Reputation: 765
Why is sometimes .data section virtual size bigger than raw size?
Recently I found out, that .data section in PE can have virtual size bigger than raw size (in file). This is quite suprising. Some people say that this is an effect of uninitialized data somewhere.
But after analyzing some PE, I can't really find this extra data. Here is link to PEDump results of some program:
As you can see, .data section has bigger virtual size than raw size. Why is it like this in this particular example?
Upvotes: 3
Views: 5759
Answers (1)
Reputation: 7479
Values for any initialized data is stored in the section, if the binary wants to reserve space in memory for any uninitialized data, then the virtual size will be larger than the raw data size.
You won't find this data in the file, because it doesn't need to be there. The addresses that reference the data (in the code section) are baked into the binary so that they will point to the correct location when it is loaded into memory.
If the loader didn't reserve this space up front, then globals, etc. would have to be allocated on the heap before they could be used.
From the PE spec:
[SizeOfRawData is the] size of the section (for object files) or the size of the initialized data on disk (for image files). For executable images, this must be a multiple of FileAlignment from the optional header. If this is less than VirtualSize, the remainder of the section is zero-filled. Because the SizeOfRawData field is rounded but the VirtualSize field is not, it is possible for SizeOfRawData to be greater than VirtualSize as well. When a section contains only uninitialized data, this field should be zero.
Edit: Respond to the question about the SizeOfUninitializedData.
The SizeOfUninitializedData field in the Optional Header is just the size of the .bss section (or the sum of them if there are multiple). Your binary didn't have a separate section for that data, so it was zero. Since sections are aligned on specific boundaries, it may be more efficient to save some space at the end of an existing section than to use a separate one.
Upvotes: 1
Related Questions
- How can a windows executable be of only 128 bytes
- How can an executable be this small in file size?
- PE: Relation between SizeOfRawData and VirtualSize fields of the section header
- In a windows pe(exe,sys,dll etc) file how is the size of initialized data calculated
- PE File sections - SizeOfRawData or VirtualSize
- In a compressed PE must the virtual size of the data section match the raw size?
- Data in the data section of an exe
- The size of a PE Header
- How can a program have a high virtual byte count while the private bytes are relatively low on Windows 32-bit?
- file size c is different than the size data string's size