How to find starting offset of resource section in PE file?

```c
BOOL IsResource(PIMAGE_SECTION_HEADER Input){
}
```
First you should take a look at the following PE file specification by Microsoft: Microsoft PE and COFF Specification
The information you are looking for is stored in the optional header at offset 112 and is interpreted as IMAGE_DATA_DIRECTORY. Take a look at page 23.
This will give you the RVA (relative virtual address) and the size of the section. Interpretation of this section is explained in section 5.9. beginning at page 89.
> The RVA is the address of the table relative to the base address of the image when the table is loaded.
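As an added example (not code from the question or the answer above), the following Python builds a constructed minimal PE32 image in memory, reads the resource entry of the data directory from the optional header, and maps its RVA to a file offset through the section table. The `is_resource_section` function is the check the question's `IsResource` stub would need: it tests whether the resource directory RVA from the header falls inside the section rather than relying on the `.rsrc` name. The same `rva_to_foa` mapping is what the `RVA2FOA` comments of a hex-editor template compute, and the section table's `VirtualAddress` field is the value `dumpbin /all` prints under each section header. All section names, RVAs and file offsets in the sample image are constructed for the demonstration.

```python
import struct

IMAGE_DIRECTORY_ENTRY_RESOURCE = 2
SECTION_HEADER_FMT = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


def parse_headers(data):
    """Locate the COFF/optional headers and the section table of a PE file given as bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                    # optional header follows the 20-byte COFF header
    magic, = struct.unpack_from("<H", data, opt)
    # PE32 keeps NumberOfRvaAndSizes at +92 and the directories at +96; PE32+ at +108 / +112
    count_off, dir_off = (92, 96) if magic == 0x10B else (108, 112)
    num_dirs, = struct.unpack_from("<I", data, opt + count_off)
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, _ = struct.unpack_from(
            SECTION_HEADER_FMT, data, opt + opt_size + i * SECTION_HEADER_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize})
    return {"dir_base": opt + dir_off, "num_dirs": num_dirs, "sections": sections}


def data_directory(data, hdrs, index):
    """Return (VirtualAddress, Size) of data directory `index`, or None if the header has fewer entries."""
    if index >= hdrs["num_dirs"]:
        return None
    return struct.unpack_from("<II", data, hdrs["dir_base"] + 8 * index)


def rva_to_foa(sections, rva):
    """Map an RVA to a file offset through the section table; None if no section's raw data backs it."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            delta = rva - s["va"]
            return s["rawptr"] + delta if delta < s["rawsize"] else None
    return None


def is_resource_section(section, resource_rva):
    """True when the resource directory RVA taken from the header falls inside this section."""
    return section["va"] <= resource_rva < section["va"] + max(section["vsize"], section["rawsize"])


def resource_section_offset(data):
    """File offset of the resource directory, or None when the header points nowhere valid."""
    hdrs = parse_headers(data)
    entry = data_directory(data, hdrs, IMAGE_DIRECTORY_ENTRY_RESOURCE)
    if entry is None or entry[0] == 0:
        return None
    return rva_to_foa(hdrs["sections"], entry[0])


def build_sample_pe32():
    """Constructed minimal PE32 image (not a real binary): a .text and a .rsrc section."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # i386, 2 sections, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE, 0x3000, 0x100)
    table = b"".join(struct.pack(SECTION_HEADER_FMT, name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)
                     for name, vsize, va, rawsize, rawptr, flags in
                     [(b".text", 0x200, 0x1000, 0x200, 0x400, 0x60000020),
                      (b".rsrc", 0x100, 0x3000, 0x200, 0x600, 0x40000040)])
    image = bytearray(0x800)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    image[:len(header)] = header
    return bytes(image)


if __name__ == "__main__":
    print(hex(resource_section_offset(build_sample_pe32())))   # 0x600
```

`rva_to_foa` answers the "relative to what in a file?" question in code: inside the file an RVA only becomes an offset after subtracting the containing section's `VirtualAddress` and adding its `PointerToRawData`; an RVA that no section covers (the sample's `0x2800`) yields `None` instead of an arbitrary offset.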
I need help to understand these concepts.
I understand that the RVA is an offset from the base address. But it's relative to what in a file? I understood it was from where the image will be loaded in memory, but in the executable file itself, an RVA is relative to what? The beginning of the file, so the file ID at the start?
Thanks for reading :)
Yes, usually from the start of the file. There are probably a couple of exceptions when you get deeper into specific parts of a file. You will generally find them when reading the documentation:
`MESSAGE_RESOURCE_BLOCK.OffsetToEntries`:

> The offset, in bytes, from the beginning of the MESSAGE_RESOURCE_DATA structure to the MESSAGE_RESOURCE_ENTRY structures in this MESSAGE_RESOURCE_BLOCK. The MESSAGE_RESOURCE_ENTRY structures contain the message strings.
I am new to assembly language and try to get the memory base of the .rdata section because I would like to compare a string from there with a current string that's on the stack. I am using x64dbg.
Example: At a specific call I see the (relative) memory address from some data that is stored in .rdata, let's say it is 0x001C0000 and .rdata starts at 0x001A0000 and ends at 0x001F0000. In x64dbg I can get the .rdata memory base by typing mem.base(0x001C0000) which returns 0x001A0000 but how can I do it in x86 assembly language? What I am trying to do is access data from .rdata but I don't know the offset from the memory base. How can I do that?
Use "dumpbin.exe". Here is how: suppose your file is "foo.exe", do:

```
dumpbin.exe /all foo.exe >foo.txt
```

Then, open foo.txt and look for "SECTION HEADER #1" and check the name (for example ".text"). Then, look for "SECTION HEADER #2", #3, etc.
One of these will be named ".rdata". Just under the name, you have the field "virtual address". That's what you want.
I am trying to perform certain calculations using the resources in a PE File. To do so I follow these steps:
1. Get the RVA of the Resource Section from the header: `PEHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress`
2. Convert the above RVA to a File Offset
3. Reach the start of the Resource Section and traverse the resource tree
4. Reach the leaves (actual resources) and do the calculations.
The above steps work just fine when I am dealing with proper PE Files with valid resource sections but I am unable to handle the following cases:
- The RVA of the Resource Section is present in DataDirectory but the actual ".rsrc" section is missing
- The ".rsrc" section is present but without a section header
- The ".rsrc" section is present but its header has garbage values in either the PointerToRawData or SizeOfRawData field.
- I encounter a garbage value in fields such as OffsetToData/OffsetToDirectory midway while traversing the resource tree
When met with the above situations, my code crashes with ACCESS_VIOLATION_EXCEPTIONS or produces inconsistent results.
My question is: apart from checking for NULL pointers/values, how do I handle the above cases when the resource section headers and pointers are pointing to/containing junk?
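The missing-section and garbage-section-header cases in the question are caught before the tree is touched, by refusing any RVA that the section table does not back with raw data. The remaining case, junk `OffsetToData`/`OffsetToDirectory` values met midway through the tree, needs every offset validated against the section length as it is read. The following Python is an added example (not the questioner's code) of such a bounds-checked walk over a constructed `.rsrc` section; the section RVA `0x3000`, the resource type 6 and the deliberately out-of-range subdirectory offset `0x7000` are all made up for the demonstration. The walker records every bad offset, cycle and over-deep nesting instead of crashing, and still returns the leaves it could reach.

```python
import struct

SAMPLE_RSRC_RVA = 0x3000          # constructed: VirtualAddress of the .rsrc section
SUBDIR_FLAG = 0x80000000          # high bit of OffsetToData: the entry points at a subdirectory
MAX_DEPTH = 2                     # root lists types, then names, then languages; deeper is malformed


def walk_resources(rsrc, rsrc_rva):
    """Bounds-checked walk of the resource tree held in `rsrc` (raw .rsrc section bytes).

    Returns (leaves, problems): leaves are (path, payload) tuples, problems are strings
    describing every offset that pointed outside the section, cycled, or nested too deep.
    """
    leaves, problems, seen = [], [], set()

    def read(fmt, off):
        size = struct.calcsize(fmt)
        if off < 0 or off + size > len(rsrc):
            return None                                   # refuse anything outside the section
        return struct.unpack_from(fmt, rsrc, off)

    def walk(off, depth, path):
        label = "/".join(path) or "<root>"
        if depth > MAX_DEPTH:
            problems.append(f"{label}: directory nested deeper than {MAX_DEPTH} levels")
            return
        if off in seen:                                   # OffsetToDirectory loops back on itself
            problems.append(f"{label}: directory cycle at {off:#x}")
            return
        seen.add(off)
        hdr = read("<IIHHHH", off)                        # IMAGE_RESOURCE_DIRECTORY, 16 bytes
        if hdr is None:
            problems.append(f"{label}: directory header at {off:#x} outside section")
            return
        for i in range(hdr[4] + hdr[5]):                  # named entries followed by ID entries
            ent = read("<II", off + 16 + 8 * i)           # IMAGE_RESOURCE_DIRECTORY_ENTRY
            if ent is None:
                problems.append(f"{label}: entry {i} outside section")
                return
            name, target = ent
            child = path + [f"name@{name & 0x7FFFFFFF:#x}" if name & 0x80000000 else str(name)]
            if target & SUBDIR_FLAG:
                walk(target & 0x7FFFFFFF, depth + 1, child)
                continue
            entry = read("<IIII", target)                 # IMAGE_RESOURCE_DATA_ENTRY
            if entry is None:
                problems.append(f"{'/'.join(child)}: data entry at {target:#x} outside section")
                continue
            data_rva, size, _, _ = entry
            start = data_rva - rsrc_rva                   # OffsetToData here is an RVA, not section-relative
            if start < 0 or size > len(rsrc) - start:
                problems.append(f"{'/'.join(child)}: data {data_rva:#x}+{size:#x} not inside section")
                continue
            leaves.append(("/".join(child), bytes(rsrc[start:start + size])))

    walk(0, 0, [])
    return leaves, problems


def build_sample_rsrc():
    """Constructed .rsrc section: one valid resource plus one entry pointing past the section."""
    blob = bytearray(0x80)

    def directory(off, entries):
        struct.pack_into("<IIHHHH", blob, off, 0, 0, 0, 0, 0, len(entries))
        for i, (name, target) in enumerate(entries):
            struct.pack_into("<II", blob, off + 16 + 8 * i, name, target)

    directory(0x00, [(6, SUBDIR_FLAG | 0x18)])                               # root: type 6
    directory(0x18, [(1, SUBDIR_FLAG | 0x38), (2, SUBDIR_FLAG | 0x7000)])    # names: 1 valid, 2 garbage
    directory(0x38, [(0x409, 0x50)])                                         # language 1033 -> data entry
    struct.pack_into("<IIII", blob, 0x50, SAMPLE_RSRC_RVA + 0x60, 8, 0, 0)  # data entry: RVA, size
    blob[0x60:0x68] = b"RESDATA!"
    return bytes(blob)


if __name__ == "__main__":
    found, bad = walk_resources(build_sample_rsrc(), SAMPLE_RSRC_RVA)
    print(found)   # [('6/1/1033', b'RESDATA!')]
    print(bad)     # ['6/2: directory header at 0x7000 outside section']
```

The `seen` set matters as much as the length checks: a junk `OffsetToDirectory` that happens to land back on an earlier directory produces an infinite recursion rather than an access violation, which the question's NULL checks would never catch. Note that some linkers place resource payloads outside `.rsrc`; a walker over a whole image should resolve `OffsetToData` through the section table instead of the single-section check used here.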
I am analyzing PE structure.
Some article on MSDN (http://msdn.microsoft.com/en-us/magazine/bb985997.aspx) says
"IMAGE_DIRECTORY_ENTRY_IMPORT" points to the imports (an array of IMAGE_IMPORT_DESCRIPTOR structures).
I checked the actual value with the 010 Editor PE template.
However, the value seemed to be encoded somehow and I don't know how to interpret it.
The pictures below clearly explain this problem.
Some advice would be appreciated!
I looked through the template, and it would appear that the "FOA" comments are generated by passing an RVA to the "RVA2FOA" function, which looks like it's converting the RVA to a file offset.
That makes sense, the file offset is something you often want to know (especially in a HEX editor, where you have to navigate by file offset), and FOA looks like it can be short for File Offset Something-or-other.
I need to read the ".pdata" section of a x64 PE file.
I've seen that the structures in the ".pdata" section differ from one platform to another: http://msdn.microsoft.com/en-us/library/aa448751.aspx
It also says the same thing in the PE specifications document.
But I don't understand what it is for regular Windows (XP/Vista/Win7 etc.).
Does anybody know what it is?
The .pdata section is an array of RUNTIME_FUNCTION. It gives you a code range (first two members) and an RVA to the corresponding UNWIND_INFO.
From there you get info like exception handler RVA, size of prolog, etc.
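As an added example (not part of the answer above), the following Python reads the x64 layout the answer describes: the `RUNTIME_FUNCTION` array in `.pdata` (three RVAs: begin, end, `UNWIND_INFO`) and, for each entry, the fixed `UNWIND_INFO` header, its unwind-code slots and the exception handler RVA that follows the slot array when the `UNW_FLAG_EHANDLER`/`UNW_FLAG_UHANDLER` bits are set (or the chained `RUNTIME_FUNCTION` when `UNW_FLAG_CHAININFO` is set). The `.pdata`/`.xdata` contents, their RVAs (`0x4000`, `0x5000`) and the handler RVA `0x1500` are constructed for the demonstration; every read goes through `read_rva`, so an `UnwindInfoAddress` that no section backs yields `None` instead of a fault.

```python
import struct

UNW_FLAG_EHANDLER = 0x1      # UNWIND_INFO.Flags bits
UNW_FLAG_UHANDLER = 0x2
UNW_FLAG_CHAININFO = 0x4
RUNTIME_FUNCTION_SIZE = 12   # BeginAddress, EndAddress, UnwindInfoAddress (all RVAs)


def read_rva(sections, rva, size):
    """Fetch `size` bytes at an RVA from a list of (section_rva, section_bytes); None if unbacked."""
    for base, blob in sections:
        if base <= rva and rva + size <= base + len(blob):
            return blob[rva - base:rva - base + size]
    return None


def parse_unwind_info(sections, rva):
    """Decode the fixed UNWIND_INFO header, its unwind-code slots and the handler RVA, if any."""
    hdr = read_rva(sections, rva, 4)
    if hdr is None:
        return None
    version_flags, prolog, count, frame = hdr          # Version:3 | Flags:5, SizeOfProlog, CountOfCodes, FrameRegister:4 | FrameOffset:4
    info = {"version": version_flags & 0x7, "flags": version_flags >> 3,
            "size_of_prolog": prolog, "count_of_codes": count,
            "frame_register": frame & 0xF, "frame_offset": (frame >> 4) * 16,
            "codes": [], "exception_handler": None, "chained": None}
    raw = read_rva(sections, rva + 4, 2 * count)
    if raw is None:
        return info
    # each UNWIND_CODE slot: CodeOffset byte, then UnwindOp (low nibble) | OpInfo (high nibble)
    info["codes"] = [(raw[i], raw[i + 1] & 0xF, raw[i + 1] >> 4) for i in range(0, 2 * count, 2)]
    after_codes = rva + 4 + ((count + 1) & ~1) * 2     # the slot array is padded to an even count
    if info["flags"] & (UNW_FLAG_EHANDLER | UNW_FLAG_UHANDLER):
        h = read_rva(sections, after_codes, 4)
        if h is not None:
            info["exception_handler"] = struct.unpack("<I", h)[0]
    elif info["flags"] & UNW_FLAG_CHAININFO:
        c = read_rva(sections, after_codes, RUNTIME_FUNCTION_SIZE)
        if c is not None:
            info["chained"] = struct.unpack("<III", c)
    return info


def parse_pdata(sections, pdata_rva, pdata_size):
    """Walk the RUNTIME_FUNCTION array in .pdata and resolve each entry's UNWIND_INFO."""
    raw = read_rva(sections, pdata_rva, pdata_size)
    if raw is None:
        raise ValueError(".pdata range not backed by any section")
    funcs = []
    for off in range(0, pdata_size - pdata_size % RUNTIME_FUNCTION_SIZE, RUNTIME_FUNCTION_SIZE):
        begin, end, unwind = struct.unpack_from("<III", raw, off)
        if begin == 0 and end == 0 and unwind == 0:
            break                                       # zero padding at the end of the section
        funcs.append({"begin": begin, "end": end, "unwind_rva": unwind,
                      "unwind": parse_unwind_info(sections, unwind)})
    return funcs


def build_sample_x64_sections():
    """Constructed .pdata/.xdata pair (not from a real binary): two functions, one with a handler."""
    xdata = bytearray(0x40)
    xdata[0:4] = bytes([1 | (UNW_FLAG_EHANDLER << 3), 10, 3, 0])   # version 1, EHANDLER, prolog 10, 3 codes
    xdata[4:10] = bytes([10, 0x50, 6, 0x30, 2, 0x70])              # three UWOP_PUSH_NONVOL slots: rbp, rbx, rdi
    struct.pack_into("<I", xdata, 12, 0x1500)                       # handler RVA after the 4 padded slots
    xdata[0x20:0x24] = bytes([1, 4, 1, 0])                          # version 1, no flags, prolog 4, one code
    xdata[0x24:0x26] = bytes([4, 0x50])                             # push rbp
    pdata = struct.pack("<III", 0x1000, 0x1080, 0x5000) + struct.pack("<III", 0x1080, 0x10C0, 0x5020)
    return [(0x4000, bytes(pdata)), (0x5000, bytes(xdata))], 0x4000, len(pdata)


if __name__ == "__main__":
    for f in parse_pdata(*build_sample_x64_sections()):
        print(f"{f['begin']:#x}-{f['end']:#x} prolog={f['unwind']['size_of_prolog']} "
              f"handler={f['unwind']['exception_handler']}")
```

The even-count padding of the slot array is the detail most hand-written parsers get wrong: with an odd `CountOfCodes` the handler RVA sits one slot later than the codes end, and reading it at `4 + 2 * CountOfCodes` returns half of the padding.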