) RVA-Explanation of relative virtual addresses

RVA is the abbreviation of relative virtual address. As its name suggests, RVA is a "relative" address, or "offset ", most of the address-related fields in various data structures of PE files are represented by RVA.

Accurately speaking, RVA is the offset of a Data Location relative to the file header when the PE file is loaded into the memory. For example, if the windows loader loads a PE file into the memory at H, and a piece of data in a section is loaded at xxxxh, then, the RVA of the data is (0040xxxxh-00400000 H) = xxxxh. Conversely, you can find the actual address of the data in the memory by adding the RVA value to the base address of the file to be loaded.

The concept of RVA in PE files is that the memory image of PE is different from the disk file image, and the offset of the same data relative to the file header may be different in the memory and in the disk file, to improve efficiency, the PE File Header uses the offset in the memory image, that is, RVA. We can also draw another conclusion from figure 17.3, that is, RVA is only for the data in the section. It does not matter for the file header and the section table, RVA and file offset, since they are mapped to the memory, no change will be made in size or offset.

 

2. Mutual conversion between the virtual address (VRA) and the file offset address (fileoffset) in the Assembly:

+ --------- +

| Segment name virtual address virtual size physical address physical size mark |

+ --------- +

| Name voffset vsize roffset rsize flags |

+ --------- +

|. Text 00001000 00000092 00000400 00000200 |

|. RDATA 00002000 000000f6 00000600 00000200 40000040 |

|. Data 00003000 0000018e 00000800 00000200 c0000040 |

|. Rsrc 00004000 000003a0 00000a00 00000400 c0000040 |

+ --------- +

The formula for calculating the file virtual offset address and file physical offset address is as follows:

 

>>>>>>> Vatofileoffset (virtual address to file offset address)

For example, VA = 00401000 (virtual address)

Imagebase = 00400000 (base address)

Vrk = voffset-roffset = 00001000-00000400 = c00 (obtain the vrk value between the file virtual address and the file physical address)

Fileoffset = va-imagebase-vrk = 00401000-00400000-c00 = 400 (the offset of the physical address of the file)

 

For example, if Va = 00401325, then:

Fileoffset = va-imagebase-vrk = 00401325-00400000-c00 = 725

 

>>>>>> Fileoffsettova (convert the file offset address to the virtual address)

For example, fileoffset = 435 (File offset address)

Va = fileoffset + imagebase + vrk = 435 + 00400000 + c00 = 00401035 (virtual address)

 

Source Document