I don't know what to do.
I don't understand anything.
I am at a point where I cannot advance without understanding RVA to Offset.
I saw C code but I want to make it in ASM.
I don't understand the C code; when I try with a DLL that POPE analyzed I find the same,
but when it comes to finding where it is hidden in memory, I don't.
I attach two images with my results.
I don't want to copy any source code, I want to understand.
I only list 16 sections. For Microsoft there can be 96 sections. My screen (27") is not wide enough!
Could someone help me with my images, if possible?
Thank You / Merci
Hi Philippe,
You could try searching the net for Iczelion's Portable Executable Tutorial in asm.
Hi Vortex,
Iczelion has 32-bit code; mine is 64-bit code.
I had enough problems with structures that were supposed to be for 64 bits but turned out to be for 32 bits!
I will take a look.
On the MASM64 forum there is nothing on that point, nor in the POASM forum where you are a Moderator.
Thank You Eroll
Philippe
https://tech-zealots.com/malware-analysis/understanding-concepts-of-va-rva-and-offset/
Thanks Timo,
I already have it, but when I try to make it in ASM what I do is wrong, FALSE.
It is the reason that I want to understand. Copying what others did is too easy.
But I think you rewrote the source; in fact my problem must be that I don't give the right RVA.
In my program what I display is good, but only Virtual.
I will work with what you did.
Thank You very much.
Philippe
Hi Philippe,
Here are some PE structures adapted for Poasm 64-bit:
IMAGE_NUMBEROF_DIRECTORY_ENTRIES equ 16         ; referenced by DataDirectory below, so define it first

IMAGE_DOS_HEADER STRUCT                         ; 64 bytes at file offset 0
    e_magic    WORD ?                           ; "MZ" (5A4Dh)
    e_cblp     WORD ?
    e_cp       WORD ?
    e_crlc     WORD ?
    e_cparhdr  WORD ?
    e_minalloc WORD ?
    e_maxalloc WORD ?
    e_ss       WORD ?
    e_sp       WORD ?
    e_csum     WORD ?
    e_ip       WORD ?
    e_cs       WORD ?
    e_lfarlc   WORD ?
    e_ovno     WORD ?
    e_res      WORD 4 dup(?)
    e_oemid    WORD ?
    e_oeminfo  WORD ?
    e_res2     WORD 10 dup(?)
    e_lfanew   DWORD ?                          ; file offset of IMAGE_NT_HEADERS64 (the "PE\0\0" signature)
IMAGE_DOS_HEADER ENDS

IMAGE_FILE_HEADER STRUCT                        ; 20 bytes
    Machine              WORD ?                 ; 8664h for x64
    NumberOfSections     WORD ?                 ; number of IMAGE_SECTION_HEADER entries after the optional header
    TimeDateStamp        DWORD ?
    PointerToSymbolTable DWORD ?
    NumberOfSymbols      DWORD ?
    SizeOfOptionalHeader WORD ?                 ; add to the OptionalHeader address to reach the section table
    Characteristics      WORD ?
IMAGE_FILE_HEADER ENDS

IMAGE_DATA_DIRECTORY STRUCT                     ; 8 bytes
    VirtualAddress DWORD ?                      ; an RVA, not a file offset: convert it through the section table
    isize          DWORD ?                      ; Size in the SDK; renamed because SIZE is an assembler operator
IMAGE_DATA_DIRECTORY ENDS

IMAGE_OPTIONAL_HEADER64 STRUCT                  ; 240 bytes (PE32+)
    Magic                       WORD ?          ; 20Bh = PE32+
    MajorLinkerVersion          BYTE ?
    MinorLinkerVersion          BYTE ?
    SizeOfCode                  DWORD ?
    SizeOfInitializedData       DWORD ?
    SizeOfUninitializedData     DWORD ?
    AddressOfEntryPoint         DWORD ?         ; RVA
    BaseOfCode                  DWORD ?         ; the 32-bit header has BaseOfData after this; PE32+ does not
    ImageBase                   QWORD ?         ; QWORD here, DWORD in IMAGE_OPTIONAL_HEADER32
    SectionAlignment            DWORD ?
    FileAlignment               DWORD ?
    MajorOperatingSystemVersion WORD ?
    MinorOperatingSystemVersion WORD ?
    MajorImageVersion           WORD ?
    MinorImageVersion           WORD ?
    MajorSubsystemVersion       WORD ?
    MinorSubsystemVersion       WORD ?
    Win32VersionValue           DWORD ?
    SizeOfImage                 DWORD ?
    SizeOfHeaders               DWORD ?         ; RVAs below this lie in the headers, which are not relocated
    CheckSum                    DWORD ?
    Subsystem                   WORD ?
    DllCharacteristics          WORD ?
    SizeOfStackReserve          QWORD ?         ; these four are QWORD in PE32+, DWORD in the 32-bit header
    SizeOfStackCommit           QWORD ?
    SizeOfHeapReserve           QWORD ?
    SizeOfHeapCommit            QWORD ?
    LoaderFlags                 DWORD ?
    NumberOfRvaAndSizes         DWORD ?         ; how many DataDirectory entries are valid
    DataDirectory               IMAGE_DATA_DIRECTORY IMAGE_NUMBEROF_DIRECTORY_ENTRIES dup(<>)  ; index 5 = base relocations
IMAGE_OPTIONAL_HEADER64 ENDS

IMAGE_NT_HEADERS64 STRUCT
    Signature      DWORD ?                      ; "PE\0\0" (00004550h)
    FileHeader     IMAGE_FILE_HEADER <>
    OptionalHeader IMAGE_OPTIONAL_HEADER64 <>
IMAGE_NT_HEADERS64 ENDS

IMAGE_EXPORT_DIRECTORY STRUCT                   ; all Address* fields are RVAs
    Characteristics       DWORD ?
    TimeDateStamp         DWORD ?
    MajorVersion          WORD ?
    MinorVersion          WORD ?
    nName                 DWORD ?               ; Name in the SDK: RVA of the DLL name string (prefixed, NAME is reserved)
    nBase                 DWORD ?               ; Base in the SDK: the first ordinal number
    NumberOfFunctions     DWORD ?
    NumberOfNames         DWORD ?
    AddressOfFunctions    DWORD ?               ; RVA of the export address table
    AddressOfNames        DWORD ?               ; RVA of the name pointer table
    AddressOfNameOrdinals DWORD ?               ; RVA of the ordinal table (WORD entries)
IMAGE_EXPORT_DIRECTORY ENDS
Hi Vortex,
I have read the file and the data are good.
https://www.mediafire.com/file/btps66gkfpg8kk4/Debug.7z/file
This link will show you my data compared with POPE and Timo's program.
My problem is computing the file offset.
The program is loaded in memory with MapViewOfFile.
I computed some data by hand to verify I had understood.
Here are the notes I took:
Search for IMAGE_DATA_DIRECTORY entries.
Do not process those whose VirtualAddress AND Size entries are both 0.
VirtualAddress can be 0 and Size > 0.
On the other hand VirtualAddress > 0 and Size = 0 => Error.
IMAGE_IMPORT_DIRECTORY is the last 16-element structure of IMAGE_OPTIONAL_HEADER.
Immediately after the IMAGE_OPTIONAL_HEADER is the sections table (multiple IMAGE_SECTION_HEADER).
In the IMAGE_DATA_DIRECTORY table there are entries which are also in the sections table.
On the other hand, in the sections table not all the entries are found in the directories table.
Find an IMAGE_DATA_DIRECTORY entry in IMAGE_SECTION_HEADER:
For example, search DataDirectory[BaseRelocationTable (5)] among the list of sections.
We take DataDirectory[BaseRelocationTable (5)].VirtualAddress and compare with
IMAGE_SECTION_HEADER.VirtualAddress. If the two values match
we can calculate the address in memory.
File loaded at address 0x0000000003390000
RVA - Virtual Offset + Raw Offset
The RVA is 65000 (Virtual Addr)
The VirtualOffset is 5FC00 (Ptr Raw Data)
RawOffset is 644 (VirtualSize)
So the offset is 65000 - 5FC00 + 644
=> (0x65000 - 0x5FC00) + 0x644
=> (0x5400) + 0x644
=> 0x5400 + 0x644
=> 0x5A44
That's all, but I would accept help for understanding, not source code.
I don't want to make it in C, only assembly x64.
Copying what another did doesn't help to understand.
Thank You and Good day.
Philippe
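A worked RVA-to-file-offset routine, added here as an example; it is not code from any poster in the thread. It is written in C so that it can be compiled and checked on any machine, and it uses the same header layouts as Vortex's Poasm STRUCTs above plus IMAGE_SECTION_HEADER, the one structure the conversion actually reads. It runs against a constructed headers-only PE64 stub: the section names, RVAs, sizes, file pointers and the RVA_NOT_FOUND sentinel are all assumptions made for this example, not values from Philippe's DLL. It covers the two steps in Philippe's notes (find the section whose VirtualAddress range contains the RVA, then compute the offset from that section's PointerToRawData) and also the cases a parser meets on real files: an RVA inside the headers, an RVA in the zero-filled tail of a section that has no bytes on disk, an RVA no section covers, and a data directory entry that is all zero.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* PE64 layouts, field-for-field the Poasm STRUCTs posted above, plus IMAGE_SECTION_HEADER. */
#define IMAGE_DOS_SIGNATURE 0x5A4D      /* "MZ" */
#define IMAGE_NT_SIGNATURE  0x00004550  /* "PE\0\0" */
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
#define RVA_NOT_FOUND 0xFFFFFFFFu       /* sentinel chosen for this example, not a Windows constant */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t e_rest[58]; uint32_t e_lfanew; } IMAGE_DOS_HEADER;
typedef struct { uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp, PointerToSymbolTable,
                 NumberOfSymbols; uint16_t SizeOfOptionalHeader, Characteristics; } IMAGE_FILE_HEADER;
typedef struct { uint32_t VirtualAddress, Size; } IMAGE_DATA_DIRECTORY;
typedef struct {                        /* 240 bytes, same field order as the Poasm version */
    uint16_t Magic; uint8_t MajorLinkerVersion, MinorLinkerVersion;
    uint32_t SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode;
    uint64_t ImageBase; uint32_t SectionAlignment, FileAlignment;
    uint16_t MajorOperatingSystemVersion, MinorOperatingSystemVersion, MajorImageVersion, MinorImageVersion,
             MajorSubsystemVersion, MinorSubsystemVersion;
    uint32_t Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum; uint16_t Subsystem, DllCharacteristics;
    uint64_t SizeOfStackReserve, SizeOfStackCommit, SizeOfHeapReserve, SizeOfHeapCommit;
    uint32_t LoaderFlags, NumberOfRvaAndSizes; IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER64;
typedef struct { uint32_t Signature; IMAGE_FILE_HEADER FileHeader;
                 IMAGE_OPTIONAL_HEADER64 OptionalHeader; } IMAGE_NT_HEADERS64;
typedef struct {                        /* 40 bytes; one per section, right after the optional header */
    uint8_t  Name[8];
    uint32_t VirtualSize;               /* bytes the section occupies once mapped */
    uint32_t VirtualAddress;            /* RVA of the section in memory */
    uint32_t SizeOfRawData;             /* bytes actually stored in the file */
    uint32_t PointerToRawData;          /* file offset of those bytes */
    uint32_t PointerToRelocations, PointerToLinenumbers; uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics;
} IMAGE_SECTION_HEADER;
#pragma pack(pop)

/* Locate IMAGE_NT_HEADERS64 in a raw, unmapped file image; every read is bounds-checked first.
   The section table follows the optional header: step over SizeOfOptionalHeader, never sizeof. */
static const IMAGE_NT_HEADERS64 *FindNtHeaders(const uint8_t *image, size_t len)
{
    const IMAGE_DOS_HEADER *dos = (const IMAGE_DOS_HEADER *)image;
    if (len < sizeof(IMAGE_NT_HEADERS64) || dos->e_magic != IMAGE_DOS_SIGNATURE ||
        dos->e_lfanew > len - sizeof(IMAGE_NT_HEADERS64)) return NULL;
    const IMAGE_NT_HEADERS64 *nt = (const IMAGE_NT_HEADERS64 *)(image + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE) return NULL;
    size_t table = dos->e_lfanew + offsetof(IMAGE_NT_HEADERS64, OptionalHeader) + nt->FileHeader.SizeOfOptionalHeader;
    if (table + (size_t)nt->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER) > len) return NULL;
    return nt;
}

/* File offset = PointerToRawData + (rva - VirtualAddress) of the section whose range contains rva. */
uint32_t RvaToOffset(const uint8_t *image, size_t len, uint32_t rva)
{
    const IMAGE_NT_HEADERS64 *nt = FindNtHeaders(image, len);
    if (!nt) return RVA_NOT_FOUND;
    if (rva < nt->OptionalHeader.SizeOfHeaders) return rva;   /* headers: mapped 1:1, nothing to convert */
    const IMAGE_SECTION_HEADER *s = (const IMAGE_SECTION_HEADER *)((const uint8_t *)nt + offsetof(IMAGE_NT_HEADERS64, OptionalHeader) + nt->FileHeader.SizeOfOptionalHeader);
    for (uint16_t i = 0; i < nt->FileHeader.NumberOfSections; i++) {
        uint32_t extent = s[i].VirtualSize ? s[i].VirtualSize : s[i].SizeOfRawData;
        if (rva < s[i].VirtualAddress || rva - s[i].VirtualAddress >= extent) continue;
        uint32_t delta = rva - s[i].VirtualAddress;
        if (delta >= s[i].SizeOfRawData) return RVA_NOT_FOUND;  /* zero-filled tail: exists in memory only */
        return s[i].PointerToRawData + delta;
    }
    return RVA_NOT_FOUND;                                       /* no section covers this RVA */
}

/* Resolve DataDirectory[index] to a file offset; an all-zero entry means the directory is absent. */
uint32_t DirectoryToOffset(const uint8_t *image, size_t len, unsigned index)
{
    const IMAGE_NT_HEADERS64 *nt = FindNtHeaders(image, len);
    if (!nt || index >= IMAGE_NUMBEROF_DIRECTORY_ENTRIES || index >= nt->OptionalHeader.NumberOfRvaAndSizes) return RVA_NOT_FOUND;
    IMAGE_DATA_DIRECTORY d = nt->OptionalHeader.DataDirectory[index];   /* copy: no pointer into a packed struct */
    if (d.VirtualAddress == 0 && d.Size == 0) return RVA_NOT_FOUND;
    return RvaToOffset(image, len, d.VirtualAddress);
}

/* Constructed headers-only PE64 stub (sample data for this example, not a real binary). Section bodies
   are omitted on purpose: the conversion reads only the section table. buf must hold 0x400 bytes. */
static size_t BuildStub(uint8_t *buf)
{
    IMAGE_DOS_HEADER dos = { .e_magic = IMAGE_DOS_SIGNATURE, .e_lfanew = 0x40 };
    IMAGE_NT_HEADERS64 nt = { .Signature = IMAGE_NT_SIGNATURE };
    nt.FileHeader.NumberOfSections = 3; nt.FileHeader.SizeOfOptionalHeader = sizeof(IMAGE_OPTIONAL_HEADER64);
    nt.OptionalHeader.Magic = 0x20B; nt.OptionalHeader.SizeOfHeaders = 0x400;   /* 0x20B = PE32+ */
    nt.OptionalHeader.NumberOfRvaAndSizes = IMAGE_NUMBEROF_DIRECTORY_ENTRIES;
    nt.OptionalHeader.DataDirectory[1] = (IMAGE_DATA_DIRECTORY){ 0x2100, 0x50 };  /* import table     */
    nt.OptionalHeader.DataDirectory[5] = (IMAGE_DATA_DIRECTORY){ 0x3000, 0x40 };  /* base relocations */
    IMAGE_SECTION_HEADER secs[3] = {
        { .Name = ".text",  .VirtualSize = 0x1A0,  .VirtualAddress = 0x1000, .SizeOfRawData = 0x200, .PointerToRawData = 0x400 },
        { .Name = ".data",  .VirtualSize = 0x1000, .VirtualAddress = 0x2000, .SizeOfRawData = 0x200, .PointerToRawData = 0x600 },
        { .Name = ".reloc", .VirtualSize = 0x40,   .VirtualAddress = 0x3000, .SizeOfRawData = 0x200, .PointerToRawData = 0x800 },
    };
    memcpy(buf, &dos, sizeof dos);
    memcpy(buf + dos.e_lfanew, &nt, sizeof nt);
    memcpy(buf + dos.e_lfanew + sizeof nt, secs, sizeof secs);
    return 0x400;
}

/* Wrappers over the constructed stub, so each lookup is a single call. */
uint32_t SampleRvaToOffset(uint32_t rva) { uint8_t b[0x400] = {0}; size_t n = BuildStub(b); return RvaToOffset(b, n, rva); }
uint32_t SampleDirToOffset(unsigned i)   { uint8_t b[0x400] = {0}; size_t n = BuildStub(b); return DirectoryToOffset(b, n, i); }
```

The three numbers that matter are the section's VirtualAddress (its RVA), its PointerToRawData (its raw file offset) and its VirtualSize (which only bounds the lookup). With the stub above, RVA 0x2100 lies in .data, so the offset is 0x600 + (0x2100 - 0x2000) = 0x700; RVA 0x2800 is inside .data's VirtualSize but past its 0x200 bytes of raw data, so it has no file offset at all, which is why the routine returns the sentinel rather than a number that would point into the next section on disk. The same routine works on a MapViewOfFile view of the file, since that view is the raw file, not the loaded image.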