Basic Structure of PE files-3 tables and RVA Conversion

All the section attributes in the PE file are defined in the section table. The Section Table is arranged by a series of image_section_header structures. Each structure is used to describe a section, the order of the structure is the same as the order of the sections they describe in the file. The end of all valid structures is an empty image_section_header structure. Therefore, the total number of image_section_header structures in the section table is equal to the number of sections plus one. The Section Table is always stored in the place immediately following the PE file header.

The image_section_header structure is defined as follows:

Tishmisc = packed record
Case INTEGER
0: (physicaladdress: DWORD );
1: (virtualsize: DWORD );
End;

Image_sizeof_short_name = 8;

_ Image_section_header = packed record
Name: packed array [0 .. IMAGE_SIZEOF_SHORT_NAME-1] of byte;
Misc: tishmisc;
Virtualaddress: DWORD; // The RVA address of the Section
Sizeofrawdata: DWORD;
Pointertorawdata: DWORD; // offset starting from the file header
Pointertorelocations: DWORD;
Pointertolinenumbers: DWORD;
Numberofrelocations: word;
Numberoflinenumbers: word;
Characteristics: DWORD;
End;
Timagesectionheader = _ image_section_header;
Image_section_header = _ image_section_header;

● Name field

The name field defines the section name. The field length is 8 bytes.

The section name in the PE file is an ANSI character string, but it is not specified to end with 0. If the name string of the section is less than 8 bytes in length, it is followed by 0, however, if the length of a string reaches 8 bytes, there will be no 0 characters after it. Therefore, you must pay attention to the end mode of the string during processing.

The name of each section is unique and cannot have two sections with the same name. However, the name of a section does not represent any meaning. It is just a tag set for ease of viewing, you can select any name or even leave it empty. it is legal to name the section containing code as "data" or the section containing data as "code.

Various compilers name the section in their own way. Therefore, you can see a variety of section names in the PE file, for example, in the executable file generated by masm32, the Code section is named ". text. the section containing read-only data, imported tables, and exported tables is named ". RDATA, and the resource section is named ". rsrc. However, in other compilers, the import table is separately placed in ". idata", and the code section may be named ". Code ".

Conversion of RVA and file offset

The concept of RVA in PE files is that the memory image of PE is different from the disk file image. To improve efficiency, the PE File Header uses the offset in the memory image, that is, RVA. RVA is only for the data in the section. For the file header and the section table, there is no need for RVA and file offset, since they are mapped to the memory, no change will be made in size or offset.

When processing PE files, any RVA must be converted to the file offset:

(1) scan the Section Table cyclically and obtain the starting RVA of each section in the memory (based on the virtualaddress field), and calculate the ending RVA of the section based on the section size (sizeofrawdata field, finally, compare and determine whether the target RVA falls into a specific section.

(2) If the target RVA is in a specific section, use the target RVA to subtract the starting RVA of the Section, and the offset RVA of the target RVA to the starting address of the section is obtained '.

(3) In the section table, obtain the offset (pointertorawdata field) in the section in the file, and add the offset value to the RVA value obtained in the previous step, this is the real offset position of the data in the file.

That is, the starting RVA of Section 1-the offset of the Section in the file = K

2 target RVA-k = file offset