6

In this article, the definitions are

DWORD VirtualAddress

In EXEs, this field holds the RVA to where the loader should map the section. To calculate the real starting address of a given section in memory, add the base address of the image to the section's VirtualAddress stored in this field.

DWORD PointerToRawData

This is the file-based offset of where the raw data emitted by the compiler or assembler can be found. If your program memory maps a PE or COFF file itself (rather than letting the operating system load it), this field is more important than the VirtualAddress field. You'll have a completely linear file mapping in this situation, so you'll find the data for the sections at this offset, rather than at the RVA specified in the VirtualAddress field

Also RVA is defined as

Many fields in PE files are specified in terms of RVAs. An RVA is simply the offset of some item, relative to where the file is memory-mapped

and

To convert an RVA into a usable pointer, simply add the RVA to the base address of the module. The base address is the starting address of a memory-mapped EXE or DLL

The problem in hand is to reach the import section of a PE file. 

hFile = CreateFile(..);
hFileMapping = CreateFileMapping(..);
lpFileBase = MapViewOfFile(..);
ImageBase = (PIMAGE_DOS_HEADER)lpFileBase;
PEHeader = (ImageBase + ImageBase->e_lfanew);

Now to get hold of import table

PIMAGE_OPTIONAL_HEADER PEImageOptionalHeader = &(PEHeader->OptionalHeader);
IMAGE_DATA_DIRECTORY importTable = PEImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];

Since importTable.VirtualAddress is an RVA, to get a usable pointer, i can add the base of the image file.

So ImageBase + importTable.virtualAddress should get me to import section.But it does not.Why?

Then, if i reach at the correct section header(generally .idata) and do this.

ImageBase + pointerToSection->PointerToRawData;

The above correctly takes me to array of IMAGE_IMPORT_DESCRIPTORS.I understand that using pointerToSection->virtualAddress instead of PointerToRawData above, would not work as i am mapping the PE file myself.

Now to get the name of the item, the loaded module is dependent on,I can use pointer to IMAGE_IMPORT_DESCRIPTORS using the field name which is again anRVA.To convert an RVA, i just have to add the ImageBase..

 LPSTR libname = (PCHAR)((DWORD)ImageBase+ImageimportDescriptor->Name);

But it does not work.Why?To convert an RVA, we simply add base address of image.The below works

ImageBase+ImageimportDescriptor->Name + pointerToSection->PointerToRawData - pointerToSection->virtualAddress

And every time i need some info within a section, i need to make this adjustment

pointerToSection->PointerToRawData - pointerToSection->virtualAddress

Why is this adjustment required?

Gaurav Sehgal
  • 7,422
  • 2
  • 18
  • 34
  • at first in `CreateFileMapping` are you use `SEC_IMAGE` flag ? section can be mapped as image and in plain mode. depend on this need use `VirtualAddress` or `PointerToRawData`. then `ImageBase + ImageBase->e_lfanew` really ? if `ImageBase` defined as `PIMAGE_DOS_HEADER` this is of course error. `(DWORD)ImageBase` - again huge mistake. need `(DWORD_PTR)ImageBase` use – RbMm Jul 20 '17 at 11:15
  • `But it does not work.Why ?` all is great worked when code is correct. – RbMm Jul 20 '17 at 11:15
  • @RbMm I am not using the `SEC_IMAGE` flag.I'll read more about that.And why `ImageBase + ImageBase->e_lfanew` is an error.The exact code is `PIMAGE_NT_HEADERS PEHeader =(PIMAGE_NT_HEADERS)((DWORD)ImageBase+ImageBase->e_lfanew);`What is wrong in this? – Gaurav Sehgal Jul 20 '17 at 11:35
  • `(DWORD)ImageBase` - truncated pointer (which 8 byte on x64) to 4 bytes - error. and if `ImageBase` is defined as `PIMAGE_DOS_HEADER` - simply pointer arithmetic. if you not use `SEC_IMAGE` - section mapped in plain mode. you can not direct use RVA but first convert it to offset. and you want direct parse pe sections/data or use system api for this ? – RbMm Jul 20 '17 at 11:40
  • Suppose i have `ImageBase` as `PIMAGE_DOS_HEADER`.Then how can i get to the `PIMAGE_NT_Headers` ?I am directly parsing it. – Gaurav Sehgal Jul 20 '17 at 11:46
  • `(PBYTE)ImageBase + ImageBase->e_lfanew` or `(DWORD_PTR)ImageBase + ImageBase->e_lfanew` or `RtlImageNtHeader(ImageBase)`. for convert RVA to offset you for example can use `RtlAddressInSectionTable` – RbMm Jul 20 '17 at 11:52

