Aspis
Reputation: 7
How to find .text section in PE file without PE headers
This is my code to get text section
section get_text_section(std::uintptr_t module)
{
section text_section = {};
PIMAGE_DOS_HEADER dosheader = reinterpret_cast<PIMAGE_DOS_HEADER>(module);
PIMAGE_NT_HEADERS nt_headers = reinterpret_cast<PIMAGE_NT_HEADERS>(module + dosheader->e_lfanew);
PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(nt_headers);
for (int i = 0; i < nt_headers->FileHeader.NumberOfSections; i++, section++)
{
std::string name(reinterpret_cast<char const*>(section->Name));
if (name != ".text")
continue;
void* address = reinterpret_cast<void*>(module + section->VirtualAddress);
text_section = { section->Name, address, crc32(address, section->Misc.VirtualSize) };
}
return text_section;
}
It requires the PE headers intact, but I am making dump-prevention measures which works my erasing the headers to prevent a valid dump from memory. How can I find the .text section using an alternative method?
Upvotes: 0
Views: 15
Answers (0)
Related Questions
- How to avoid reverse engineering of an APK file
- Getting .text section header of PE file
- Executable Section Headers - Meaning and use?
- Added pe executable section corrupting .text section
- Extracting .text section only from a PE file
- Understanding .text section of PE executable
- Python: Deleting a section from a PE file
- PE file section RVA calculation
- How to determine and find resource section in PE file?
- PE File .text Section Size