Kirk Sayre

Reputation: 21

In a Windows PE file, what happens when 2 sections have the same raw address?

I'm taking a look at a PE executable packed with UPX and the sections are laid out as follows:

UPX0: raw addr: 0x400, raw size: 0x0, virtual addr: 0x1000, virtual size: 0x6000

UPX1: raw addr: 0x400, raw size: 0xC00, virtual addr: 0x7000, virtual size: 0x1000

Section UPX0 has a raw size of zero and has the same raw address as UPX1. My question is, what data goes into section UPX0 when the PE executable is loaded into memory?

Based on other information I've read, the Windows loader pads a section with 0's when the virtual size is greater than the raw size of a section. Since the raw size of UPX0 is 0, does that mean that the entire section is initially filled with 0's when the executable is loaded? Or are virtual addresses 0x1000 - 0x1C00 (UPX0) filled with the same data as virtual addresses 0x7000 - 0x7C00 (UPX1) and addresses 0x1C01 - 0x6FFF (UPX0) padded with 0's? Or does something else happen?

Upvotes: 2

Views: 770

Answers (1)

winapiadmin

Reputation: 149

Source: @0xC0000022L

Your first assumption is right: in memory, the UPX0 section will be initialized with all zeros.

And because the UPX0 raw size is 0x0, it will be filled with 0x0 when loading, and UPX1 will have the data located in that location.

Upvotes: 1
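The mapping described in this answer, as an added example that is not part of the original post and not the Windows loader's own code: a simplified Python model that parses two constructed `IMAGE_SECTION_HEADER` entries with the question's values and copies only file-backed bytes into a zeroed image. The helper names, the 0xCC filler bytes and the 0x8000 image size are assumptions, and alignment rounding is ignored.

```python
import struct

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def make_header(name, vsize, vaddr, raw_size, raw_ptr):
    """Build one constructed section header (remaining fields left at 0)."""
    return SECTION_HEADER.pack(name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0)


def map_sections(file_bytes, section_table, image_size):
    """Simplified model of section mapping: copy raw data, zero-fill the rest."""
    image = bytearray(image_size)  # indexed by RVA; fresh pages start zeroed
    layout = {}
    for off in range(0, len(section_table), SECTION_HEADER.size):
        name, vsize, vaddr, raw_size, raw_ptr, *_ = SECTION_HEADER.unpack_from(
            section_table, off)
        # Only bytes backed by the file are copied. A raw size of 0 copies
        # nothing, whatever PointerToRawData says.
        n = min(raw_size, vsize)
        image[vaddr:vaddr + n] = file_bytes[raw_ptr:raw_ptr + n]
        layout[name.rstrip(b"\0").decode()] = (vaddr, vsize, n)
    return image, layout


def build_sample():
    """Constructed sample using the section layout from the question."""
    # 0x400 bytes of header area, then 0xC00 bytes standing in for UPX1 data.
    file_bytes = bytes(0x400) + bytes([0xCC]) * 0xC00
    table = (make_header(b"UPX0", 0x6000, 0x1000, 0x0, 0x400)
             + make_header(b"UPX1", 0x1000, 0x7000, 0xC00, 0x400))
    return map_sections(file_bytes, table, 0x8000)


if __name__ == "__main__":
    image, layout = build_sample()
    for name, (vaddr, vsize, copied) in layout.items():
        region = image[vaddr:vaddr + vsize]
        print(f"{name}: copied {copied:#x} bytes from file, "
              f"{region.count(0):#x} of {vsize:#x} bytes are zero")
```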