2 Answers2

7

First, this line: 

PEHeader = (ImageBase + ImageBase->e_lfanew);

Is incorrect. ImageBase is of type PIMAGE_DOS_HEADERS so when you add to it ImageBase->e_lfanew, which is a DWORD you are doing pointer arithmetic, that is, you are adding to ImageBase as many bytes as (ImageBase->e_lfanew)*sizeof(IMAGE_DOS_HEADERS) which is not what you want. What you want is to advance ImageBase->e_lfanew bytes form the place ImageBase points to. You achieve this by doing the following:

PIMAGE_NT_HEADERS PEheader = (PIMAGE_NT_HEADERS) ((PBYTE)(ImageBase) + dosHeader->e_lfanew);

Notice the cast to PBYTE, this makes the operation advance byte by byte.

This is very common when dealing with PE file since many times you want to advance n bytes from a pointer and not n data structure the pointer points to. In the article you refered to it even says in a comment:

// Ignoring typecasts and pointer conversion issues for clarity...
pNTHeader = dosHeader + dosHeader->e_lfanew;

Now to your question about VirtualAddress and PointerToRawData:

The line ImageBase + importTable.virtualAddress is also incorrect for the following reason:

The PE Loader doesn't map all the executable file continuously in memory like you do in your file mapping, it maps each section at its corresponding VirtualAddress. In the latter situation, to get a VA from an RVA you just add the ImageBase to the RVA and it works, because the file on disk is meant to be a representation of what the PE loader maps in memory. However, since you are not mapping each sections where the PE loader would map them, adding the ImageBase to an RVA like you did doesn't work.

You need a function that given an RVA, gives you the file offset corresponding to that RVA in the file on disk. to get a VA you just need to add this file offset to the byte pointer that points to your mapped file.

Whenever you have an RVA (like the RVA to the import section, or to a name string or whatever), in order to access it you must do the following.

PBYTE actualAddress = (PBYTE) (lpFileBase + RVAtoFileOffset(pNTHeader, RVA))

Here is the function: I posted it on pastebin because I can't manage to format it correctly here.

Here is how it works: When you have an RVA, that RVA must lie within a section, so you traverse all section headers (which are right after the optional header) and whe you find the section where the RVA lies in, you calculate the offset of that RVA within that section RVA - VirtualAddress and add it to the PointerToRawData of that section, now you have the file offset of the RVA. If the RVA is invalid (it doesn't lie within any section), the function returns 0.

You need to do this in order to access the import directory or the name of each import descriptor, since what you have are RVAs.

I hope I have helped.

Mihai
  • 509
  • 5
  • 14
  • 1
    if we add that value (rva - virtual address) to PointerToRawData, then PointerToRawData is basically the first byte of the section? – Trey Jun 02 '20 at 14:43
  • 1
    @Trey yes, PointerToRawData is the offset within the file of the first byte in a section. That first byte will end up being mapped at the VA (VA = RVA+ImageBase). – Mihai Jun 02 '20 at 22:53
1

Once we have valid PE/NT header address we can directly jump to first section:

PIMAGE_SECTION_HEADER sectionHeader;
sectionHeader = IMAGE_FIRST_SECTION(peHeader);

Also we can find name of section by masking 

sectionHeader->Characteristics
Nishikant Mokashi
  • 161
  • 1
  • 7