How can dumpbin read an export table when it appears to be at a file offset greater than the file itself?

I am writing a small PE reader, so I run dumpbin alongside my test application to make sure that the values are read correctly. Everything works so far, except for the export table.

The file I'm testing with is a DLL. My application reads the file as an array of bytes, which is passed to my PE reading class. The values align with the dumpbin output, including the RVA and size of the export data directory.

        E000 [     362] RVA [size] of Export Directory

The problem is that the size of the byte array is only 42,496. As you can imagine, when my PE reader tries to read E000 (57,344), I get an IndexOutOfRangeException. dumpbin, however, has no such problem and reads the export directory perfectly. And yes, the whole file is actually read into the array of bytes.

How is this possible?

+3
1 answer

The PE file contains "sections", and sections have independent base addresses. PE is not a continuous image of memory. Each section is a continuous image of memory.

. .

OllyDbg, Windows. , , , , , , " ".

dumpbin /all :

SECTION HEADER #1
   .text name
    BC14 virtual size
    1000 virtual address (00401000 to 0040CC13)
    BE00 size of raw data
     400 file pointer to raw data (00000400 to 0000C1FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         Execute Read

.text RVA 1000 RVA CE00. - 400. - RVAs 1000-CDFF 600. ( .)

, "RVA" ( ), ( ), :

  • , RVA. RVAs . .
  • RVA - .
  • PointerToRawData , (2). , RVA.

, , MapViewOfFileEx() FILE_MAP_EXECUTE, dwDesiredAccess. API PE " ".

- , PE-. DLL LoadLibrary() GetModuleInformation() function MODULEINFO member lpBaseOfDll.

MapViewOfFileEx() - MapViewOfFileEx().

RVA :

  • char *
  • RVA char *
  • char * .

, OS , , , , , , , .

+5
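An added example, not part of the original answer: a Python sketch of the section-table lookup that turns an RVA into an offset in a raw file buffer. The `.text` values are taken from the dumpbin output above; the `.edata` section layout, the 0xC600-byte file size and the helper names are constructed assumptions for the demo.

```python
import struct

SECTION = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes

def sections(data):
    """Yield (name, virtual_size, virtual_address, raw_size, raw_pointer)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (count,) = struct.unpack_from("<H", data, e_lfanew + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    for i in range(count):
        name, vsize, va, rsize, rptr, *_ = SECTION.unpack_from(data, table + i * SECTION.size)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rsize, rptr

def rva_to_offset(data, rva):
    """Translate an RVA to a file offset; header RVAs are not handled here."""
    for name, vsize, va, rsize, rptr in sections(data):
        if va <= rva < va + max(vsize, rsize):
            delta = rva - va
            # Bytes past SizeOfRawData exist only in memory (zero-filled by the loader).
            if delta >= rsize or rptr + delta >= len(data):
                raise ValueError(f"RVA {rva:#x} in {name} has no bytes in the file")
            return rptr + delta
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def build_sample():
    """Constructed image with headers only (not a loadable DLL)."""
    img = bytearray(0xC600)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)   # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x46, 2)      # NumberOfSections
    struct.pack_into("<H", img, 0x54, 0xE0)   # SizeOfOptionalHeader
    rows = [(b".text", 0xBC14, 0x1000, 0xBE00, 0x400),    # from the dumpbin output
            (b".edata", 0x362, 0xE000, 0x400, 0xC200)]    # constructed
    for i, (name, vs, va, rs, rp) in enumerate(rows):
        SECTION.pack_into(img, 0x138 + i * 40, name, vs, va, rs, rp, 0, 0, 0, 0, 0)
    return bytes(img)

if __name__ == "__main__":
    pe = build_sample()
    print(f"file size {len(pe):#x}, RVA 0xe000 -> offset {rva_to_offset(pe, 0xE000):#x}")
```

Indexing the byte array with the translated offset instead of the raw RVA is what avoids the out-of-range read described in the question.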

Source: https://habr.com/ru/post/1720139/

