Thursday, December 24, 2009

PE File Format

- VA = Image Base + RVA

Relation of File Offset and RVA

Section | RVA | File Offset

.text 0x00001000 0x0400
.rdata 0x00007000 0x6200
.data 0x00009000 0x7400
.rsrc 0x0002D000 0x7800

.text section offset = 0x1000-0x400 = 0xc00
.rdata section offset = 0x7000-0x6200 = 0xE00
.data section offset = 0x9000-0x7400 = 0x1c00
.rsrc section offset = 0x2D000-0x7800 = 0x25800

File offset = VA - Imagebase - section offset
= RVA - section offset

LordPE is a nice tool for PE analysis

Hex Editor : Ultra Edit, Hex Workshop, WinHex

No comments:

Post a Comment