Author Topic: RTLImageRVAtoSection  (Read 8875 times)

guga

  • Moderator
  • Member
  • *****
  • Posts: 1449
  • Assembly is a state of art.
    • RosAsm
RTLImageRVAtoSection
« on: May 21, 2012, 09:54:07 AM »
Code:
;;
    RTLImageRVAtoSection function

    Locates a relative virtual address (RVA) within the image header of a file that is mapped as a file
    and returns a pointer to the section table entry for that RVA.

    Parameters:
        NtHeaders [in]: A pointer to an IMAGE_NT_HEADERS structure. This structure can be obtained by calling
                        the ImageNtHeader function. The 'PE' signature
        Base [in]:  This parameter is reserved.
        Rva [in]:   The relative virtual address to be located.

    Return value:   If the function succeeds, the return value is a pointer to an IMAGE_SECTION_HEADER structure.
                    If the function fails, the return value is NULL. To retrieve extended error information,
                    call GetLastError.

    Remarks:    All DbgHelp functions, such as this one, are single threaded. Therefore, calls from more than
                one thread to this function will likely result in unexpected behavior or memory corruption.
                To avoid this, you must synchronize all concurrent calls from more than one thread to this function.

    Example:
                call RTLImageRVAtoSection D@NtHeader, D@BaseAddress, D@Rva

    Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/ms680217(v=vs.85).aspx

;;

Proc RTLImageRVAtoSection:
    Arguments @NtHeader, @BaseAddress, @Rva
    Local @RvaSectionAlignment
    Uses ecx, ebx, edx, esi

    xor eax eax
    mov edx D@NtHeader
    movzx ecx W$edx+PeHeader.FileHeader.NumberOfSectionsDis
    On ecx = 0, ExitP
    move D@RvaSectionAlignment D$edx+PeHeader.OptionalHeader.SectionAlignmentDis
    add edx SizeOf_PeHeader ; point to  IMAGE_SECTION_HEADER
    mov eax edx
    While ecx <> 0
        mov esi D$edx+SectionsHeaders.VirtualAddressDis
        mov ebx D$edx+SectionsHeaders.SrcMiscVirtualSizeDis
        ; Some compilers (Watcom-C) may set the VirtualSize to zero, so fall back to SizeOfRawData:
        On ebx < D$edx+SectionsHeaders.SizeOfRawDataDis, mov ebx D$edx+SectionsHeaders.SizeOfRawDataDis

        add ebx esi
        Align_On_Variable D@RvaSectionAlignment ebx
        .If_And esi <= D@Rva, D@Rva < ebx
            ExitP
        .End_If
        add edx SizeOf_SectionsHeaders
        mov eax edx
        dec ecx
    End_While

    xor eax eax

EndP
Coding in Assembly requires a mix of:
80% of brain, passion, intuition, creativity
10% of programming skills
10% of alcoholic levels in your blood.

My Code Sites:
http://rosasm.freeforums.org
http://winasm.tripod.com

Antariy

  • Member
  • ****
  • Posts: 564
Re: RTLImageRVAtoSection
« Reply #1 on: May 21, 2012, 10:27:01 AM »
Is the SizeOf_PeHeader a constant in your code?

guga

Re: RTLImageRVAtoSection
« Reply #2 on: May 21, 2012, 03:10:17 PM »
Yes..this is the size of IMAGE_NT_HEADERS = 248 (decimal value).

Sorry about that... I forgot to mention the equates (constants) related to it... Here is the set of constants I built for that (check them inside RosAsm under the title "PEHeaderStructures"):

Code:
; Equates related to the PE Structures

; IMAGE_DOS_HEADER

[DosHeader.e_magicDis 0
 DosHeader.e_cblpDis 2
 DosHeader.e_cpDis 4
 DosHeader.e_crlcDis 6
 DosHeader.e_cparhdrDis 8
 DosHeader.e_minallocDis 10
 DosHeader.e_maxallocDis 12
 DosHeader.e_ssDis 14
 DosHeader.e_spDis 16
 DosHeader.e_csumDis 18
 DosHeader.e_ipDis 20
 DosHeader.e_csDis 22
 DosHeader.e_lfarlcDis 24
 DosHeader.e_ovnoDis 26
 DosHeader.e_res_01Dis 28
 DosHeader.e_res_02Dis 30
 DosHeader.e_res_03Dis 32
 DosHeader.e_res_04Dis 34
 DosHeader.e_oemidDis 36
 DosHeader.e_oeminfoDis 38
 DosHeader.e_res2_01Dis 40
 DosHeader.e_res2_02Dis 42
 DosHeader.e_res2_03Dis 44
 DosHeader.e_res2_04Dis 46
 DosHeader.e_res2_05Dis 48
 DosHeader.e_res2_06Dis 50
 DosHeader.e_res2_07Dis 52
 DosHeader.e_res2_08Dis 54
 DosHeader.e_res2_09Dis 56
 DosHeader.e_res2_10Dis 58
 DosHeader.e_lfanewDis 60]

[SizeOf_DosHeader 64]

; IMAGE_NT_HEADERS

[PeHeader.SignatureDis 0
 PeHeader.FileHeader.MachineDis 4
 PeHeader.FileHeader.NumberOfSectionsDis 6
 PeHeader.FileHeader.TimeDateStampDis 8
 PeHeader.FileHeader.PointerToSymbolTableDis 12
 PeHeader.FileHeader.NumberOfSymbolsDis 16
 PeHeader.FileHeader.SizeOfOptionalHeaderDis 20
 PeHeader.FileHeader.CharacteristicsDis 22
 PeHeader.OptionalHeader.MagicDis 24
 PeHeader.OptionalHeader.MajorLinkerVersionDis 26
 PeHeader.OptionalHeader.MinorLinkerVersionDis 27
 PeHeader.OptionalHeader.SizeOfCodeDis 28
 PeHeader.OptionalHeader.SizeOfInitializedDataDis 32
 PeHeader.OptionalHeader.SizeOfUninitializedDataDis 36
 PeHeader.OptionalHeader.AddressOfEntryPointDis 40
 PeHeader.OptionalHeader.BaseOfCodeDis 44
 PeHeader.OptionalHeader.BaseOfDataDis 48
 PeHeader.OptionalHeader.ImageBaseDis 52
 PeHeader.OptionalHeader.SectionAlignmentDis 56
 PeHeader.OptionalHeader.FileAlignmentDis 60
 PeHeader.OptionalHeader.MajorOperatingSystemVersionDis 64
 PeHeader.OptionalHeader.MinorOperatingSystemVersionDis 66
 PeHeader.OptionalHeader.MajorImageVersionDis 68
 PeHeader.OptionalHeader.MinorImageVersionDis 70
 PeHeader.OptionalHeader.MajorSubsystemVersionDis 72
 PeHeader.OptionalHeader.MinorSubsystemVersionDis 74
 PeHeader.OptionalHeader.Win32VersionValueDis 76
 PeHeader.OptionalHeader.SizeOfImageDis 80
 PeHeader.OptionalHeader.SizeOfHeadersDis 84
 PeHeader.OptionalHeader.CheckSumDis 88
 PeHeader.OptionalHeader.SubsystemDis 92
 PeHeader.OptionalHeader.DllCharacteristicsDis 94
 PeHeader.OptionalHeader.SizeOfStackReserveDis 96
 PeHeader.OptionalHeader.SizeOfStackCommitDis 100
 PeHeader.OptionalHeader.SizeOfHeapReserveDis 104
 PeHeader.OptionalHeader.SizeOfHeapCommitDis 108
 PeHeader.OptionalHeader.LoaderFlagsDis 112
 PeHeader.OptionalHeader.NumberOfRvaAndSizesDis 116
 PeHeader.DataDirectory.ExportDis 120
 PeHeader.DataDirectory.ExportSizeDis 124
 PeHeader.DataDirectory.ImportDis 128
 PeHeader.DataDirectory.ImportSizeDis 132
 PeHeader.DataDirectory.ResourceDis 136
 PeHeader.DataDirectory.ResourceSizeDis 140
 PeHeader.DataDirectory.ExceptionDis 144
 PeHeader.DataDirectory.ExceptionSizeDis 148
 PeHeader.DataDirectory.CertificateDis 152
 PeHeader.DataDirectory.CertificateSizeDis 156
 PeHeader.DataDirectory.RelocationDis 160
 PeHeader.DataDirectory.RelocationSizeDis 164
 PeHeader.DataDirectory.DebugDis 168
 PeHeader.DataDirectory.DebugSizeDis 172
 PeHeader.DataDirectory.ArchitectureDis 176
 PeHeader.DataDirectory.ArchitectureSizeDis 180
 PeHeader.DataDirectory.GPRegDis 184
 PeHeader.DataDirectory.GPRegSizeDis 188
 PeHeader.DataDirectory.ThreadDis 192
 PeHeader.DataDirectory.ThreadSizeDis 196
 PeHeader.DataDirectory.ConfigTableDis 200
 PeHeader.DataDirectory.ConfigTableSizeDis 204
 PeHeader.DataDirectory.BoundIATDis 208
 PeHeader.DataDirectory.BoundIATSizeDis 212
 PeHeader.DataDirectory.IATDis 216
 PeHeader.DataDirectory.IATSizeDis 220
 PeHeader.DataDirectory.DelayIDDis 224
 PeHeader.DataDirectory.DelayIDSizeDis 228
 PeHeader.DataDirectory.COMDis 232
 PeHeader.DataDirectory.COMSizeDis 236
 PeHeader.DataDirectory.ReservedDis 240
 PeHeader.DataDirectory.ReservedSizeDis 244]

[SizeOf_PeHeader 248]



; IMAGE_SECTION_HEADER

[SectionsHeaders.Name1Dis 0
 SectionsHeaders.SrcMiscVirtualSizeDis 8
 SectionsHeaders.VirtualAddressDis 12
 SectionsHeaders.SizeOfRawDataDis 16
 SectionsHeaders.PointerToRawDataDis 20
 SectionsHeaders.PointerToRelocationsDis 24
 SectionsHeaders.PointerToLinenumbersDis 28
 SectionsHeaders.NumberOfRelocationsDis 32
 SectionsHeaders.NumberOfLinenumbersDis 34
 SectionsHeaders.CharacteristicsDis 36]

[SizeOf_SectionsHeaders 40]


Antariy

Re: RTLImageRVAtoSection
« Reply #3 on: May 22, 2012, 09:30:49 AM »
Quote from guga: "Yes..this is the size of IMAGE_NT_HEADERS = 248 (decimal value)."

Actually, you shouldn't rely on the constant size of IMAGE_NT_HEADERS, because the size of IMAGE_OPTIONAL_HEADER may be smaller than the default one (224 bytes) if the IMAGE_DATA_DIRECTORY in the IMAGE_OPTIONAL_HEADER is truncated. For this reason, to get the actual size of IMAGE_NT_HEADERS, you need to calculate it at runtime depending on the PE file:

size_of(IMAGE_NT_HEADERS) = sizeof(DWORD) (it's signature) + sizeof(IMAGE_FILE_HEADER) + IMAGE_FILE_HEADER.SizeOfOptionalHeader (i.e. something like pImageNTHeaders.FileHeader.SizeOfOptionalHeader)
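
The calculation from the reply above, as an added C example (not code from either poster or from RosAsm): the section table is located from SizeOfOptionalHeader instead of a fixed 248, and it is bounds-checked before applying the same RVA test as the original routine. The function names, the byte-buffer interface and the sample header are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define FILE_HDR 20u   /* sizeof(IMAGE_FILE_HEADER) */
#define SECT_HDR 40u   /* sizeof(IMAGE_SECTION_HEADER) */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Offset (from the 'PE' signature) of the section header covering rva, or -1.
   nt points at the signature; len is how many bytes are readable from there. */
long rva_to_section(const uint8_t *nt, size_t len, uint32_t rva)
{
    if (len < 4 + FILE_HDR || memcmp(nt, "PE\0\0", 4) != 0) return -1;
    uint16_t nsec = rd16(nt + 6), optsz = rd16(nt + 20);
    size_t table = 4 + FILE_HDR + optsz;        /* computed, not a fixed 248 */
    if (table > len || nsec > (len - table) / SECT_HDR) return -1;
    /* SectionAlignment is at offset 56; read it only if the optional header reaches it */
    uint32_t align = optsz >= 36 ? rd32(nt + 56) : 0;
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *s = nt + table + i * SECT_HDR;
        uint32_t va = rd32(s + 12), vsize = rd32(s + 8), raw = rd32(s + 16);
        uint64_t end = (uint64_t)va + (vsize < raw ? raw : vsize);
        if (align) end = (end + align - 1) / align * align;
        if (rva >= va && rva < end) return (long)(table + i * SECT_HDR);
    }
    return -1;
}

/* Constructed sample: optional header cut to 2 data directories
   (96 + 2*8 = 112 bytes), so the section table starts at 136. */
#define SAMPLE_LEN (4 + FILE_HDR + 112 + 2 * SECT_HDR)   /* 216 */
long sample_lookup(size_t len, uint32_t rva)
{
    static uint8_t b[SAMPLE_LEN];
    uint8_t *t = b + 136;
    memset(b, 0, sizeof b);
    memcpy(b, "PE\0\0", 4);
    b[6] = 2; b[20] = 112;                      /* NumberOfSections, SizeOfOptionalHeader */
    wr32(b + 56, 0x1000);                       /* SectionAlignment */
    wr32(t + 8, 0x500); wr32(t + 12, 0x1000); wr32(t + 16, 0x600);   /* first section */
    wr32(t + 48, 0);    wr32(t + 52, 0x2000); wr32(t + 56, 0x200);   /* VirtualSize 0 */
    return rva_to_section(b, len < sizeof b ? len : sizeof b, rva);
}

int main(void) { return sample_lookup(SAMPLE_LEN, 0x1234) == 136 ? 0 : 1; }
```

With this sample, a fixed offset of 248 would point past the end of the 216-byte buffer; the `len` check is what keeps a malformed NumberOfSections or SizeOfOptionalHeader from driving reads outside the mapped header.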

guga

Re: RTLImageRVAtoSection
« Reply #4 on: May 23, 2012, 10:06:50 AM »
Hmm...good point...I'll review the code later.

I made it like this because RosAsm PE have rigid structures sizes....But...since I made the function to work for whatever situation, it may be helpful to adapt it to fit other needs

Antariy

Re: RTLImageRVAtoSection
« Reply #5 on: May 23, 2012, 12:59:04 PM »
 :icon14: