| View previous topic :: View next topic |
| Author |
Message |
oib111
I post too much
 Reputation: 0
Joined: 02 Apr 2007
Posts: 2947
Location: you wanna know why?
|
 Posted: Tue Jul 22, 2008 11:11 pm Post subject: SizeOfHeaders |
 |
|
I'm reading Iczelion's PE Tutorial and I'm at the section table. And he says the steps to walking the section table are as follows:
| Quote: |
1. Verify that the file is a valid PE
2. Go to the beginning of the PE header
3. Obtain the number of sections from NumberOfSections field in the file header.
4. Go to the section table either by adding ImageBase to SizeOfHeaders or by adding the address of the PE header to the size of the PE header. (The section table immediately follows the PE header). If you don't use file mapping, you need to move the file pointer to the section table using SetFilePointer. The file offset of the section table is in SizeOfHeaders.(SizeOfHeaders is a member of IMAGE_OPTIONAL_HEADER)
5. Process each IMAGE_SECTION_HEADER structure.
|
The definitions for ImageBase and SizeOfHeaders are:
| Quote: |
It's the preferred load address for the PE file.
The size of all headers+section table. In short, this value is equal to the file size minus the combined size of all sections in the file. You can also use this value as the file offset of the first section in the PE file.
|
Ok, so my question is, if SizeOfHeaders is the size of all the headers+the section table. Then its size of the whole PE file, right? So how is it the size of the file minus the size of the section table? So if you use his method in step 4, wouldn't you end up somewhere totally different than the section table?
_________________
| 8D wrote: |
cigs dont make people high, which weed does, which causes them to do bad stuff. like killing |
|
|
| Back to top |
|
 |
samuri25404
Grandmaster Cheater
 Reputation: 7
Joined: 04 May 2007
Posts: 955
Location: Why do you care?
|
| Posted: Tue Jul 22, 2008 11:18 pm Post subject: |
|
|
It's not the file size minus the size of the section table, it's the size of the file minus the size of the combined sections (basically the actual file itself).
| Code: |
File
PE Header
..
Section Table
..
.idata
.edata
.reloc
..
|
The order is probably off, but whatever; it's simple arithmetic.
Basically, in this, the size of the header would be
| Code: |
FileSize - (sizeof(idata) + sizeof(edata) + sizeof(reloc));
|
_________________
|
|
| Back to top |
|
|
oib111
I post too much
Reputation: 0
Joined: 02 Apr 2007
Posts: 2947
Location: you wanna know why?
|
| Posted: Tue Jul 22, 2008 11:30 pm Post subject: |
|
|
Oh ok. I guess he made a typo.
_________________
| 8D wrote: |
cigs dont make people high, which weed does, which causes them to do bad stuff. like killing |
|
|
| Back to top |
|
|
samuri25404
Grandmaster Cheater
Reputation: 7
Joined: 04 May 2007
Posts: 955
Location: Why do you care?
|
| Posted: Tue Jul 22, 2008 11:35 pm Post subject: |
|
|
| oib111 wrote: | | Oh ok. I guess he made a typo. |
More like you read it wrong.
I reread both quotes a number of times, and both are perfectly fine. You just made a little 'whoopsie' with reading, I'm betting.
_________________
|
|
| Back to top |
|
|
DoomsDay
Grandmaster Cheater
 Reputation: 0
Joined: 06 Jan 2007
Posts: 768
Location: %HomePath%
|
| Posted: Tue Jul 22, 2008 11:51 pm Post subject: |
|
|
| Suggestion: use SizeOfOptionalHeader as a pointer (add it to the optional header's offset, which begins with the MagicNumber value).
|
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
