Results 1 to 4 of 4

Thread: Section Table Question

  1. #1
    netpumber
    Guest

    Section Table Question

    Hallo everybody.. I have a little question..

    Here is the definition of Section_header

    Code:
    typedef struct _IMAGE_SECTION_HEADER {
        BYTE    Name[IMAGE_SIZEOF_SHORT_NAME];
        union {
                DWORD   PhysicalAddress;
                DWORD   VirtualSize;
        } Misc;
        DWORD   VirtualAddress;
        DWORD   SizeOfRawData;
        DWORD   PointerToRawData;
        DWORD   PointerToRelocations;
        DWORD   PointerToLinenumbers;
        WORD    NumberOfRelocations;
        WORD    NumberOfLinenumbers;
        DWORD   Characteristics;
    }
    An here is a simple image example with one section table (.text)

    http://img594.imageshack.us/img594/5157/hexk.jpg

    the hex code in green is the PointerToRawData .. Am i right ?

    Im trying to understand why is this the PointerToRawData..

    The Name of the struct is always 8 bytes (if i remember) so.. we add and these

    DWORD PhysicalAddress;
    DWORD VirtualSize;
    DWORD VirtualAddress;
    DWORD SizeOfRawData;

    4 bytes each one.. And we have

    8 + (4*4) = 32 But the PointerOfRawData starts at 21st byte..

    Any explanation ?

    Thanks in advance
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Hi netpumber,
    The reason is this part of the structure:
    Code:
    union {
                DWORD   PhysicalAddress;
                DWORD   VirtualSize;
    }
    Union means the field entries use the same memory, which is the size of the biggest field (4 in this case).
    So setting PhysicalAddress to a value will also change VirtualSize, as they use same memory.
    Anyway, in use this field is always just VirtualSize, so you can redefine the structure if you wish like so:

    Code:
    typedef struct _IMAGE_SECTION_HEADER {
        BYTE    Name[IMAGE_SIZEOF_SHORT_NAME];
        DWORD   VirtualSize;
        DWORD   VirtualAddress;
        DWORD   SizeOfRawData;
        DWORD   PointerToRawData;
        DWORD   PointerToRelocations;
        DWORD   PointerToLinenumbers;
        WORD    NumberOfRelocations;
        WORD    NumberOfLinenumbers;
        DWORD   Characteristics;
    }
    Have fun!
    BoB
    Last edited by BoB; May 25th, 2010 at 11:32.

  3. #3
    netpumber
    Guest
    Excellent explanation.. Thanks a lot BoB

    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    i think he was checking to see whether anybody here knew what a "Union" is

Similar Threads

  1. getting Virtual Size of Section in PE
    By Vigual in forum The Newbie Forum
    Replies: 2
    Last Post: November 14th, 2009, 09:55
  2. /Section help
    By Swimmer in forum The Newbie Forum
    Replies: 7
    Last Post: June 5th, 2007, 03:31
  3. Replies: 2
    Last Post: October 3rd, 2006, 08:23
  4. Pe Section Table - How To Get Large Gaps Between Sections?
    By Uridium in forum Malware Analysis and Unpacking Forum
    Replies: 12
    Last Post: March 6th, 2006, 22:26
  5. Section Atributes
    By Kilby in forum Advanced Reversing and Programming
    Replies: 7
    Last Post: February 21st, 2002, 11:58

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •