I need byte size, IMAGE_OPTIONAL_HEADER.SizeOfImage appears to be rounded up to (unsure) boundary and is greater than real file size.
If the PE file has information outside of any section (like an installer) and is digitally signed, you can calculate the total size by summing VirtualAddress and Size of IMAGE_OPTIONAL_HEADER::DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY] .
Every PE file starts with a 64-bytes-long structure called the DOS header, it's what makes the PE file an MS-DOS executable.
The Portable Executable (PE) format is a file format for executables, object code, DLLs and others used in 32-bit and 64-bit versions of Windows operating systems. The PE format is a data structure that encapsulates the information necessary for the Windows OS loader to manage the wrapped executable code.
This info is located in the PE header. To view it, you can open it with a PE explorer such as the NTCore CFF Explorer and open the Characterics field of the file header, where you can find whether it is a DLL or executable.
IMAGE_OPTIONAL_HEADER.SizeOfImage
is the size of the loaded executable/dll in virtual memory.
It is not the same as the size on disk.
You can calculate it with VirtualAddress + VirtualSize
of the last section.
IMAGE_OPTIONAL_HEADER.SizeOfImage
is that value rounded up to the value of IMAGE_OPTIONAL_HEADER.SectionAlignment
(usually the same as the page size).
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With