;;
RTLImageRVAtoSection function
Locates a relative virtual address (RVA) within the image header of a file that is mapped as a file
and returns a pointer to the section table entry for that RVA.
Parameters:
NtHeaders [in]: A pointer to an IMAGE_NT_HEADERS structure. This structure can be obtained by calling
the ImageNtHeader function. The 'PE' signature
Base [in]: This parameter is reserved.
Rva [in]: The relative virtual address to be located.
Return value: If the function succeeds, the return value is a pointer to an IMAGE_SECTION_HEADER structure.
If the function fails, the return value is NULL. To retrieve extended error information,
call GetLastError.
Remarks: All DbgHelp functions, such as this one, are single threaded. Therefore, calls from more than
one thread to this function will likely result in unexpected behavior or memory corruption.
To avoid this, you must synchronize all concurrent calls from more than one thread to this function.
Example:
call RTLImageRVAtoSection D@NtHeader, D@BaseAddress, D@Rva
Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/ms680217(v=vs.85).aspx
;;
Proc RTLImageRVAtoSection:
Arguments @NtHeader, @BaseAddress, @Rva
Local @RvaSectionAlignment
Uses ecx, ebx, edx, esi
xor eax eax
mov edx D@NTHeader
movzx ecx W$edx+PeHeader.FileHeader.NumberOfSectionsDis
On ecx = 0, ExitP
move D@RvaSectionAlignment D$edx+PeHeader.OptionalHeader.SectionAlignmentDis
add edx SizeOf_PeHeader ; point to IMAGE_SECTION_HEADER
mov eax edx
While ecx <> 0
mov esi D$edx+SectionsHeaders.VirtualAddressDis
mov ebx D$edx+SectionsHeaders.SrcMiscVirtualSizeDis
; Some compiler (Watcom-C) may set the RVA to zero. So... :
On ebx < D$edx+SectionsHeaders.SizeOfRawDataDis, mov ebx D$edx+SectionsHeaders.SizeOfRawDataDis
add ebx esi
Align_On_Variable D@RvaSectionAlignment ebx
.If_And esi <= D@Rva, D@Rva < ebx
ExitP
.End_If
add edx SizeOf_SectionsHeaders
mov eax edx
dec ecx
End_While
xor eax eax
EndP
