ <> IMAGE_DOS_SIGNATURE) Or (PDWord(DWord(Mem) + $3C)^ > C) Then Exit;    // Get position of PE Headers, find first section ..
    NT  := Pointer(DWord(Mem) + PDWord(DWord(Mem) + $3C)^);
    Sec := Pointer(DWord(@NT^.OptionalHeader) + NT^.FileHeader.SizeOfOptionalHeader);    // Find section containing rva ..
    C := 0;  // Note I NEVER use For loops cos Delphi sometimes reverses the counter and things are backwards!
    While (C < NT^.FileHeader.NumberOfSections) And (Rva > Sec^.VirtualRva + Sec^.VirtualSize) Do Begin
      Inc(C);
      Inc(Sec);
    End;    // Return Raw offset ..
    If (C < NT^.FileHeader.NumberOfSections) Then Result := Sec^.PointerToRawData + (Rva - Sec^.VirtualRva);  Finally
    FreeMem(Mem);
  End;
End;

Have fun!

thnx

argh :@ now whats wrong, "undeclared identifier: 'TSection'"

Function  RvaToRaw(Const Filename : PChar; Const Rva : DWord) : DWord;
Type
  PImageSectionHeader = ^TSection;
  TImageSectionHeader = Packed Record
    Name                 : Array [1 .. 8] Of Char;
    VirtualSize          : DWord;
    VirtualRva           : DWord;
    SizeOfRawData        : DWord;
    PointerToRawData     : DWord;
    Unused               : Array [1 .. 3] Of DWord;  // Depreciated / Coff only ..
    Characteristics      : DWord;
  End;
Var

this must be like this,

Function  RvaToRaw(Const Filename : PChar; Const Rva : DWord) : DWord;
Type
  TImageSectionHeader = Packed Record
    Name                 : Array [1 .. 8] Of Char;
    VirtualSize          : DWord;
    VirtualRva           : DWord;
    SizeOfRawData        : DWord;
    PointerToRawData     : DWord;
    Unused               : Array [1 .. 3] Of DWord;  // Depreciated / Coff only ..
    Characteristics      : DWord;
  End;
  PImageSectionHeader = ^TImageSectionHeader;
Var

Actually it should be this:

Type
  PImageSectionHeader = ^TImageSectionHeader;

I copied the structure locally to the function but it didn't throw error cos original was still in scope and called TSection