Reputation: 141
How to get the address of a resource data entry from the resource table in a Windows executable?
I'm trying to familiarize myself with the resource table in the PE format, and I think I've gotten the hang of it except that the rva of data entry leaf node in the resource tree is supposed to point to the start of the resource data, but it's not.
In the image posted below (from 010 hex editor), a resource data entry is selected. As you see in the image, 0x28AF0 is the actual address of the resource data, but the value of DataRVA is 0x2BEF0, which actually exceeds the size of the file. The last byte of the DataRVA and actual address matches for this data and others in the resource table, so I think they're connected, but the difference between them (0x3400) is not consistent across the resource table. So how is the actual address gotten?
Happy to provide PE header information or the executable itself if requested.
Upvotes: 0
Views: 20
Answers (1)
Reputation: 141
I had to debug an open-source PE analyzer to find out how it's calculated. The formula is:
Offset (actual address) = DataRVA - Section.VirtualAddress + Section.PointerToRawData
where Section.VirtualAddress <= DataRVA < (Section.VirtualAddress + Section.VirtualSize).
Upvotes: 0
Related Questions
- In a Windows PE file, what happens when 2 sections have the same raw address?
- Find address in x64 executable from memory address
- Manually sign a PE file
- VA (Virtual Address) & RVA (Relative Virtual Address)
- ResourceEntries RVAs of a Resource Table need relocation upon copying it to a different image/PE?
- Executable Section Headers - Meaning and use?
- How to find a (PE)Executable entry point in RAW memory?
- How to find offset of Dword where Address Of entry point of an executable is stored