Block description, alignment value, and RVA (PE description 06)

Source: Internet
Author: User

Many of my friends like to listen to the PE explanation of Tom, because they think that what the teacher explained in the class was omitted, and it was difficult for everyone to go around ~ It's just that little turtle's literary talents are not as good as the professors in the class. They can only describe them in plain words ~

Generally, the data in a block is logically related. A PE file generally has at least two blocks: a code block and a data block. Each block must have a different name, which mainly expresses the purpose of the block. For example, a block named .rdata is a read-only block. Note: blocks are arranged by their starting address (RVA) in the image, not in alphabetical order.

In addition, block names exist only for the convenience of understanding and programming; they mean nothing to the operating system. Microsoft gave these blocks particular names, but this is not required. When a program reads content such as the import table or the export table from a PE file, the block name cannot be used as a reference. The correct method is to locate the content through the fields of the data directory table.

The block name and its meaning in the following table:






Of course, we can also name our own block in Visual C++ by declaring it with #pragma, which tells the compiler to put data into a named block, in the following format:
#pragma data_seg("fc_data")

Do you still remember? The # marks a macro. What is a macro? Put simply, it is something the compiler handles first, before the actual translation, possibly as a mechanical replacement in a specified format. Hey, you need to understand programming when learning to crack ~

The preceding statement tells the compiler to put the data in a block called "fc_data" instead of the default .data block. Blocks generally start out in the OBJ files, where the compiler places them. The linker's job is to merge the blocks needed from the OBJ files and the libraries into the appropriate final blocks. The linker follows a complete set of rules to decide which blocks are merged and how they are merged.

Merge blocks:
An interesting feature of the linker is its ability to merge blocks. If two blocks have similar, consistent attributes, they can be merged into a single block at link time. This depends on whether the /merge switch of the compiler is enabled. One benefit of merging blocks is that it saves disk and memory space ...... Note: we should not merge .rsrc, .reloc, and .pdata into the ** block.



Alignment of blocks:

We have learned that blocks must be aligned, whether they are stored in memory or on disk ~ But the alignment values used in the two cases are generally different.

The FileAlignment field in the PE file header defines the alignment of blocks on disk. Each block starts at a file offset that is a multiple of this alignment value. The actual code or data in a block does not necessarily fill that much space, so the excess is usually filled with 00h; this is the gap between blocks.

For example, a typical file alignment value in a PE file is 200h, so each block starts at a file offset that is a multiple of 200h. Assume the first block is at 400h and its length is 90h: the contents of the block run from 400h to 490h. Because the file alignment value is 200h, the range from 490h to 600h is filled with 00h to make the block length an integer multiple of FileAlignment. This space is called the block gap, and the next block starts at 600h.

The SectionAlignment field in the PE file header defines the alignment of blocks in memory. When a PE file is mapped into memory, a block always starts at least on a page boundary.

On x86-series CPUs, pages are generally 4 KB (1000h); on IA-64, they are 8 KB (2000h). Therefore, on x86 systems the memory alignment value of PE file blocks is generally 1000h, and each block starts in memory at a multiple of 1000h.


Conversion of RVA and file offset

We have discussed the term RVA before, but it is especially strange and baffling for friends who are new to PE files. Chinese people do not like foreigners' abbreviations, but they always ** accept ...... However, with the knowledge covered earlier, we should now be able to talk about this concept. At least it doesn't seem so confusing and helpless ~

RVA is the abbreviation of relative virtual address. As the name suggests, an RVA is a "relative address". In a PE file, most data structures that contain addresses express them as RVAs.

More accurately, an RVA is the offset of a data location relative to the file header once the PE file has been loaded into memory. For example, if the Windows loader loads a PE file into memory at 00400000h and some data in a block is loaded at 0040 ** XH, then the RVA of this data is (0040 ** XH - 00400000h) = ** XH. In other words, adding the RVA to the base address at which the file is loaded gives the actual address of the data in memory.

Figure-based speech:


Obviously, the offset position and size of the DOS file header, PE file header, and block table are not changed. After each block is mapped to the memory, its offset position changes.

RVAs make it easy to locate data after the file has been loaded into memory, but they make it troublesome to locate data in the static PE file on disk. Let's give an example ...... As the example is in the video, I won't write it out here, to save time. Let's see the video demonstration.


How to convert the RVA and file offset?

When processing PE files, any RVA must be converted to a file offset before it can be used to locate and access data in the file, but the conversion cannot be done with a simple formula. In fact, the only available method is the clumsiest one:

Step 1: Loop over the block table to obtain the starting RVA of each block in memory (the VirtualAddress field in IMAGE_SECTION_HEADER), calculate the end RVA of the block from the block size (the SizeOfRawData field in IMAGE_SECTION_HEADER; add the two together), and determine whether the target RVA falls inside the block.

Step 2: Once the target RVA is found to lie in a specific block, subtract the starting RVA of that block from the target RVA. This gives the offset of the target RVA from the start of the block, called RVA2.

Step 3: Obtain the offset of the block in the file from the block table (the PointerToRawData field in IMAGE_SECTION_HEADER) and add it to the RVA2 value obtained in step 2. The result is the real file offset.

To save ink and time, the above steps will be demonstrated in the video ......

Through the above three steps, we can write the program ......
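
The three steps above, written out as an added C example (not code from the original article or its video). The sample image is constructed to match the 200h / 1000h alignment example earlier; NO_OFFSET, rd, wr32 and build_sample are names chosen for this example, and every header read is bounds-checked so that a truncated or malformed file yields NO_OFFSET instead of an out-of-range read.

```c
#include <stdint.h>
#include <stdio.h>
#define NO_OFFSET 0xFFFFFFFFu  /* RVA is not backed by raw data in the file */
/* Bounds-checked little-endian read of w bytes (w = 2 or 4) at off. */
static int rd(const uint8_t *b, size_t n, size_t off, int w, uint32_t *out) {
    if (off > n || (size_t)w > n - off) return 0;
    *out = 0;
    for (int i = 0; i < w; i++) *out |= (uint32_t)b[off + i] << (8 * i);
    return 1;
}
static void wr32(uint8_t *b, size_t off, uint32_t v) {  /* used by the sample */
    for (int i = 0; i < 4; i++) b[off + i] = (uint8_t)(v >> (8 * i));
}

/* Steps 1-3 of the text, applied to a PE file held in buf[0..len). */
uint32_t rva_to_offset(const uint8_t *buf, size_t len, uint32_t rva) {
    uint32_t pe, sig, nsec, optsz, va, rawsz, rawptr;
    if (!rd(buf, len, 0x3C, 4, &pe) || !rd(buf, len, pe, 4, &sig)) return NO_OFFSET;
    if (sig != 0x00004550u) return NO_OFFSET;              /* "PE\0\0" */
    if (!rd(buf, len, (size_t)pe + 6, 2, &nsec) ||         /* NumberOfSections */
        !rd(buf, len, (size_t)pe + 20, 2, &optsz)) return NO_OFFSET;
    size_t tbl = (size_t)pe + 24 + optsz;                  /* block (section) table */
    for (uint32_t i = 0; i < nsec; i++) {
        size_t sh = tbl + 40u * i;                         /* IMAGE_SECTION_HEADER i */
        if (!rd(buf, len, sh + 12, 4, &va) || !rd(buf, len, sh + 16, 4, &rawsz) ||
            !rd(buf, len, sh + 20, 4, &rawptr)) return NO_OFFSET;
        if (rva < va || rva - va >= rawsz) continue;       /* step 1: in this block? */
        uint32_t rva2 = rva - va;                          /* step 2: offset in block */
        if (rawptr >= len || rva2 >= len - rawptr) return NO_OFFSET; /* past EOF */
        return rawptr + rva2;                              /* step 3: file offset */
    }
    return NO_OFFSET;
}

/* Constructed sample: two blocks at file offsets 400h and 600h, RVAs 1000h and 2000h. */
size_t build_sample(uint8_t *img, size_t cap) {
    if (cap < 0x800) return 0;
    for (size_t i = 0; i < 0x800; i++) img[i] = 0;
    wr32(img, 0x3C, 0x80); wr32(img, 0x80, 0x00004550u);   /* e_lfanew, signature */
    img[0x86] = 2; img[0x94] = 0xE0;                       /* 2 blocks, opt. header E0h */
    wr32(img, 0x184, 0x1000); wr32(img, 0x188, 0x200); wr32(img, 0x18C, 0x400);
    wr32(img, 0x1AC, 0x2000); wr32(img, 0x1B0, 0x200); wr32(img, 0x1B4, 0x600);
    return 0x800;
}

int main(void) {
    static uint8_t img[0x800];
    printf("%Xh\n", (unsigned)rva_to_offset(img, build_sample(img, sizeof img), 0x1010));
    return 0;
}
```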
