Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Calculating the file offset of a entry point in a PE file

Tags:

windows

assembly

portable-executable

In

http://en.redinskala.com/finding-the-ep/

there is information about how to find the file offset of the entry point in a exe-file.

Here I can read that

EP (File) = AddressOfEntryPoint – BaseOfCode + .text[PointerToRawData] + FileAlignment

However, when I have been calculating this myself (I used a couple of different exe files) I have came to the conclusion that

Offset of entry point in EXE file = AddressOfEntryPoint + .text[PointerToRawData] - .text[VirtualAddress]

Where AddressOfEntryPoint is fetched from IMAGE_OPTIONAL_HEADER and the other two values from the IMAGE_SECTION_HEADER.

Is the information on that web page false? Adding FileAlignment like they do just seems wrong, it does not make sense. Or does it? A file alignment suggests that I should use modulo or something to compute a value. If BaseOfCode and FileAlignment is the same value (mostly they are), it would not disturb adding them to the calculation, but how would it make sense?

like image 547
Anders Lindén Avatar asked Nov 15 '15 19:11

Anders Lindén

People also ask

How do I find the entry point of a PE file?

The entry point is given by AddressOfEntryPoint in the PE header, which gives you the virtual address of the entry point.

What is the file signature of a PE file?

Signature (Image Only) After the MS-DOS stub, at the file offset specified at offset 0x3c, is a 4-byte signature that identifies the file as a PE format image file. This signature is "PE\0\0" (the letters "P" and "E" followed by two null bytes).

How many sections are possible in a PE file?

The PE file format has eleven predefined sections, as is common to applications for Windows NT, but each application can define its own unique sections for code and data.

1 Answers

Correct, you don't need to use the FileAlignment value at all.

The algorithm should be something like as follow (very similar to yours):

  • Get AddressOfEntryPoint from IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint (this is a VA)
  • Search in which section header this VA resides (usually the 1st one, but you should really search in all section headers).
  • Once you have the right section header, get its VirtualAddress and PointerToRawData fields.
  • Subtract VirtualAddress from AddressOfEntryPoint: you now have a "delta"
  • As the exactly same delta applies to offsets, then: add "delta" to PointerToRawData.

You simply don't need FileAlignment because the section in which the entry point lies is already aligned on that value.

like image 69
Neitsa Avatar answered Sep 23 '22 02:09

Neitsa
Sign in to Comment

Related questions

CUDA kernel as member function of a class
fgetpos() behaviour depends on newline character
How to switch current user using powershell?
undefined reference to `JNI_CreateJavaVM' windows
Outline-offset does not get applied on Chrome/ Windows when outline-style is auto
Open process with debug privileges and read/write memory
How to keep remote powershell command alive after session end?
Haskell list drives in Windows
MongoDB 2.4.8 capped collection and tailable cursor consuming all memory
os.listdir is removing character accent
How to adjust %PATH% for dynamically loaded native dlls?
Windows 7 touch screen - disabling multi-touch gesture not working
CRAN finds an warning that R CMD check --as-cran does not
How do I do a "word count" command in Windows Command Prompt
Inno Setup always installs into admin's AppData directory
I cannot use the msg command in cmd (or batch for that matter). How can I fix this?
Elevate NodeJS/Electron process on Windows
System tray/taskbar icon/notify icon with universal apps
Failed to Create Data Directory - Google Chrome Cannot Read and Write Its Data Directory - Cordova
"WindowsError: [Error 5] Access is denied" using urllib2

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!