The Portable Executable (PE) file format is the standard format for executable files under Win32, and it is also the main object of reverse engineering. The most common PE files are .EXE files and .DLL files. This article describes the structure of PE files and how to convert virtual memory addresses into file offsets.
Basic Structure of pe files
A basic PE file mainly consists of the following sections:
.text section: generated by the compiler; holds the program's binary machine code and is the main object of attention during debugging.
.data section: data blocks, macro definitions, global variables, static variables, etc.
.idata section: information about the dynamic link libraries and external functions used by the executable.
.rsrc section: resources such as icons, menus, etc.
Several important concepts
The above briefly introduces the basic structure of a PE file. Next we introduce several basic concepts about storage addresses, to prepare for address translation.
File offset address: the offset of a piece of content within the file, relative to the beginning of the file (a - 0). File offsets therefore start at 0 and increase sequentially.
Image base: the base address (0x400000 here) allocated to the file in memory when the program is loaded; in other words, the load address holds the content found at file offset 0.
Virtual address (VA): the address of the content in memory after the file has been loaded (b).
Relative virtual address (RVA): the distance of the content from the load address after the file is loaded into memory (b - 0x400000), i.e. the offset relative to the image base (RVA = VA - image base).
Note: the file offset address is generally not equal to the relative virtual address. The file offset is an offset within the file on disk, and the file is organised in units of 0x200 bytes (512 bytes): the size of each section in the file is a multiple of 0x200 (padded with 0x00 up to the next multiple). The relative virtual address is an offset in memory, and memory is organised in units of 0x1000 bytes (4 KB): the size of each section in memory is a multiple of 0x1000 (again padded with 0x00). The difference between the two for a given section is called the section offset (for the .text section the section offset is (d - 0x400000) - (c - 0), i.e. the padding). The mapping between the two is described next.
Conversion between file offset addresses and virtual memory addresses
Therefore, if we use IDA to obtain the virtual memory address (VA) b, and use LordPE to obtain the section offset (d - c), we can conclude that the file offset a is a = b - 0x400000 - [(d - 0x400000) - (c - 0)], and in general the formula is:
File offset address = VA - image base - section offset
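As an added worked example (not code from the original post), the following Python script reads the image base and the section table directly from the PE headers and applies the formula above: the section offset is the section's VirtualAddress minus its PointerToRawData, so file offset = VA - image base - section offset. The PE image it parses is a constructed 32-bit sample built inline (image base 0x400000, file alignment 0x200, section alignment 0x1000, a .text and a .data section); the function names build_sample_pe, parse_pe, section_offset and va_to_file_offset are hypothetical. It also handles the cases a plain subtraction does not: a VA that falls in the headers, a VA inside a section's memory range but beyond its raw data (such a byte exists in memory but not in the file), and a VA outside every section.

```python
import struct

def build_sample_pe():
    """Constructed minimal PE32 image (sample data, not a real binary).
    ImageBase 0x400000, FileAlignment 0x200, SectionAlignment 0x1000.
    .text: RVA 0x1000, VirtualSize 0x1500, 0x1600 raw bytes at file offset 0x200
    .data: RVA 0x3000, VirtualSize 0x800,  0x200 raw bytes at file offset 0x1800
    """
    buf = bytearray(0x1A00)
    buf[0:2] = b"MZ"                                  # IMAGE_DOS_HEADER magic
    struct.pack_into("<I", buf, 0x3C, 0x40)           # e_lfanew -> NT headers at 0x40
    buf[0x40:0x44] = b"PE\0\0"                        # IMAGE_NT_HEADERS signature
    struct.pack_into("<HHIIIHH", buf, 0x44,           # IMAGE_FILE_HEADER
                     0x014C,   # Machine: i386
                     2,        # NumberOfSections
                     0, 0, 0,  # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
                     0xE0,     # SizeOfOptionalHeader (PE32)
                     0x0102)   # Characteristics: executable image, 32-bit
    opt = 0x58                                        # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", buf, opt, 0x10B)           # Magic: PE32
    struct.pack_into("<I", buf, opt + 28, 0x400000)   # ImageBase
    struct.pack_into("<I", buf, opt + 32, 0x1000)     # SectionAlignment
    struct.pack_into("<I", buf, opt + 36, 0x200)      # FileAlignment
    sec = opt + 0xE0                                  # IMAGE_SECTION_HEADER table
    for i, (name, vsize, rva, rawsize, rawptr) in enumerate([
        (b".text", 0x1500, 0x1000, 0x1600, 0x200),
        (b".data", 0x800, 0x3000, 0x200, 0x1800),
    ]):
        struct.pack_into("<8sIIIIIIHHI", buf, sec + 40 * i,
                         name, vsize, rva, rawsize, rawptr, 0, 0, 0, 0, 0)
    return bytes(buf)

def parse_pe(data):
    """Return (image_base, sections); each section is (name, rva, vsize, rawptr, rawsize)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: ImageBase is a DWORD at optional header + 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:    # PE32+: ImageBase is a QWORD at optional header + 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    table = opt + opt_size
    for i in range(nsec):
        name, vsize, rva, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), rva, vsize, rawptr, rawsize))
    return image_base, sections

def section_offset(data, name):
    """The article's 'section offset' for one section: VirtualAddress - PointerToRawData."""
    for sec_name, rva, _vsize, rawptr, _rawsize in parse_pe(data)[1]:
        if sec_name == name:
            return rva - rawptr
    raise KeyError(name)

def va_to_file_offset(data, va):
    """Map a virtual address to a file offset; None if no byte in the file backs it."""
    image_base, sections = parse_pe(data)
    rva = va - image_base
    if rva < 0:
        return None
    if sections and rva < min(s[1] for s in sections):
        # Headers are mapped 1:1, but only as far as the first section's raw data starts
        return rva if rva < min(s[3] for s in sections) else None
    for _name, sec_rva, vsize, rawptr, rawsize in sections:
        if sec_rva <= rva < sec_rva + max(vsize, rawsize):
            if rva - sec_rva >= rawsize:
                return None     # in memory (zero-filled, .bss-style) but not in the file
            # file offset = VA - image base - section offset
            return rva - (sec_rva - rawptr)
    return None

if __name__ == "__main__":
    pe = build_sample_pe()
    for va in (0x401234, 0x403010, 0x403400, 0x405000):
        off = va_to_file_offset(pe, va)
        print("VA 0x%X -> file offset %s" % (va, "none" if off is None else "0x%X" % off))
```

For the sample image the .text section offset is 0x1000 - 0x200 = 0xE00, so VA 0x401234 maps to file offset 0x401234 - 0x400000 - 0xE00 = 0x434, exactly what the formula in the article gives; VA 0x403400 lies inside .data's memory range but beyond its 0x200 raw bytes, so it has no file offset at all, which is the case to watch for when patching a file on disk.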
This article is from my blog: Introduction to PE files
The above content is based on my understanding after reading 0-day Security: Software Vulnerability Analysis.