Question
In http://en.redinskala.com/finding-the-ep/ there is information about how to find the file offset of the entry point in an exe-file.
Here I can read that
EP (File) = AddressOfEntryPoint – BaseOfCode + .text[PointerToRawData] + FileAlignment
However, when I have been calculating this myself (I used a couple of different exe files) I have come to the conclusion that
Offset of entry point in EXE file = AddressOfEntryPoint + .text[PointerToRawData] - .text[VirtualAddress]
Where AddressOfEntryPoint is fetched from IMAGE_OPTIONAL_HEADER and the other two values from the IMAGE_SECTION_HEADER.
Is the information on that web page false? Adding FileAlignment like they do just seems wrong, it does not make sense. Or does it? A file alignment suggests that I should use modulo or something to compute a value. If BaseOfCode and FileAlignment are the same value (mostly they are), it would not disturb adding them to the calculation, but how would it make sense?
Answer 1:
Correct, you don't need to use the FileAlignment value at all.
The algorithm should be something like the following (very similar to yours):
- Get AddressOfEntryPoint from IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint (this is a VA).
- Search in which section header this VA resides (usually the 1st one, but you should really search in all section headers).
- Once you have the right section header, get its VirtualAddress and PointerToRawData fields.
- Subtract VirtualAddress from AddressOfEntryPoint: you now have a "delta".
- As exactly the same delta applies to offsets, add "delta" to PointerToRawData.
You simply don't need FileAlignment because the section in which the entry point lies is already aligned on that value.
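The steps from the answer, as an added Python example that is not part of the original post: it walks every section header, applies the delta to PointerToRawData, and rejects an entry point that has no bytes on disk. The function names and the header bytes (two sections, .text listed second, FileAlignment 0x200) are constructed for the demonstration.

```python
import struct

def entry_point_file_offset(data: bytes) -> int:
    """Map AddressOfEntryPoint to a file offset using the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                       # start of IMAGE_OPTIONAL_HEADER
    (entry,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    table = opt + opt_size                    # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<4I", data, table + 40 * i + 8)
        if vaddr <= entry < vaddr + max(vsize, raw_size):
            delta = entry - vaddr
            if delta >= raw_size:             # virtual-only tail of the section
                raise ValueError("entry point has no bytes on disk")
            return raw_ptr + delta            # FileAlignment is never needed
    raise ValueError("entry point is outside every section")

def build_sample_headers() -> bytes:
    """Constructed PE32 headers (no section bodies), for the demo only."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)     # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x3010)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 20, 0x3000)   # BaseOfCode
    struct.pack_into("<I", opt, 36, 0x200)    # FileAlignment

    def section(name, vsize, vaddr, raw_size, raw_ptr):
        return struct.pack("<8s4I", name, vsize, vaddr, raw_size, raw_ptr) + bytes(16)

    return (dos + coff + bytes(opt)
            + section(b".data", 0x200, 0x1000, 0x200, 0x400)
            + section(b".text", 0x150, 0x3000, 0x200, 0x600))

if __name__ == "__main__":
    print(hex(entry_point_file_offset(build_sample_headers())))
```

On this sample the section-table calculation gives 0x610, while the web page's formula with FileAlignment added would give 0x810, which is past the start of the code by one full alignment unit.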
Source: https://stackoverflow.com/questions/33724306/calculating-the-file-offset-of-a-entry-point-in-a-pe-file