Jump to content
Tuts 4 You

from VA to File Offset

eXec0d3

By eXec0d3
in Programming and Coding

Recommended Posts

eXec0d3

eXec0d3

Posted
Posted

How can I Get File Offset from VA or RVA ? in delphi ^^

BoB

BoB

Posted
Posted

Eh? In March you knew how to do this!


/>http://forum.tuts4you.com/index.php?showtopic=22623&view=findpost&p=107940

Did you try searching? This has been asked many times before!

Parse PE Headers to get number of sections, find section headers, find section containing RVA, calculate (Section.Raw + (YourRVA - Section.RVA)) ..

If you try and get stuck, I'll help, but you won't learn anything if I just give you code!

  • Like 1
eXec0d3

eXec0d3

Posted
  • Author
Posted

yeeees I've did it ^^

Raw Offset + for example 0044DF20 -> 44DF20 - Virtual Offset = tadaa 44D320 ^^ :D tnx for help

eXec0d3

eXec0d3

Posted
  • Author
Posted

hey, but how can I get section data? i use sabre-g or stud_pe, can anyone help? I hope can ^^

izlesa

izlesa

Posted
Posted (edited)

>> hey, but how can I get section data? i use sabre-g or stud_pe, can anyone help? I hope can ^^

read tuts about pe format, plz. In two words - array of IMAGE_SECTION_HEADER (number of elements of this array -> IMAGE_FILE_HEADER.NumberOfSections) placed after IMAGE_OPTIONAL_HEADER:

BYTE *ptr; //base of image
IMAGE_DOS_HEADER *mz;
IMAGE_NT_HEADERS *nt;
IMAGE_SECTION_HEADER *section;nt = (IMMAGE_NT_HEADERS *)((DWORD)ptr + mz->e_lfanew);
section = (IMAGE_SECTION_HEADER *)((DWORD)&nt->OptionalHeader + (DWORD)nt->FileHeader.SizeOfOptionalHeader);

PS Sorry for my bad english ^____^"

Edited by izlesa
eXec0d3

eXec0d3

Posted
  • Author
Posted

what's wrong? :S

N = Number of sections ...

 For i:= 0 To N - 1 Do
 begin
  ReadFile(H,HSect,$28,br,nil);
  if
  (HSect.SizeOfRawData <= EP) and
  (EP <(HSect.SizeOfRawData + HSect.Misc.VirtualSize))
  Then
  begin
   // we are in the code section
  end;
 end;
BoB

BoB

Posted
Posted

Well, you should read the whole file, or at least all the headers at once. Disk reads are slow! :)

Ok, now at least you've tried to do it, better to code in a way you can use again..

// Returns Raw offset from RVA ..Function  RvaToRaw(Const Filename : PChar; Const Rva : DWord) : DWord;
Type
  PImageSectionHeader = ^TSection;
  TImageSectionHeader = Packed Record
    Name                 : Array [1 .. 8] Of Char;
    VirtualSize          : DWord;
    VirtualRva           : DWord;
    SizeOfRawData        : DWord;
    PointerToRawData     : DWord;
    Unused               : Array [1 .. 3] Of DWord;  // Depreciated / Coff only ..
    Characteristics      : DWord;
  End;
Var
  Mem : Pointer;
  H   : hFile;
  C   : DWord;
  NT  : PImageNtHeaders;
  Sec : PImageSectionHeader;
Begin
  Result := 0;
  If (Filename = Nil) Or (Rva = 0) Then Exit;  // Open a PE file, minimal checking!
  H := CreateFile(Filename, GENERIC_READ, FILE_SHARE_READ, Nil, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
  If (H <> INVALID_HANDLE_VALUE) Then Try
    // Read max 4k of file into memory ..
    C := GetFileSize(H, Nil);
    If (C > $1000) Then C := $1000;
    GetMem(Mem, C);
    ReadFile(H, Mem^, C, C, Nil);
    CloseHandle(H);
    If (PWord(Mem)^ <> IMAGE_DOS_SIGNATURE) Or (PDWord(DWord(Mem) + $3C)^ > C) Then Exit;    // Get position of PE Headers, find first section ..
    NT  := Pointer(DWord(Mem) + PDWord(DWord(Mem) + $3C)^);
    Sec := Pointer(DWord(@NT^.OptionalHeader) + NT^.FileHeader.SizeOfOptionalHeader);    // Find section containing rva ..
    C := 0;  // Note I NEVER use For loops cos Delphi sometimes reverses the counter and things are backwards!
    While (C < NT^.FileHeader.NumberOfSections) And (Rva > Sec^.VirtualRva + Sec^.VirtualSize) Do Begin
      Inc(C);
      Inc(Sec);
    End;    // Return Raw offset ..
    If (C < NT^.FileHeader.NumberOfSections) Then Result := Sec^.PointerToRawData + (Rva - Sec^.VirtualRva);  Finally
    FreeMem(Mem);
  End;
End;

Have fun!

  • Like 1
eXec0d3

eXec0d3

Posted
  • Author
Posted

argh :@ now whats wrong, "undeclared identifier: 'TSection'"

eXec0d3

eXec0d3

Posted
  • Author
Posted 
Function  RvaToRaw(Const Filename : PChar; Const Rva : DWord) : DWord;
Type
  PImageSectionHeader = ^TSection;
  TImageSectionHeader = Packed Record
    Name                 : Array [1 .. 8] Of Char;
    VirtualSize          : DWord;
    VirtualRva           : DWord;
    SizeOfRawData        : DWord;
    PointerToRawData     : DWord;
    Unused               : Array [1 .. 3] Of DWord;  // Depreciated / Coff only ..
    Characteristics      : DWord;
  End;
Var

this must be like this,

Function  RvaToRaw(Const Filename : PChar; Const Rva : DWord) : DWord;
Type
  TImageSectionHeader = Packed Record
    Name                 : Array [1 .. 8] Of Char;
    VirtualSize          : DWord;
    VirtualRva           : DWord;
    SizeOfRawData        : DWord;
    PointerToRawData     : DWord;
    Unused               : Array [1 .. 3] Of DWord;  // Depreciated / Coff only ..
    Characteristics      : DWord;
  End;
  PImageSectionHeader = ^TImageSectionHeader;
Var
BoB

BoB

Posted
Posted

Actually it should be this:

Type
  PImageSectionHeader = ^TImageSectionHeader;

I copied the structure locally to the function but it didn't throw error cos original was still in scope and called TSection :)

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go to topic listing
×
×
  • Create New...