|
|
#1
12-24-2004, 01:06
|
||||
|
||||
|
how to calculate RVA from file offset
Hi,
anyone could post here any how to convert a file offset to its' memory equivalent RVA address .. practically what the RVA converter from Lazarus does...but the question is "how". I'm coding it in C and already have a library/class which gives me all the PE header fields..but I'm not sure of the formula to use. Any help is welcome!
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com 
|
|
#2
12-24-2004, 02:06
|
|||
|
|||
|
Code:
DWORD OffsetToRVA(DWORD offset, IMAGE_SECTION_HEADER *is_hdr, unsigned scount){
// Find section holding the Offset
for(unsigned i = 0; i < scount;i++)
if((offset >= is_hdr[i].PointerToRawData) && (offset <= is_hdr[i].PointerToRawData +is_hdr[i].SizeOfRawData)){
// Convert Offset to RVA
return offset+is_hdr[i].VirtualAddress-is_hdr[i].PointerToRawData;
}
return 0;
}
is_hdr is a array of IMAGE_SECTION_HEADERS and scount is the number of sections (file header) Last edited by Eggi; 12-24-2004 at 03:12.
|
|
#3
12-24-2004, 04:39
|
||||
|
||||
|
10x mate, nice to receive answers here from you ;-)
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com
|
|
#4
12-24-2004, 04:43
|
||||
|
||||
|
for masm:
http://pe-lib.cjb.net there is a newer (unofficial) version of this (0.3d see attachment). code: Code:
invoke plOpenFile,PL_NO_OPEN_DIALOG,chr$("C:\File.exe")
invoke plOffsetToRVA,00000200h
invoke plCloseFile
__________________
Thinking In Bytes
|
|
#5
12-24-2004, 18:14
|
||||
|
||||
|
well, what Eggi posted suits my need excellently, the only thing is that the result must be added to the imagebase but it's ok for the tests I did..
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com
|
|
#6
12-25-2004, 11:46
|
|||
|
|||
|
As I know:
For language such as VC++ MFC, Delphi, VB, the compiler use RVA as event pointer, so File Offset = RVA For language as asm and on, you must use code above to convert RVA to offset
|
|
#7
01-07-2005, 20:25
|
|||
|
|||
|
I've read this article from (iczelion).
It has a section about converting RVA to offset (asm code) I think that it will do what you want(with a little change). h--p://spiff.tripnet.se/~iczelion/pe-tut7.html
|
|
#8
01-07-2005, 23:56
|
|||
|
|||
|
This might come in handy too, straight from the evil empire:
Microsoft Portable Executable and Common Object File Format Specification -- hxxp://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx It doesn't have example code, but it's nice to have around as a reference.
|
|
#9
01-08-2005, 05:08
|
|||
|
|||
|
There is another PE library.
pe library v1.2 - by death http://www.polarhome.com:793/~execution/02/ex-pel12.zip This is a c++ library for pe manipulation. also, the compiled samples are available below. http://www.polarhome.com:793/~execution/02/pelsamples.zip
|
|
#10
09-22-2009, 12:33
|
|||
|
|||
|
i know this is a long time ago post and it was answered but still i found somthing good when i was looking for an answer to this question..
Understanding RVAs and Import Tables - by Sunshine http://www.sunshine2k.de/Tuts/tut_rvait.htm the only thing he didn't say is that the RVA is calculated first by VA(the disassbler shown address) - ImageBase = RVA and then it shows how to calc the offset from the RVA... Regards, LaBBa.
|
 |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| How to calculate the exact size of a piece of code? | zaratustra | General Discussion | 10 | 09-25-2004 13:28 |
| How to obtain the file offset from an RVA??? | yaa | General Discussion | 3 | 07-09-2004 17:26 |
Linear Mode
