从磁盘偏移量计算Win PE文件的任何部分的内存偏移量 [英] Calculating Memory offset of any Section of a Win PE File from Disk offset

问题描述

假设我有一个PE文件(例如Notepad.exe).假设将文件保存在硬盘中时，notepad.exe的.text部分位于0xabcdefgh偏移处.

Suppose I have a PE file(E.G. Notepad.exe). Suppose when the file is saved in hard-disk, the .text section of notepad.exe is at 0xabcdefgh offset.

因此，当相同的可执行文件(notepad.exe)在其执行时被加载到内存中时，如何计算/预测 .text 节的偏移量执行，假设未启用ASLR?

So, how can I calculate/predict the offset of .text section when the same executable (notepad.exe) will be loaded into memory at the time of its execution, assuming ASLR is not enabled?

预先感谢.

推荐答案

PE文件与位置无关.相反，它们具有首选的加载地址，并且如果OS无法(因为已经使用了地址空间，或者因为ASLR生效)无法将其加载到该地址中，则必须重新定位它.看到这里:

PE files are not position independent. Instead, they have a preferred load address, and if the OS is unable (because the address space is already used, or because ASLR is in effect) to load it in this address, it has to relocate it. See here:

http://en.wikipedia.org/wiki/Portable_Executable#Relocations

因此，如果未启用ASLR(地址空间布局随机化)，则应按标头中指定的首选装入地址指定的偏移量进行装入.对于DLL可能不是这种情况，但对于可执行文件应该如此.

So, if ASLR (Address Space Layout Randomization) is not enabled, it should load at the offset specified by the preferred load address specified in the header. This may not be the case for DLLs, but for executables it should be.

您可以在此处获取有关文件格式的更多信息:

You can get more info on the file format here:

http://www.wotsit.org/list.asp?fc=5

这篇关于从磁盘偏移量计算Win PE文件的任何部分的内存偏移量的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！