VA & RVA
VA (virtual address) is an absolute address in the process's virtual memory. RVA (relative virtual address) is an address relative to a base location (ImageBase). VA and RVA are related by the following conversion:
RVA + ImageBase = VA
Most of the information in the PE (Portable Executable) header is stored in RVA form. The reason is that when a PE file (primarily a DLL) is loaded at a specific location in process virtual memory, that location may already be occupied by another PE file (a DLL, dynamic-link library). The file must then be loaded at another free location through relocation, and if the PE header information used VAs it could no longer be accessed correctly. With RVAs, even if relocation occurs, the specified information can still be accessed normally as long as its address relative to the base location does not change.
Tips:
In a 32-bit Windows OS, each process is allocated 4GB of virtual memory, so the range of VA values in the process is 0000 0000 ~ FFFF FFFF.
RVA to RAW
When the PE file is loaded into memory, the mapping between a memory address and its file offset can be worked out exactly for each section. This mapping is generally called RVA to RAW, and it takes two steps:
- Find the section that contains the RVA.
- Calculate the file offset (RAW) using a simple formula.
According to the IMAGE_SECTION_HEADER structure, the conversion formula is as follows:
RAW - PointerToRawData = RVA - VirtualAddress
Rearranged, this gives:
RAW = RVA - VirtualAddress + PointerToRawData
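The two steps above as a small C routine (an added example, not code from the original post). The section table and SizeOfHeaders value are constructed sample numbers and `section_t` is a hypothetical cut-down stand-in for IMAGE_SECTION_HEADER; the routine also handles RVAs that fall in the headers, in a section's memory-only tail, or in no section at all, which the formula alone does not cover.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical subset of IMAGE_SECTION_HEADER: only the mapping fields. */
typedef struct {
    const char *name;
    uint32_t VirtualAddress;   /* section start, as an RVA */
    uint32_t VirtualSize;      /* size once mapped in memory */
    uint32_t PointerToRawData; /* section start, as a file offset */
    uint32_t SizeOfRawData;    /* bytes actually present in the file */
} section_t;

#define RAW_NONE UINT32_MAX    /* RVA has no backing bytes in the file */

/* Constructed sample layout, not taken from a real binary. */
static const uint32_t SIZE_OF_HEADERS = 0x400;
static const section_t SECTIONS[] = {
    { ".text", 0x1000, 0x7748, 0x0400, 0x7800 },
    { ".data", 0x9000, 0x1BA8, 0x7C00, 0x0800 },
    { ".rsrc", 0xB000, 0x8948, 0x8400, 0x8A00 },
};
#define NSECTIONS (sizeof SECTIONS / sizeof SECTIONS[0])

uint32_t rva_to_raw(uint32_t rva)
{
    if (rva < SIZE_OF_HEADERS)          /* headers sit at offset 0: RAW == RVA */
        return rva;
    for (size_t i = 0; i < NSECTIONS; i++) {
        const section_t *s = &SECTIONS[i];
        if (rva < s->VirtualAddress)
            continue;
        uint32_t delta = rva - s->VirtualAddress;
        if (delta >= s->VirtualSize)
            continue;                   /* step 1: RVA is not in this section */
        if (delta >= s->SizeOfRawData)
            return RAW_NONE;            /* mapped in memory only, no file bytes */
        return delta + s->PointerToRawData; /* step 2: the formula */
    }
    return RAW_NONE;                    /* gap between sections or past the image */
}

int main(void)
{
    printf("RVA 0x5000 -> RAW 0x%X\n", (unsigned)rva_to_raw(0x5000));
    printf("RVA 0x9900 -> RAW 0x%X\n", (unsigned)rva_to_raw(0x9900));
    return 0;
}
```

An RVA such as 0x9900 lies inside .data in memory but past its SizeOfRawData, so applying the formula blindly would return an offset that belongs to the next section's file data.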