Introduction to reverse commissioning - VA and RVA conversion in PE 04/07

Block characteristics ：

1、 Properties of memory pages

2、 The offset address of the section

3、 Section size

4、 Sections that are not mapped

A section is actually a combination of the same attribute data .

The relationship between file and memory mapping

Formula for

RVA It's a relative virtual address （RelativeVirtualAddress） Abbreviation .RVA When PE After the file is loaded into memory , The offset of a data location from the file header .

Reference article ：

      
      

       
       https://javajgs.com/archives/44114
      
      
      
      

       
       
1.
      
      

In practice , We often come across... That will be accessed in code snippets RVA convert to PA, In this case, you need to read ⽂ To do the corresponding conversion .

The conversion process

The conversion ⼀ The general steps are ：

1、 take exe⽂ Piece mapping ⼊ In the memory , Read Dos MZ Header, In this structure , We can get through e_lfanew To get NT⽂ The piece head is relative to Dos⽂ Offset of part head .

MZ Head

DOS The head is relative to PE Head offset

2、 Got it NT⽂ The address of the header ,NT⽂ The header contains two ⽂ Piece head ,⼀ Yes FILE⽂ Piece head ,⼀ Yes Optional Optional ⽂ Piece head , stay FILE⽂ In the header, we can read the number of segments , It's changing RVA At the address , We just need to get this amount .

The number of segments is 8

3、 take NT⽂ The piece head is followed by SECTION TABLE, This is the description header , In this paragraph description header , We ⼏ You can almost get the information of all the segments .

VritualAddress: This is ⼀ individual RVA Address , The meaning of representation is to tell PE Loader this segment exists in RVA The address is VritualAddress It's about

VA by 1000H

PointerToRawData: This is a ⼀ Physical offset addresses , tell PE The loader will physically ⽂ Piece offset PointerToRawData Data mapping at ⼊VritualAddress It's about

VirtualSize: Of this paragraph ⼤⼩

SizeOfRawData: The physics of this segment ⼤⼩. Due to alignment problems , So the ⼤⼩ Why not ⼩ On VirtualSize⼤⼩ Alignment of ⼤⼩ Integer multiple .

4. By traversing SECTION TABLE, Determine what to convert RVA Whether the address is in the... Of all segments RVA Address range . Of this paragraph RVA The scope is : VritualAddress + SizeOfRawData, More precisely, of course VirtualAddress + VirtualSize.

5. If it exists in the address range , Then we can use the RVA Address minus the... Of the segment VirtualAddress Calculate the offset relative to the segment

6. Add... To the offset PointerToRawData, You can work out the physical address .

The algorithm is complex .

We use OD Tools to analyze .

Let's look at the address 00400200

Sure enough, the address is code Code block for .