
How does a PE file get mapped into memory?

So I have been researching the PE format for the last couple days, and I still have a couple of questions:

  1. Does the data section get mapped into the process' memory, or does the program read it from the disk?

  2. If it does get mapped into its memory, how can the process acquire the offset of the section? (And other sections)

  3. Is there any way to get the entry point of a process that has already been mapped into the memory, without touching the file on disk?

user2073973 asked Mar 20 '23 18:03


1 Answer

Does the data section get mapped into the process' memory

Yes. That's unlikely to survive for very long, the program is apt to write to that section. Which triggers a copy-on-write page copy that gets the page backed by the paging file instead of the PE file.

how can the process acquire the offset of the section?

The linker already calculated the offsets of variables in the section. It might be relocated, common for DLLs that have an awkward base address that's already in use when the DLL gets loaded. In which case the relocation table in the PE file is used by the loader to patch the addresses in the code. The pages that contain such patched code get the same treatment as the data section, they are no longer backed by the PE file and cannot be shared between processes.

Is there any way to get the entry point of a process

The entire PE file gets mapped to memory, including its headers. So you can certainly read IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint from memory without reading the file. Do keep in mind that it is painful if you do this for another process since you don't have direct access to its virtual address space. You'd have to use ReadProcessMemory(), that's fairly little joy and unlikely to be faster than reading the file. The file is pretty likely to be present in the file system cache. The Address Space Layout Randomization feature is apt to give you a headache, designed to make it hard to do these kinds of things.

Hans Passant answered Mar 28 '23 06:03
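The header walk the answer describes, as an added example that is not part of the original answer: it reads AddressOfEntryPoint and a section's VirtualAddress from a buffer holding the mapped headers, with bounds checks on every field. In a live process that buffer would be the module base (for example the value GetModuleHandle returns) or bytes copied out with ReadProcessMemory; the function names are hypothetical and the sample header page is constructed so the code runs anywhere.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Bounds-checked little-endian read of n (<= 4) bytes at off; returns 0 if out of range. */
static int rd(const uint8_t *b, size_t len, size_t off, size_t n, uint32_t *out) {
    if (off > len || n > len - off) return 0;
    for (*out = 0; n-- > 0;) *out = (*out << 8) | b[off + n];
    return 1;
}
/* Offset of the NT headers inside a mapped image, or 0 if the headers are invalid. */
static size_t nt_offset(const uint8_t *b, size_t len) {
    uint32_t mz, lfanew, sig;
    if (!rd(b, len, 0, 2, &mz) || mz != 0x5A4D) return 0;         /* e_magic "MZ" */
    if (!rd(b, len, 0x3C, 4, &lfanew)) return 0;                  /* e_lfanew */
    if (!rd(b, len, lfanew, 4, &sig) || sig != 0x4550) return 0;  /* "PE\0\0" */
    return lfanew;
}
/* IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint: an RVA, add the load base for the VA. 0 on error. */
uint32_t pe_entry_rva(const uint8_t *b, size_t len) {
    size_t nt = nt_offset(b, len);
    uint32_t rva;
    return (nt && rd(b, len, nt + 24 + 16, 4, &rva)) ? rva : 0;
}
/* VirtualAddress (RVA) of the named section from the in-memory section table. 0 if not found. */
uint32_t pe_section_rva(const uint8_t *b, size_t len, const char *name) {
    size_t nt = nt_offset(b, len);
    uint32_t nsec, optsz, rva;
    if (!nt || !rd(b, len, nt + 6, 2, &nsec) || !rd(b, len, nt + 20, 2, &optsz)) return 0;
    for (uint32_t i = 0; i < nsec; i++) {                         /* 40-byte IMAGE_SECTION_HEADERs */
        size_t sh = nt + 24 + optsz + (size_t)i * 40;
        if (!rd(b, len, sh + 12, 4, &rva)) return 0;              /* also proves Name[8] is in range */
        if (strncmp((const char *)b + sh, name, 8) == 0) return rva;
    }
    return 0;
}
/* Constructed sample: the header page of a PE32+ image as it would sit at the module base. */
static uint8_t sample[0x200];
static void wr(size_t off, size_t n, uint32_t v) { while (n--) sample[off + n] = (uint8_t)(v >> (8 * n)); }
const uint8_t *build_sample(void) {
    memset(sample, 0, sizeof sample);
    wr(0, 2, 0x5A4D); wr(0x3C, 4, 0x80); wr(0x80, 4, 0x4550);    /* MZ, e_lfanew, PE signature */
    wr(0x86, 2, 2); wr(0x94, 2, 0xF0); wr(0x98, 2, 0x20B);       /* 2 sections, optional header size, magic */
    wr(0xA8, 4, 0x1234);                                          /* AddressOfEntryPoint (constructed) */
    memcpy(sample + 0x188, ".text", 5); wr(0x194, 4, 0x1000);
    memcpy(sample + 0x1B0, ".data", 5); wr(0x1BC, 4, 0x3000);
    return sample;
}
int main(void) {
    printf("entry RVA 0x%X, .data RVA 0x%X\n", pe_entry_rva(build_sample(), 0x200), pe_section_rva(build_sample(), 0x200, ".data"));
}
```

Both results are RVAs, so the address in a running process is the actual load base plus the value, which is what keeps the lookup valid under ASLR.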