Reputation: 5124
PE file section names
According to this article http://msdn.microsoft.com/en-us/library/ms809762.aspx?ppud=4
we can name the PE sections with custom names.
So in a PE file which its creator has replaced the sections names with his own names,
now if the ".pdata" section for example isn't called ".pdata" anymore so I can't find it by its name.
how can I find the ".pdata"?
Upvotes: 2
Views: 6010
Answers (1)
Reputation: 6324
Correct, according to the Windows Portable Executable specification and other source like the ones of Matt Pietrek, sections Names are made for the humans! Typically compilers set "standard" names for specific types of sections content (e.g. ".text" for code, etc..). But, these names are fully ignored by the loader. These sections names can be modified using different methods (using pragma or other tools e.g Peid, etc..). The section of interest (.pdata) is associated the IMAGE_DIRECTORY_ENTRY_EXCEPTION directory.
To find the .pdata section (which is BTW an indicator that the image is 64bit) when it has been renamed, all you need to do is to search for the IMAGE_DIRECTORY_ENTRY_EXCEPTION directory, and based on its content, retrieve the section it is located in (as you can do for all directories).
Upvotes: 3
Related Questions
- What is the image base (in windows PE files)
- I am confused about PE file relocations
- What is the relationship between sections and data directories in a PE file?
- Names of PE directories
- PE file - what's missing?
- How to determine and find resource section in PE file?
- PE File Format Section Add On
- What are the effects of the PE header "subsystem" field?
- About the code section of PE format
- About the entry point of PE in Windows