tags:

views:

61

answers:

1
+1  Q: 

How to understand the PE header in this graph?

alt text

IMO,this should hold:

rva = raw - imagebase

which is not the case in the graph,why?

+1  A: 

The entry point RVA, entry point raw address, and image base address are not related in that way.

The image base is the "preferred address of the first byte of the image when it is loaded in memory". In other words, it's the virtual address of the image when it gets loaded assuming there's not a conflict. If there is an address conflict when the image is loaded (e.g. another image is already loaded in an overlapping range), then a new base address will be chosen for the image.

An RVA is a relative virtual address. It is "relative" in the sense that it is changed when the image is actually loaded. It's the address when the base address is not known (e.g. when the image isn't loaded). Once the image is loaded, the RVA becomes a virtual address (VA), an actual address in virtual memory.

The raw vs. RVA distinction is due to alignment. There is section alignment (the alignment of the sections when they get loaded into memory) as well as file alignment (the alignment of the raw data in the sections). The section alignment here is 0x1000 while the file alignment is 0x200.

The entry point RVA is used to determine the VA of the entry point when the image is loaded (i.e. the entry point will be located at virtual address EntryPoint (rva) + ImageBase). The entry point raw address is the offset into the file where the entry point is located.

This document has a good explanation of alignment.

Chris Schmich  2010-09-19 14:04:50
I don't quite understand what you mean by `offset into the file where the entry point is located`,can you elaborate it?
COMer  2010-09-19 15:05:09
I might be incorrect, but my understanding is that the entry point has an address in memory when loaded (RVA + image base), and an "address" on disk when the image is not loaded. The "address" on disk is really just the offset into the file. So, if you wanted to start disassembling the entry point without having to first load the image, you would seek to the raw entry point address in the file.
Chris Schmich  2010-09-19 22:16:05
The `EntryPoint (rva)` should be calculated based on `EntryPoint (raw)` during image loading ,is that right?
wamp  2010-09-25 03:43:28
The entry point at runtime will be at `Entry Point (rva) + ImageBase` (the image base address can change from the default specified in the DLL if there is a load conflict due to another DLL already being loaded at that address).
Chris Schmich  2010-09-25 07:46:41

related questions

Why is my PE file invalid?
Modifying .rdata unicode strings from windows PE files
Windows PE - Where and how are strings stored if not in resources?
When does the PE file format IAT function addresses get set
Patching a PE executable
How to use WM2003 binary (dll) on Windows Mobile 6.1 (WM6.1) device ? (PE-loader can't accept old binaries)
Strange Value in EXE header!
Find out where PE file ends through PE header?
PE Header Requirements
Write a value into PE file
protect c++ output file(pe file) from editing using crc
How to protect PE file resources(string,image....) ?
Find Windows DLLs not compiled with SafeSEH
How to create an "empty" space in an executable at a definite address (gcc,linux)?
How can I read the headers from a WinNT portable executable file using Perl?
Native Linux app to edit Win32 PE like ResHacker
What does the /TSAWARE linker flag do to the PE executable?
Deterministic builds under Windows
Scriptable Windows Disassembler [non cygwin]
What is the MZ signature in a PE file for?
Installing .NET framework from USB drive when necessary.
Executable sections marked as "execute" AND "read"?
Converting kernel image from ELF to PE
What is the smallest possible Windows (PE) executable?
How the basic link process works for ELF and PE