Hey everybody,

Let's say I've loaded a PE executable into memory and suited it with DOS and NT header structures, and now I want to find out its .text/code segment's actual (not VA) offset + size. How do I do that? Is there a Win32 API for finding the .text start offset, or maybe a pointer from a structure that points to the start offset of that segment?

Thanks.

+1  A: 

The IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER have some of this information. You can retrieve them with the GetNTHeaders() function. From there, you can get the first section header with IMAGE_FIRST_SECTION (pNtHeaders). The section headers are sequential, and hold the rest of the information you are interested in. The file header contains the number of sections.

Vanessa MacDougal
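The section-header walk described in the answer above, as an added example that is not part of the original answers: portable C that reads a raw file buffer by field offset instead of through the `<windows.h>` structures and returns the section's `PointerToRawData` and `SizeOfRawData`. The names `pe_find_section` and `make_sample` are hypothetical, and the sample buffer is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian readers so the parser behaves the same on any host. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Hypothetical helper: 0 on success, filling the file offset and size (not VA). */
int pe_find_section(const uint8_t *buf, size_t len, const char *name,
                    uint32_t *raw_off, uint32_t *raw_size)
{
    if (len < 0x40 || rd16(buf) != 0x5A4D) return -1;            /* "MZ" */
    uint32_t nt = rd32(buf + 0x3C);                                /* e_lfanew */
    if (nt > len || len - nt < 24 || rd32(buf + nt) != 0x4550) return -1; /* "PE\0\0" */
    uint16_t nsec  = rd16(buf + nt + 6);                           /* NumberOfSections */
    uint16_t optsz = rd16(buf + nt + 20);                          /* SizeOfOptionalHeader */
    size_t sec = (size_t)nt + 24 + optsz;      /* same address IMAGE_FIRST_SECTION yields */
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {               /* 40-byte headers, sequential */
        if (sec > len || len - sec < 40) return -1;                /* table runs past the buffer */
        const uint8_t *h = buf + sec;
        if (strncmp((const char *)h, name, 8) != 0) continue;      /* Name[8] may lack a NUL */
        uint32_t size = rd32(h + 16), off = rd32(h + 20);          /* SizeOfRawData, PointerToRawData */
        if (off > len || size > len - off) return -2;              /* raw data not inside the file */
        *raw_off = off;
        *raw_size = size;
        return 0;
    }
    return -3;                                                     /* no section with that name */
}

/* Constructed sample: 1 KiB skeleton holding a single ".text" section header. */
size_t make_sample(uint8_t *b, size_t cap)
{
    if (cap < 0x400) return 0;
    memset(b, 0, 0x400);
    b[0] = 'M'; b[1] = 'Z'; b[0x3C] = 0x80;                        /* e_lfanew = 0x80 */
    memcpy(b + 0x80, "PE\0\0", 4);
    b[0x86] = 1; b[0x94] = 0xE0;               /* NumberOfSections, SizeOfOptionalHeader */
    uint8_t *h = b + 0x80 + 24 + 0xE0;                             /* first section header */
    memcpy(h, ".text", 5);
    h[17] = 0x02; h[21] = 0x02;                /* SizeOfRawData = PointerToRawData = 0x200 */
    return 0x400;
}

int main(void)
{
    uint8_t b[0x400]; uint32_t off, size;
    if (pe_find_section(b, make_sample(b, sizeof b), ".text", &off, &size) == 0)
        printf(".text: file offset 0x%x, size 0x%x\n", (unsigned)off, (unsigned)size);
    return 0;
}
```

The bounds checks matter when the file is untrusted: `e_lfanew`, `NumberOfSections` and the raw-data fields are all attacker-controlled values in a malformed PE.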
A: 

Try using the PE File Format DLL to get the information. Full source code provided with, non-GPL encumbered, so you can use it in your commercial project just fine.

Also available (with source) is the PE File Explorer to show you how to use the DLL. pro

Stephen Kellett