Avenger Posted January 8, 2017 How can I get the address of a section (such as .text or .rsrc) from memory?
atom0s Posted January 8, 2017 Parse the PE header just like you would normally if you read the file from disk. Just use the memory location of the start of the target instead. (GetModuleHandle can get you the base, or use the needed iteration APIs if the target is remote etc., for example CreateToolhelp32Snapshot / Process32First / Process32Next / Module32First / Module32Next.)
Avenger Posted January 8, 2017 Author Excuse me, is it possible to explain it? I have the app on disk; is it possible to calculate the address? If yes, how? Edited January 8, 2017 by Avenger
havanacj13 Posted January 8, 2017 Load the app / DLL into memory, e.g. with CreateFileMapping() + MapViewOfFile(), or by reading it directly into a malloc'ed range. You get the first section header in the following way:

    IMAGE_DOS_HEADER* pDOSHeader = (IMAGE_DOS_HEADER*)address;
    IMAGE_NT_HEADERS* pNTHeaders = (IMAGE_NT_HEADERS*)((BYTE*)pDOSHeader + pDOSHeader->e_lfanew);
    // IMAGE_FIRST_SECTION skips the optional header by FileHeader.SizeOfOptionalHeader,
    // so it stays correct for both PE32 and PE32+ images
    IMAGE_SECTION_HEADER* pSectionHdr = IMAGE_FIRST_SECTION(pNTHeaders);

Then you can iterate with pSectionHdr++ through all section headers. Inside the IMAGE_SECTION_HEADER fields the RVA and the size in memory and in the file are available.
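The section-table walk described by atom0s and havanacj13 above, as an added example that is not code from either poster. It defines the needed PE structures locally (same layout and field names as winnt.h) so it compiles without the Windows SDK, bounds-checks every header offset against the size of the memory it was given, and locates the section table via SizeOfOptionalHeader rather than a hard-coded sizeof. The 512-byte PE32+ header it parses is constructed in build_sample_image() and is not a real binary; sample_rva() and all names below are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* PE structures defined locally with winnt.h's layout and field names so the example
 * builds without the Windows SDK; only the fields needed to reach the section table. */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t reserved[58]; int32_t e_lfanew; } DOS_HEADER;
typedef struct {                                   /* IMAGE_FILE_HEADER, 20 bytes */
    uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp, PointerToSymbolTable,
    NumberOfSymbols; uint16_t SizeOfOptionalHeader, Characteristics;
} FILE_HEADER;
typedef struct {                                   /* IMAGE_SECTION_HEADER, 40 bytes */
    char Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    PointerToRelocations, PointerToLinenumbers; uint16_t NumberOfRelocations,
    NumberOfLinenumbers; uint32_t Characteristics;
} SECTION_HEADER;
#pragma pack(pop)

#define DOS_MAGIC    0x5A4Du      /* "MZ"     */
#define PE_SIGNATURE 0x00004550u  /* "PE\0\0" */

/* Find a section by name in a PE image already in memory (a module base, a
 * MapViewOfFile() view, or a buffer filled by ReadProcessMemory()). Every offset
 * is checked against image_size before it is read, so a truncated or hostile
 * header returns 0 instead of reading out of bounds. On success stores the
 * section's RVA and in-memory size and returns 1; VA = module base + RVA. */
int find_section(const uint8_t *image, size_t image_size, const char *name,
                 uint32_t *rva_out, uint32_t *vsize_out)
{
    DOS_HEADER dos; FILE_HEADER fh; SECTION_HEADER sh; uint32_t sig;
    size_t nt_off, first_sec, i;

    if (image_size < sizeof dos) return 0;
    memcpy(&dos, image, sizeof dos);               /* memcpy: no alignment assumptions */
    if (dos.e_magic != DOS_MAGIC || dos.e_lfanew < 0) return 0;

    nt_off = (size_t)dos.e_lfanew;
    if (nt_off > image_size - 4 - sizeof fh) return 0;    /* signature + file header must fit */
    memcpy(&sig, image + nt_off, sizeof sig);
    if (sig != PE_SIGNATURE) return 0;
    memcpy(&fh, image + nt_off + 4, sizeof fh);

    /* The section table follows the optional header, whose length is
     * SizeOfOptionalHeader (this is what winnt.h's IMAGE_FIRST_SECTION computes).
     * Hard-coding sizeof(IMAGE_NT_HEADERS) instead misplaces the table whenever the
     * image's bitness (PE32 vs PE32+) differs from the parser's own build. */
    first_sec = nt_off + 4 + sizeof fh + fh.SizeOfOptionalHeader;
    if (first_sec > image_size ||
        fh.NumberOfSections > (image_size - first_sec) / sizeof sh) return 0;

    for (i = 0; i < fh.NumberOfSections; i++) {
        memcpy(&sh, image + first_sec + i * sizeof sh, sizeof sh);
        if (strncmp(sh.Name, name, 8) == 0) {      /* Name is not NUL-terminated at 8 chars */
            *rva_out = sh.VirtualAddress;
            *vsize_out = sh.VirtualSize;
            return 1;
        }
    }
    return 0;
}

/* Constructed sample (not a real binary): a 512-byte PE32+ header with two sections,
 * e_lfanew = 0x80 and SizeOfOptionalHeader = 0xF0 as a 64-bit linker would emit. */
#define SAMPLE_SIZE 512
static void put16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void add_section(uint8_t *sh, const char *name, uint32_t rva, uint32_t vsize)
{
    memcpy(sh, name, strlen(name));                /* names used here are <= 8 chars */
    put32(sh + 8, vsize);                          /* VirtualSize */
    put32(sh + 12, rva);                           /* VirtualAddress */
}
void build_sample_image(uint8_t *img)
{
    const size_t nt = 0x80, first_sec = nt + 4 + sizeof(FILE_HEADER) + 0xF0;
    memset(img, 0, SAMPLE_SIZE);
    put16(img, DOS_MAGIC);
    put32(img + 60, (uint32_t)nt);                 /* e_lfanew */
    put32(img + nt, PE_SIGNATURE);
    put16(img + nt + 4, 0x8664);                   /* Machine: AMD64 */
    put16(img + nt + 6, 2);                        /* NumberOfSections */
    put16(img + nt + 4 + 16, 0xF0);                /* SizeOfOptionalHeader */
    add_section(img + first_sec, ".text", 0x1000, 0x2345);
    add_section(img + first_sec + sizeof(SECTION_HEADER), ".rsrc", 0x4000, 0x0800);
}

/* RVA of `name` in the sample image when only its first `visible` bytes are
 * readable, or UINT32_MAX if the section is absent or the header does not parse. */
uint32_t sample_rva(const char *name, size_t visible)
{
    uint8_t img[SAMPLE_SIZE]; uint32_t rva, vsize;
    build_sample_image(img);
    if (visible > SAMPLE_SIZE) visible = SAMPLE_SIZE;
    return find_section(img, visible, name, &rva, &vsize) ? rva : UINT32_MAX;
}
```

Against a real module, pass the base returned by GetModuleHandle (or the buffer read from a remote process) as `image`; the section's virtual address is then the base plus the returned RVA. Passing a deliberately short `visible` size to sample_rva() shows the truncation checks rejecting the header rather than reading past it.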
eXit Posted January 8, 2017 You can also use dumpbin <filename> to do this. Dumpbin comes with the C++ toolkit when you install Visual Studio or Visual Studio Code.
havanacj13 Posted January 21, 2017 It depends what you want to do. Getting the address with dumpbin can help if you basically want the address in memory. With CreateToolhelp32Snapshot / Process32First / Process32Next / Module32First / Module32Next you can access another process and its loaded modules. Reading out the data with ReadProcessMemory() and the IMAGE_XXX structures, you can access the memory of the process / module directly. But only if you have the same rights or admin rights. Edited January 21, 2017 by havanacj13