Basic knowledge
1. Virtual Address and offset Conversion
Because Windows programs run in 386 protected mode, the logical address a program uses to access memory in protected mode is called a virtual address (VA). Similar to the segment address in real-address mode, a virtual address can also be written in the form "segment:offset", where the segment is a segment selector.
The starting address of the executable in memory is called the base address (ImageBase). In Windows NT the default value is 10000h; for DLLs the default value is 400000h. In Windows 9x, 10000h cannot be used to load 32-bit executables because that address lies in the linear address region shared by all processes, so Microsoft changed the default base address of Win32 executables to 400000h.
The relative virtual address (RVA) is the offset of a memory address from the base address. That is: relative virtual address (RVA) = virtual address (VA) - base address (ImageBase).
The address of a byte in the file differs from its address in memory; the address in the file is expressed as a file offset.
The address values displayed by SoftICE and W32Dasm are memory addresses (memory offsets), i.e. virtual addresses (VA). The addresses displayed by hex editors such as Hiew and Hex Workshop are file addresses, called file offsets or raw offsets.
In practice, you can use an RVA/offset converter to find the RVA and file offset of a string quickly.
Taking pc_offset (CD\tools\offset) as an example of converting a virtual address (VA) to a file offset for use in a hex editor: run the tool, open the Notepad program, enter the virtual address in the memory address field (memory address: 40117d) and click the "do it" button; the file offset is displayed, as shown in Figure 1.
(Figure 1) Converting a memory virtual address to a file offset
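As an added example (not part of the original tutorial or of the pc_offset tool), the following Python script performs the same conversion by reading the PE headers: RVA = VA - ImageBase, then locate the section whose range contains the RVA and add its PointerToRawData. The PE header bytes are constructed inline to mimic a typical Notepad layout (ImageBase 400000h, .text at RVA 1000h and raw offset 400h), so VA 40117Dh maps to file offset 57Dh; those section values are assumptions, not read from the real Notepad.

```python
import struct

def parse_pe(data):
    """Return (ImageBase, sections) from PE headers; each section is (name, rva, vsize, raw_size, raw_ptr)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, opt_size = struct.unpack_from("<H", data, e_lfanew + 6)[0], struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # IMAGE_OPTIONAL_HEADER follows the 20-byte file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # PE32 keeps a 32-bit ImageBase at offset 28; PE32+ keeps a 64-bit one at offset 24
    image_base = struct.unpack_from("<I", data, opt + 28)[0] if magic == 0x10B else struct.unpack_from("<Q", data, opt + 24)[0]
    sections = []
    for i in range(num_sections):            # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), rva, vsize, raw_size, raw_ptr))
    return image_base, sections

def rva_to_offset(rva, sections):
    """File offset for an RVA, or None when the RVA has no bytes in the file (uninitialised data, unmapped gap)."""
    for _name, sec_rva, vsize, raw_size, raw_ptr in sections:
        if sec_rva <= rva < sec_rva + max(vsize, raw_size):
            delta = rva - sec_rva
            return raw_ptr + delta if delta < raw_size else None
    return rva if sections and rva < sections[0][1] else None   # headers are mapped 1:1 from file offset 0

def va_to_offset(va, data):
    """VA -> RVA -> file offset, the same steps an RVA/offset converter such as pc_offset performs."""
    image_base, sections = parse_pe(data)
    rva = va - image_base
    return rva_to_offset(rva, sections) if rva >= 0 else None

def build_sample_pe():
    """Constructed PE32 headers only (assumed Notepad-like layout, not the real file): ImageBase 400000h, .text RVA 1000h at raw 400h, .data RVA 7000h at raw 6400h."""
    e_lfanew, opt_size = 0x40, 224
    dos = bytearray(e_lfanew); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 28, 0x400000)
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x5A00, 0x1000, 0x6000, 0x400, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".data", 0x2000, 0x7000, 0x800, 0x6400, 0, 0, 0, 0, 0xC0000040)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + secs

if __name__ == "__main__":
    for va in (0x40117D, 0x407100, 0x408000):   # 408000h lies in .data's virtual range but beyond its raw data
        print("VA %08X -> file offset %s" % (va, va_to_offset(va, build_sample_pe())))
```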