I've opened up a program I wrote with ImageHlp.dll to play around with it a little, and I noticed that there seem to be large gaps in the file. As I understand it, for each PE section, the section header gives its offset in the file as PhysicalAddress, and its size as SizeOfRawData, and thus everything from PhysicalAddress to PhysicalAddress + SizeOfRawData ought to be that section. But there are large swaths of the EXE file that aren't covered by these ranges, so I must be missing something.

I know I can use ImageRVAToSection and give it an RVA address to find out which section that RVA is located in. Is there any way to do something similar with file offsets? How can I find out which PE section byte $ED178 or whatever belongs to?
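
An added example, not code from the question or any of the answers: it walks the section table of a PE file with Python's `struct` module, takes each header's PointerToRawData and SizeOfRawData as that section's [start, end) range on disk, maps a file offset to the section covering it, and lists the byte ranges no section claims (alignment padding between sections and anything after the last one). The image it parses is a constructed toy PE32, not a real executable.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)

def parse_sections(data):
    """Return ([(name, PointerToRawData, SizeOfRawData)], file offset where the section table ends)."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_FMT, data, table + i * SECTION_SIZE)
        sections.append((f[0].rstrip(b"\0").decode("ascii", "replace"), f[4], f[3]))
    return sections, table + num_sections * SECTION_SIZE

def section_for_offset(data, offset):
    """Name of the section whose raw data covers the file offset, or None if it lies in a gap."""
    for name, start, size in parse_sections(data)[0]:
        if size and start <= offset < start + size:
            return name
    return None

def uncovered_ranges(data):
    """File ranges [start, end) after the section table that no section's raw data covers."""
    sections, cursor = parse_sections(data)
    gaps = []
    for start, end in sorted((p, p + n) for _, p, n in sections if n):
        if start > cursor:
            gaps.append((cursor, start))   # padding between sections (file alignment)
        cursor = max(cursor, end)
    if cursor < len(data):
        gaps.append((cursor, len(data)))   # trailing data: debug info, certificates, overlay
    return gaps

def build_sample_pe():  # constructed toy PE32 image for the demo, not a real executable
    secs = [(b".text", 0x200, 0x100), (b".data", 0x400, 0x80)]  # name, file offset, raw size
    img = bytearray(0x500)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                    # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    for i, (name, ptr, size) in enumerate(secs):
        struct.pack_into(SECTION_FMT, img, 0x40 + 24 + 0xE0 + i * SECTION_SIZE,
                         name, size, 0x1000 * (i + 1), size, ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(img)
```

Run against a real file, `uncovered_ranges` shows exactly the swaths the question describes: padding up to the next file-alignment boundary, plus anything stored past the last section that the section table never references.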

+1  A: 

Edit: Sorry, I didn't read your question carefully enough.

Doing some looking, I'm finding a few files like you mentioned, where the data in the section headers doesn't cover the entire contents of the file. Most of those I've found so far contain a debug record that's not covered. There are a few others with discrepancies I haven't been able to figure out yet, though. When/if I can figure out more, I'll add it.

Jerry Coffin
Yeah, I explained how I did that and it doesn't work. There are a bunch of gaps that aren't covered by any of the ranges described by this formula. I don't suppose you know why that is?
Mason Wheeler
A: 

I posted in http://stackoverflow.com/questions/3010741/how-does-one-use-virtualallocex-do-make-room-for-a-code-cave/3010909#3010909 a code fragment which examines PEs currently loaded in memory. Probably you will find the answer to your question if you compare the contents of the DLL in memory with the contents on disk (which is what ImageHlp.dll shows).

Oleg
A: 

You might be interested in the tool PeStudio, which shows PhysicalAddress, SizeOfRawData, etc. (and thus the caves) of any executable file.

marc ochsenmeier