eXec0d3 Posted July 7, 2010 Share Posted July 7, 2010 How can I Get File Offset from VA or RVA ? in delphi ^^ Link to comment
BoB Posted July 7, 2010 Share Posted July 7, 2010 Eh? In March you knew how to do this!/>http://forum.tuts4you.com/index.php?showtopic=22623&view=findpost&p=107940Did you try searching? This has been asked many times before!Parse PE Headers to get number of sections, find section headers, find section containing RVA, calculate (Section.Raw + (YourRVA - Section.RVA)) ..If you try and get stuck, I'll help, but you won't learn anything if I just give you code! 1 Link to comment
eXec0d3 Posted July 7, 2010 Author Share Posted July 7, 2010 yeeees I've did it ^^ Raw Offset + for example 0044DF20 -> 44DF20 - Virtual Offset = tadaa 44D320 ^^ tnx for help Link to comment
eXec0d3 Posted July 7, 2010 Author Share Posted July 7, 2010 hey, but how can I get section data? i use sabre-g or stud_pe, can anyone help? I hope can ^^ Link to comment
izlesa Posted July 8, 2010 Share Posted July 8, 2010 (edited) >> hey, but how can I get section data? i use sabre-g or stud_pe, can anyone help? I hope can ^^ read tuts about pe format, plz. In two words - array of IMAGE_SECTION_HEADER (number of elements of this array -> IMAGE_FILE_HEADER.NumberOfSections) placed after IMAGE_OPTIONAL_HEADER:BYTE *ptr; //base of imageIMAGE_DOS_HEADER *mz;IMAGE_NT_HEADERS *nt;IMAGE_SECTION_HEADER *section;nt = (IMMAGE_NT_HEADERS *)((DWORD)ptr + mz->e_lfanew);section = (IMAGE_SECTION_HEADER *)((DWORD)&nt->OptionalHeader + (DWORD)nt->FileHeader.SizeOfOptionalHeader);PS Sorry for my bad english ^____^" Edited July 8, 2010 by izlesa Link to comment
eXec0d3 Posted July 8, 2010 Author Share Posted July 8, 2010 what's wrong? :SN = Number of sections ... For i:= 0 To N - 1 Do begin ReadFile(H,HSect,$28,br,nil); if (HSect.SizeOfRawData <= EP) and (EP <(HSect.SizeOfRawData + HSect.Misc.VirtualSize)) Then begin // we are in the code section end; end; Link to comment
BoB Posted July 8, 2010 Share Posted July 8, 2010 Well, you should read the whole file, or at least all the headers at once. Disk reads are slow! Ok, now at least you've tried to do it, better to code in a way you can use again.. // Returns Raw offset from RVA ..Function RvaToRaw(Const Filename : PChar; Const Rva : DWord) : DWord;Type PImageSectionHeader = ^TSection; TImageSectionHeader = Packed Record Name : Array [1 .. 8] Of Char; VirtualSize : DWord; VirtualRva : DWord; SizeOfRawData : DWord; PointerToRawData : DWord; Unused : Array [1 .. 3] Of DWord; // Depreciated / Coff only .. Characteristics : DWord; End;Var Mem : Pointer; H : hFile; C : DWord; NT : PImageNtHeaders; Sec : PImageSectionHeader;Begin Result := 0; If (Filename = Nil) Or (Rva = 0) Then Exit; // Open a PE file, minimal checking! H := CreateFile(Filename, GENERIC_READ, FILE_SHARE_READ, Nil, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0); If (H <> INVALID_HANDLE_VALUE) Then Try // Read max 4k of file into memory .. C := GetFileSize(H, Nil); If (C > $1000) Then C := $1000; GetMem(Mem, C); ReadFile(H, Mem^, C, C, Nil); CloseHandle(H); If (PWord(Mem)^ <> IMAGE_DOS_SIGNATURE) Or (PDWord(DWord(Mem) + $3C)^ > C) Then Exit; // Get position of PE Headers, find first section .. NT := Pointer(DWord(Mem) + PDWord(DWord(Mem) + $3C)^); Sec := Pointer(DWord(@NT^.OptionalHeader) + NT^.FileHeader.SizeOfOptionalHeader); // Find section containing rva .. C := 0; // Note I NEVER use For loops cos Delphi sometimes reverses the counter and things are backwards! While (C < NT^.FileHeader.NumberOfSections) And (Rva > Sec^.VirtualRva + Sec^.VirtualSize) Do Begin Inc(C); Inc(Sec); End; // Return Raw offset .. If (C < NT^.FileHeader.NumberOfSections) Then Result := Sec^.PointerToRawData + (Rva - Sec^.VirtualRva); Finally FreeMem(Mem); End;End; Have fun! 1 Link to comment
eXec0d3 Posted July 8, 2010 Author Share Posted July 8, 2010 argh :@ now whats wrong, "undeclared identifier: 'TSection'" Link to comment
eXec0d3 Posted July 8, 2010 Author Share Posted July 8, 2010 Function RvaToRaw(Const Filename : PChar; Const Rva : DWord) : DWord;Type PImageSectionHeader = ^TSection; TImageSectionHeader = Packed Record Name : Array [1 .. 8] Of Char; VirtualSize : DWord; VirtualRva : DWord; SizeOfRawData : DWord; PointerToRawData : DWord; Unused : Array [1 .. 3] Of DWord; // Depreciated / Coff only .. Characteristics : DWord; End;Varthis must be like this,Function RvaToRaw(Const Filename : PChar; Const Rva : DWord) : DWord;Type TImageSectionHeader = Packed Record Name : Array [1 .. 8] Of Char; VirtualSize : DWord; VirtualRva : DWord; SizeOfRawData : DWord; PointerToRawData : DWord; Unused : Array [1 .. 3] Of DWord; // Depreciated / Coff only .. Characteristics : DWord; End; PImageSectionHeader = ^TImageSectionHeader;Var Link to comment
BoB Posted July 8, 2010 Share Posted July 8, 2010 Actually it should be this: Type PImageSectionHeader = ^TImageSectionHeader; I copied the structure locally to the function but it didn't throw error cos original was still in scope and called TSection Link to comment
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now