RTLImageRVAtoSection

Started by guga, May 21, 2012, 09:54:07 AM

guga

;;
    RTLImageRVAtoSection function

    Locates a relative virtual address (RVA) within the image header of a file that is mapped as a file
    and returns a pointer to the section table entry for that RVA.

    Parameters:
        NtHeaders [in]: A pointer to an IMAGE_NT_HEADERS structure. This structure can be obtained by calling
                        the ImageNtHeader function. The 'PE' signature
        Base [in]:      This parameter is reserved.
        Rva [in]:       The relative virtual address to be located.

    Return value:   If the function succeeds, the return value is a pointer to an IMAGE_SECTION_HEADER structure.
                    If the function fails, the return value is NULL. To retrieve extended error information,
                    call GetLastError.

    Remarks:    All DbgHelp functions, such as this one, are single threaded. Therefore, calls from more than
                one thread to this function will likely result in unexpected behavior or memory corruption.
                To avoid this, you must synchronize all concurrent calls from more than one thread to this function.

    Example:
                call RTLImageRVAtoSection D@NtHeader, D@BaseAddress, D@Rva

    Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/ms680217(v=vs.85).aspx

;;

Proc RTLImageRVAtoSection:
    Arguments @NtHeader, @BaseAddress, @Rva
    Local @RvaSectionAlignment
    Uses ecx, ebx, edx, esi

    xor eax eax
    mov edx D@NtHeader
    movzx ecx W$edx+PeHeader.FileHeader.NumberOfSectionsDis
    On ecx = 0, ExitP
    move D@RvaSectionAlignment D$edx+PeHeader.OptionalHeader.SectionAlignmentDis
    add edx SizeOf_PeHeader ; point to  IMAGE_SECTION_HEADER
    mov eax edx
    While ecx <> 0
        mov esi D$edx+SectionsHeaders.VirtualAddressDis
        mov ebx D$edx+SectionsHeaders.SrcMiscVirtualSizeDis
        ; Some compiler (Watcom-C) may set the RVA to zero. So... :
        On ebx < D$edx+SectionsHeaders.SizeOfRawDataDis, mov ebx D$edx+SectionsHeaders.SizeOfRawDataDis

        add ebx esi
        Align_On_Variable D@RvaSectionAlignment ebx
        .If_And esi <= D@Rva, D@Rva < ebx
            ExitP
        .End_If
        add edx SizeOf_SectionsHeaders
        mov eax edx
        dec ecx
    End_While

    xor eax eax

EndP

Coding in Assembly requires a mix of:
80% of brain, passion, intuition, creativity
10% of programming skills
10% of alcoholic levels in your blood.

My Code Sites:
http://rosasm.freeforums.org
http://winasm.tripod.com

Antariy

Is the SizeOf_PeHeader a constant in your code?

guga

Yes... this is the size of IMAGE_NT_HEADERS = 248 (decimal value).

Sorry about that... I forgot to mention the equates (constants) related to it... Here is the set of constants I built for that (check them inside RosAsm under the title "PEHeaderStructures"):


; Equates related to the PE Structures

; IMAGE_DOS_HEADER

[DosHeader.e_magicDis 0
DosHeader.e_cblpDis 2
DosHeader.e_cpDis 4
DosHeader.e_crlcDis 6
DosHeader.e_cparhdrDis 8
DosHeader.e_minallocDis 10
DosHeader.e_maxallocDis 12
DosHeader.e_ssDis 14
DosHeader.e_spDis 16
DosHeader.e_csumDis 18
DosHeader.e_ipDis 20
DosHeader.e_csDis 22
DosHeader.e_lfarlcDis 24
DosHeader.e_ovnoDis 26
DosHeader.e_res_01Dis 28
DosHeader.e_res_02Dis 30
DosHeader.e_res_03Dis 32
DosHeader.e_res_04Dis 34
DosHeader.e_oemidDis 36
DosHeader.e_oeminfoDis 38
DosHeader.e_res2_01Dis 40
DosHeader.e_res2_02Dis 42
DosHeader.e_res2_03Dis 44
DosHeader.e_res2_04Dis 46
DosHeader.e_res2_05Dis 48
DosHeader.e_res2_06Dis 50
DosHeader.e_res2_07Dis 52
DosHeader.e_res2_08Dis 54
DosHeader.e_res2_09Dis 56
DosHeader.e_res2_10Dis 58
DosHeader.e_lfanewDis 60]

[SizeOf_DosHeader 64]

; IMAGE_NT_HEADERS

[PeHeader.SignatureDis 0
PeHeader.FileHeader.MachineDis 4
PeHeader.FileHeader.NumberOfSectionsDis 6
PeHeader.FileHeader.TimeDateStampDis 8
PeHeader.FileHeader.PointerToSymbolTableDis 12
PeHeader.FileHeader.NumberOfSymbolsDis 16
PeHeader.FileHeader.SizeOfOptionalHeaderDis 20
PeHeader.FileHeader.CharacteristicsDis 22
PeHeader.OptionalHeader.MagicDis 24
PeHeader.OptionalHeader.MajorLinkerVersionDis 26
PeHeader.OptionalHeader.MinorLinkerVersionDis 27
PeHeader.OptionalHeader.SizeOfCodeDis 28
PeHeader.OptionalHeader.SizeOfInitializedDataDis 32
PeHeader.OptionalHeader.SizeOfUninitializedDataDis 36
PeHeader.OptionalHeader.AddressOfEntryPointDis 40
PeHeader.OptionalHeader.BaseOfCodeDis 44
PeHeader.OptionalHeader.BaseOfDataDis 48
PeHeader.OptionalHeader.ImageBaseDis 52
PeHeader.OptionalHeader.SectionAlignmentDis 56
PeHeader.OptionalHeader.FileAlignmentDis 60
PeHeader.OptionalHeader.MajorOperatingSystemVersionDis 64
PeHeader.OptionalHeader.MinorOperatingSystemVersionDis 66
PeHeader.OptionalHeader.MajorImageVersionDis 68
PeHeader.OptionalHeader.MinorImageVersionDis 70
PeHeader.OptionalHeader.MajorSubsystemVersionDis 72
PeHeader.OptionalHeader.MinorSubsystemVersionDis 74
PeHeader.OptionalHeader.Win32VersionValueDis 76
PeHeader.OptionalHeader.SizeOfImageDis 80
PeHeader.OptionalHeader.SizeOfHeadersDis 84
PeHeader.OptionalHeader.CheckSumDis 88
PeHeader.OptionalHeader.SubsystemDis 92
PeHeader.OptionalHeader.DllCharacteristicsDis 94
PeHeader.OptionalHeader.SizeOfStackReserveDis 96
PeHeader.OptionalHeader.SizeOfStackCommitDis 100
PeHeader.OptionalHeader.SizeOfHeapReserveDis 104
PeHeader.OptionalHeader.SizeOfHeapCommitDis 108
PeHeader.OptionalHeader.LoaderFlagsDis 112
PeHeader.OptionalHeader.NumberOfRvaAndSizesDis 116
PeHeader.DataDirectory.ExportDis 120
PeHeader.DataDirectory.ExportSizeDis 124
PeHeader.DataDirectory.ImportDis 128
PeHeader.DataDirectory.ImportSizeDis 132
PeHeader.DataDirectory.ResourceDis 136
PeHeader.DataDirectory.ResourceSizeDis 140
PeHeader.DataDirectory.ExceptionDis 144
PeHeader.DataDirectory.ExceptionSizeDis 148
PeHeader.DataDirectory.CertificateDis 152
PeHeader.DataDirectory.CertificateSizeDis 156
PeHeader.DataDirectory.RelocationDis 160
PeHeader.DataDirectory.RelocationSizeDis 164
PeHeader.DataDirectory.DebugDis 168
PeHeader.DataDirectory.DebugSizeDis 172
PeHeader.DataDirectory.ArchitectureDis 176
PeHeader.DataDirectory.ArchitectureSizeDis 180
PeHeader.DataDirectory.GPRegDis 184
PeHeader.DataDirectory.GPRegSizeDis 188
PeHeader.DataDirectory.ThreadDis 192
PeHeader.DataDirectory.ThreadSizeDis 196
PeHeader.DataDirectory.ConfigTableDis 200
PeHeader.DataDirectory.ConfigTableSizeDis 204
PeHeader.DataDirectory.BoundIATDis 208
PeHeader.DataDirectory.BoundIATSizeDis 212
PeHeader.DataDirectory.IATDis 216
PeHeader.DataDirectory.IATSizeDis 220
PeHeader.DataDirectory.DelayIDDis 224
PeHeader.DataDirectory.DelayIDSizeDis 228
PeHeader.DataDirectory.COMDis 232
PeHeader.DataDirectory.COMSizeDis 236
PeHeader.DataDirectory.ReservedDis 240
PeHeader.DataDirectory.ReservedSizeDis 244]

[SizeOf_PeHeader 248]



; IMAGE_SECTION_HEADER

[SectionsHeaders.Name1Dis 0
SectionsHeaders.SrcMiscVirtualSizeDis 8
SectionsHeaders.VirtualAddressDis 12
SectionsHeaders.SizeOfRawDataDis 16
SectionsHeaders.PointerToRawDataDis 20
SectionsHeaders.PointerToRelocationsDis 24
SectionsHeaders.PointerToLinenumbersDis 28
SectionsHeaders.NumberOfRelocationsDis 32
SectionsHeaders.NumberOfLinenumbersDis 34
SectionsHeaders.CharacteristicsDis 36]

[SizeOf_SectionsHeaders 40]

Antariy

Quote from: guga on May 21, 2012, 03:10:17 PM
Yes..this is the size of IMAGE_NT_HEADERS = 248 (decimal value).

Actually, you shouldn't rely on the constant size of IMAGE_NT_HEADERS, because the size of IMAGE_OPTIONAL_HEADER may be smaller than the default one (224 bytes) if the IMAGE_DATA_DIRECTORY in the IMAGE_OPTIONAL_HEADER is truncated. For this reason, to get the actual size of IMAGE_NT_HEADERS, you need to calculate it at runtime depending on the PE file:

size_of(IMAGE_NT_HEADERS) = sizeof(DWORD) (its signature) + sizeof(IMAGE_FILE_HEADER) + IMAGE_FILE_HEADER.SizeOfOptionalHeader (i.e. something like pImageNTHeaders.FileHeader.SizeOfOptionalHeader)
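
The runtime calculation described above, carried into a bounds-checked section lookup, as an added C example that is not part of the thread or of RosAsm. The helper names and the constructed sample header (data directory truncated to two entries, so SizeOfOptionalHeader = 112) are assumptions; the section-alignment rounding of the posted routine is left out.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian readers: no alignment or host-endianness assumptions. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

enum { SIG_SIZE = 4, FILE_HDR_SIZE = 20, SECTION_HDR_SIZE = 40 };

/* Section table offset from the start of IMAGE_NT_HEADERS:
   signature + IMAGE_FILE_HEADER + FileHeader.SizeOfOptionalHeader (at +20). */
static size_t section_table_offset(const uint8_t *nt) {
    return SIG_SIZE + FILE_HDR_SIZE + (size_t)rd16(nt + 20);
}

/* Offset (from nt) of the section header covering rva; 0 if there is none
   or the section table does not fit in the nt_len bytes available. */
static size_t rva_to_section(const uint8_t *nt, size_t nt_len, uint32_t rva) {
    if (nt_len < SIG_SIZE + FILE_HDR_SIZE || rd32(nt) != 0x00004550u) return 0;
    size_t nsec = rd16(nt + 6);               /* NumberOfSections */
    size_t off = section_table_offset(nt);
    if (off > nt_len || nsec > (nt_len - off) / SECTION_HDR_SIZE) return 0;
    for (size_t i = 0; i < nsec; i++, off += SECTION_HDR_SIZE) {
        uint32_t vsize = rd32(nt + off + 8), va = rd32(nt + off + 12);
        uint32_t raw = rd32(nt + off + 16);
        if (vsize < raw) vsize = raw;          /* same fallback as the posted routine */
        if (rva >= va && rva - va < vsize) return off;  /* subtraction cannot wrap */
    }
    return 0;
}

/* Constructed sample: PE32 headers with a 112-byte optional header
   (96 fixed bytes + 2 directory entries), then two section headers. */
static size_t build_sample(uint8_t *buf, size_t cap) {
    const size_t opt = 112, total = SIG_SIZE + FILE_HDR_SIZE + opt + 2 * SECTION_HDR_SIZE;
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(buf, "PE\0\0", 4);
    buf[6] = 2;                                /* NumberOfSections */
    buf[20] = (uint8_t)opt;                    /* SizeOfOptionalHeader */
    uint8_t *s = buf + SIG_SIZE + FILE_HDR_SIZE + opt;
    memcpy(s, ".text", 5); s[9] = 0x10; s[13] = 0x10;  /* VirtualSize 0x1000, VA 0x1000 */
    s += SECTION_HDR_SIZE;
    memcpy(s, ".data", 5); s[9] = 0x02; s[13] = 0x20;  /* VirtualSize 0x200, VA 0x2000 */
    return total;
}

int main(void) {
    uint8_t b[256];
    size_t n = build_sample(b, sizeof b);
    return rva_to_section(b, n, 0x2100) == 176 ? 0 : 1;
}
```

In this sample the whole header block is 216 bytes, so a fixed offset of 248 would start reading section headers past the end of the table.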

guga

Hmm... good point... I'll review the code later.

I made it like this because RosAsm PEs have rigid structure sizes... But... since I made the function to work for whatever situation, it may be helpful to adapt it to fit other needs.