
Author Topic: RVA / Physical Address

Offline HellOfMice

  • Member
  • *
  • Posts: 362
  • Never be pleased, always improve
RVA / Physical Address
« on: January 03, 2025, 08:30:17 PM »
I don't know what to do.
I don't understand anything.
I am at a point where I cannot advance without understanding the RVA to Offset conversion.
I saw C code but I want to make it in ASM.
I don't understand the C code; when I try with a DLL that POPE analyzed I find the same values,
but when I get to finding where it is hidden in memory I don't.
I have attached images with my results.
I don't want to copy any source code, I want to understand.
I only list 16 sections. For Microsoft there can be 96 sections. My screen (27") is not wide enough!

Could someone help me with my images if possible.


Thank You / Merci
« Last Edit: January 03, 2025, 08:32:30 PM by HellOfMice »
--------------------------------
Kenavo

Offline Vortex

  • Member
  • *
  • Posts: 976
    • http://www.vortex.masmcode.com
Re: RVA / Physical Address
« Reply #1 on: January 03, 2025, 08:57:17 PM »
Hi Philippe,

You could try to search the net to look for Iczelion's Portable Executable Tutorial in asm.
Code it... That's all...

Offline HellOfMice

  • Member
  • *
  • Posts: 362
  • Never be pleased, always improve
Re: RVA / Physical Address
« Reply #2 on: January 03, 2025, 09:03:11 PM »
Hi Vortex,

Iczelion has 32-bit code; mine is 64-bit code.
I had enough problems with structures that were supposed to be for 64 bits but in the end were for 32 bits!
I will take a look.
On the MASM64 forum there is nothing on that point, nor in the POASM forum where you are a Moderator.

Thank You Eroll

Philippe
--------------------------------
Kenavo

Offline TimoVJL

  • Global Moderator
  • Member
  • *****
  • Posts: 2216
« Last Edit: January 04, 2025, 05:10:19 AM by TimoVJL »
May the source be with you

Offline HellOfMice

  • Member
  • *
  • Posts: 362
  • Never be pleased, always improve
Re: RVA / Physical Address
« Reply #4 on: January 04, 2025, 05:37:04 AM »
Thank Timo,


I already have it, but when I try to make it in ASM what I do is wrong, FALSE.
That is the reason I want to understand. Copying what others did is too easy.


But I think you rewrote the source; in fact my problem must be that I don't give the good RVA.
In my program what I display is good, but only Virtual.


I will work with what you did.


Thank You very much.


Philippe
--------------------------------
Kenavo

Offline Vortex

  • Member
  • *
  • Posts: 976
    • http://www.vortex.masmcode.com
Re: RVA / Physical Address
« Reply #5 on: January 05, 2025, 10:24:31 AM »
Hi Philippe,

Here are some PE structures adapted for Poasm 64-bit :

Code:
  ; Number of IMAGE_DATA_DIRECTORY entries in the optional header (fixed at 16 by the PE format);
  ; IMAGE_OPTIONAL_HEADER64 below refers to it, so it must be defined before the structures.
  IMAGE_NUMBEROF_DIRECTORY_ENTRIES EQU 16

  IMAGE_DOS_HEADER STRUCT
    e_magic           WORD      ?
    e_cblp            WORD      ?
    e_cp              WORD      ?
    e_crlc            WORD      ?
    e_cparhdr         WORD      ?
    e_minalloc        WORD      ?
    e_maxalloc        WORD      ?
    e_ss              WORD      ?
    e_sp              WORD      ?
    e_csum            WORD      ?
    e_ip              WORD      ?
    e_cs              WORD      ?
    e_lfarlc          WORD      ?
    e_ovno            WORD      ?
    e_res             WORD   4 dup(?)
    e_oemid           WORD      ?
    e_oeminfo         WORD      ?
    e_res2            WORD  10 dup(?)
    e_lfanew          DWORD      ?
  IMAGE_DOS_HEADER ENDS


  IMAGE_FILE_HEADER STRUCT
    Machine               WORD    ?
    NumberOfSections      WORD    ?
    TimeDateStamp         DWORD   ?
    PointerToSymbolTable  DWORD   ?
    NumberOfSymbols       DWORD   ?
    SizeOfOptionalHeader  WORD    ?
    Characteristics       WORD    ?
  IMAGE_FILE_HEADER ENDS


  IMAGE_DATA_DIRECTORY STRUCT
    VirtualAddress    DWORD      ?
    isize             DWORD      ?
  IMAGE_DATA_DIRECTORY ENDS

  IMAGE_OPTIONAL_HEADER64 STRUCT
    Magic                         WORD       ?
    MajorLinkerVersion            BYTE       ?
    MinorLinkerVersion            BYTE       ?
    SizeOfCode                    DWORD      ?
    SizeOfInitializedData         DWORD      ?
    SizeOfUninitializedData       DWORD      ?
    AddressOfEntryPoint           DWORD      ?
    BaseOfCode                    DWORD      ?
    ImageBase                     QWORD      ?
    SectionAlignment              DWORD      ?
    FileAlignment                 DWORD      ?
    MajorOperatingSystemVersion   WORD       ?
    MinorOperatingSystemVersion   WORD       ?
    MajorImageVersion             WORD       ?
    MinorImageVersion             WORD       ?
    MajorSubsystemVersion         WORD       ?
    MinorSubsystemVersion         WORD       ?
    Win32VersionValue             DWORD      ?
    SizeOfImage                   DWORD      ?
    SizeOfHeaders                 DWORD      ?
    CheckSum                      DWORD      ?
    Subsystem                     WORD       ?
    DllCharacteristics            WORD       ?
    SizeOfStackReserve            QWORD      ?
    SizeOfStackCommit             QWORD      ?
    SizeOfHeapReserve             QWORD      ?
    SizeOfHeapCommit              QWORD      ?
    LoaderFlags                   DWORD      ?
    NumberOfRvaAndSizes           DWORD      ?
    DataDirectory                 IMAGE_DATA_DIRECTORY IMAGE_NUMBEROF_DIRECTORY_ENTRIES dup(<>)
  IMAGE_OPTIONAL_HEADER64 ENDS


  IMAGE_NT_HEADERS64 STRUCT
    Signature         DWORD                   ?
    FileHeader        IMAGE_FILE_HEADER       <>
    OptionalHeader    IMAGE_OPTIONAL_HEADER64 <>
  IMAGE_NT_HEADERS64 ENDS


  IMAGE_EXPORT_DIRECTORY STRUCT
    Characteristics           DWORD      ?
    TimeDateStamp             DWORD      ?
    MajorVersion              WORD       ?
    MinorVersion              WORD       ?
    nName                     DWORD      ?
    nBase                     DWORD      ?
    NumberOfFunctions         DWORD      ?
    NumberOfNames             DWORD      ?
    AddressOfFunctions        DWORD      ?
    AddressOfNames            DWORD      ?
    AddressOfNameOrdinals     DWORD      ?
  IMAGE_EXPORT_DIRECTORY ENDS
Code it... That's all...

Offline HellOfMice

  • Member
  • *
  • Posts: 362
  • Never be pleased, always improve
Re: RVA / Physical Address
« Reply #6 on: January 05, 2025, 10:51:04 AM »
Hi Vortex,

I have read the file and the data are good.

https://www.mediafire.com/file/btps66gkfpg8kk4/Debug.7z/file

This link will show you my data compared with POPE and one of Timo's programs.

My problem is computing the file offset.

The program is loaded in memory with MapViewOfFile.

I computed some data by hand to verify I had understood.

Here are notes I took:

Search for IMAGE DATA DIRECTORY entries

Do not process those whose VirtualAddress AND Size entries are both 0.
VirtualAddress can be 0 and Size > 0
On the other hand VirtualAddress > 0 and Size = 0 => Error

IMAGE_IMPORT_DIRECTORY is the last 16 element structure of IMAGE_OPTIONAL_HEADER
Immediately after the IMAGE_OPTIONAL_HEADER is the sections table (Multiple IMAGE_SECTION_HEADER)

In the IMAGE_DATA_DIRECTORY table there are entries which are also in the sections table.
On the other hand, in the sections table not all the entries are found in the directories table

Find an IMAGE_DATA_DIRECTORY entry in IMAGE_SECTION_HEADER

For example, search DataDirectory[BaseRelocationTable (5)] among the list of sections.

We take DataDirectory[BaseRelocationTable (5)].VirtualAddress and compare with

IMAGE_SECTION_HEADER.VirtualAddress. If the two values match,
we can calculate the address in memory.

File loaded at address 0x0000000003390000

RVA - Virtual Offset + Raw Offset

The RVA is 65000 (Virtual Addr)
The VirtualOffset is 5FC00 (Ptr Raw Data)
RawOffset is 644 (VirtualSize)

So the offset is 65000 - 5FC00 + 644
=> (0x65000 - 0x5FC00) + 0x644
=> (0x5400) + 0x644
=> 0x5400 + 0x644
=> 0x5A44

That's all, but I would accept help for understanding, not source code.
I don't want to make it in C, only assembly x64.

Copying what another did doesn't help to understand.

Thank You and Good day.

Philippe
--------------------------------
Kenavo
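The conversion the thread is circling around, as an added example that is not code from any poster: find the section whose virtual range contains the RVA, then `offset = rva - section.VirtualAddress + section.PointerToRawData`. It is written in C (the language HellOfMice mentioned reading) with the real 40-byte IMAGE_SECTION_HEADER layout; the section table is constructed, reusing the `.reloc` figures from reply #6 (VirtualAddress 0x65000, PointerToRawData 0x5FC00, VirtualSize 0x644) next to two hypothetical sections, and `NO_FILE_OFFSET` is an assumed sentinel for RVAs that have no bytes on disk.

```c
#include <stdint.h>
#include <stddef.h>

/* On-disk layout of IMAGE_SECTION_HEADER (40 bytes), field names as in winnt.h. */
typedef struct {
    uint8_t  Name[8];
    uint32_t VirtualSize;        /* Misc.VirtualSize: bytes mapped in memory */
    uint32_t VirtualAddress;     /* RVA at which the section is mapped */
    uint32_t SizeOfRawData;      /* bytes actually present in the file */
    uint32_t PointerToRawData;   /* file offset of those bytes */
    uint32_t PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics;
} SectionHeader;

#define NO_FILE_OFFSET 0xFFFFFFFFu   /* assumed sentinel: RVA has no bytes on disk */

/* RVA -> file offset. The headers (below the first section) are mapped 1:1,
 * so their RVA is already a file offset. Inside a section the delta from the
 * section's VirtualAddress is added to PointerToRawData, but only if that
 * delta lies inside SizeOfRawData: the tail of a section whose VirtualSize
 * exceeds SizeOfRawData (e.g. .bss) exists in memory only. */
uint32_t rva_to_file_offset(const SectionHeader *s, size_t n, uint32_t rva)
{
    if (n > 0 && rva < s[0].VirtualAddress)
        return rva;                                   /* inside the headers */
    for (size_t i = 0; i < n; i++) {
        uint32_t va   = s[i].VirtualAddress;
        uint32_t span = s[i].VirtualSize > s[i].SizeOfRawData
                      ? s[i].VirtualSize : s[i].SizeOfRawData;
        if (rva >= va && rva < va + span) {
            uint32_t delta = rva - va;
            if (delta >= s[i].SizeOfRawData)
                return NO_FILE_OFFSET;                /* virtual-only tail */
            return delta + s[i].PointerToRawData;
        }
    }
    return NO_FILE_OFFSET;                            /* not in any section */
}

/* Constructed section table: .reloc uses the figures from reply #6, the
 * other two sections are hypothetical but laid out with consistent offsets. */
static const SectionHeader g_sections[] = {
    /* Name      VSize    VA       RawSize  RawPtr   rel lin nrel nlin Characteristics */
    { ".text",  0x5E000, 0x1000,  0x5E000, 0x400,   0,  0,  0,   0,   0x60000020 },
    { ".data",  0x6000,  0x5F000, 0x1800,  0x5E400, 0,  0,  0,   0,   0xC0000040 },
    { ".reloc", 0x644,   0x65000, 0x800,   0x5FC00, 0,  0,  0,   0,   0x42000040 },
};
#define NUM_SECTIONS (sizeof g_sections / sizeof g_sections[0])
```

With these values the base relocation directory RVA 0x65000 lands at file offset 0x5FC00, i.e. the start of `.reloc`'s raw data, and an RVA in `.data` beyond its 0x1800 raw bytes yields `NO_FILE_OFFSET`.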