/[RomCheater]/trunk/Win32/Sojaner.MemoryScanner/rva_definition.txt
ViewVC logotype

Contents of /trunk/Win32/Sojaner.MemoryScanner/rva_definition.txt

Parent Directory Parent Directory | Revision Log Revision Log


Revision 336 - (show annotations) (download)
Thu Jun 7 21:47:14 2012 UTC (8 years, 1 month ago) by william
File MIME type: text/plain
File size: 2332 byte(s)

1 ´╗┐parts used from: http://webster.cs.ucr.edu/Page_TechDocs/pe.txt
2 Relative Virtual Addresses
3 --------------------------
4
5 The PE format makes heavy use of so-called RVAs. An RVA, aka "relative
6 virtual address", is used to describe a memory address if you don't know
7 the base address. It is the value you need to add to the base address to
8 get the linear address.
9 The base address is the address the PE image is loaded to, and may vary
10 from one invocation to the next.
11
12 Example: suppose an executable file is loaded to address 0x400000 and
13 execution starts at RVA 0x1560. The effective execution start will then
14 be at the address 0x401560. If the executable were loaded to 0x100000,
15 the execution start would be 0x101560.
16
17 Things become complicated because the parts of the PE-file (the
18 sections) are not necessarily aligned the same way the loaded image is.
19 For example, the sections of the file are often aligned to
20 512-byte-borders, but the loaded image is perhaps aligned to
21 4096-byte-borders. See 'SectionAlignment' and 'FileAlignment' below.
22
23 So to find a piece of information in a PE-file for a specific RVA,
24 you must calculate the offsets as if the file were loaded, but skip
25 according to the file-offsets.
26 As an example, suppose you knew the execution starts at RVA 0x1560, and
27 want to diassemble the code starting there. To find the address in the
28 file, you will have to find out that sections in RAM are aligned to 4096
29 bytes and the ".code"-section starts at RVA 0x1000 in RAM and is 16384
30 bytes long; then you know that RVA 0x1560 is at offset 0x560 in that
31 section. Find out that the sections are aligned to 512-byte-borders in
32 the file and that ".code" begins at offset 0x800 in the file, and you
33 know that the code execution start is at byte 0x800+0x560=0xd60 in the
34 file.
35
36 Then you disassemble and find an access to a variable at the linear
37 address 0x1051d0. The linear address will be relocated upon loading the
38 binary and is given on the assumption that the preferred load address is
39 used. You find out that the preferred load address is 0x100000, so we
40 are dealing with RVA 0x51d0. This is in the data section which starts at
41 RVA 0x5000 and is 2048 bytes long. It begins at file offset 0x4800.
42 Hence. the veriable can be found at file offset
43 0x4800+0x51d0-0x5000=0x49d0.

  ViewVC Help
Powered by ViewVC 1.1.22