计算文件中的PE文件的入口点偏移 [英] Calculating the file offset of a entry point in a PE file

问题描述

在

http://en.redinskala.com/finding-the-ep/

有关于如何找到文件中的一个exe文件的入口点的偏移信息。

there is information about how to find the file offset of the entry point in a exe-file.

在这里，我可以阅读

EP（文件）= AddressOfEntryPoint - BaseOf code +的.text [的PointerToRawData]
  + FileAlignment

EP (File) = AddressOfEntryPoint – BaseOfCode + .text[PointerToRawData] + FileAlignment

然而，当我一直在计算这一点我自己（我用了几个不同的EXE文件），我已经来到了结论：

However, when I have been calculating this myself (I used a couple of different exe files) I have came to the conclusion that

在EXE文件偏移切入点= AddressOfEntryPoint +的.text [的PointerToRawData] -
  的.text [虚拟地址]

Offset of entry point in EXE file = AddressOfEntryPoint + .text[PointerToRawData] - .text[VirtualAddress]

在哪里AddressOfEntryPoint是IMAGE_OPTIONAL_HEADER从IMAGE_SECTION_HEADER其他两个值牵强。

Where AddressOfEntryPoint is fetched from IMAGE_OPTIONAL_HEADER and the other two values from the IMAGE_SECTION_HEADER.

就是Web页面上的信息虚假的？添加FileAlignment像他们这样做似乎只是错误的，它没有任何意义。还是没有呢？一个文件对齐建议我应该用模或东西来计算值。如果BaseOf code和FileAlignment是相同的值（大多是一些），它不会打扰他们增加了计算，但如何将它有意义吗？

Is the information on that web page false? Adding FileAlignment like they do just seems wrong, it does not make sense. Or does it? A file alignment suggests that I should use modulo or something to compute a value. If BaseOfCode and FileAlignment is the same value (mostly they are), it would not disturb adding them to the calculation, but how would it make sense?

推荐答案

正确的，你并不需要在所有使用 FileAlignment 值。

Correct, you don't need to use the FileAlignment value at all.

该算法应该是类似如下（与你的差不多）：

The algorithm should be something like as follow (very similar to yours):

• 获取 AddressOfEntryPoint 从IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint（这是一个VA）


• 搜索在节头这VA所在（通常是第一个1，但你应该在所有的节头真搜索）。


• 当你有正确的节头，得到它的虚拟地址和的PointerToRawData 字段。


• 减去虚拟地址从 AddressOfEntryPoint ：你现在有一个三角


• 作为完全相同三角洲适用于偏移，则：增加增量来的PointerToRawData
。


• Get AddressOfEntryPoint from IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint (this is a VA)
• Search in which section header this VA resides (usually the 1st one, but you should really search in all section headers).
• Once you have the right section header, get its VirtualAddress and PointerToRawData fields.
• Subtract VirtualAddress from AddressOfEntryPoint: you now have a "delta"
• As the exactly same delta applies to offsets, then: add "delta" to PointerToRawData.

您根本不需要 FileAlignment ，因为其中的入口点在于该值已经对准部分。

You simply don't need FileAlignment because the section in which the entry point lies is already aligned on that value.

这篇关于计算文件中的PE文件的入口点偏移的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！