Reverse Engineering Asked by Loliconaoquadrado on February 10, 2021
What is the physical address in a PE file? I searched the Microsoft website article about PE files and haven't found anything.
As I commented, it seems the tool you used is misusing a name.
The section header is documented thus:
As can be seen, the second member of the structure is a union, Misc:
union {
DWORD PhysicalAddress;
DWORD VirtualSize;
} Misc;
So your tool should probably be using it as Misc.PhysicalAddress,
or it should simply use it as
VirtualSize, as PhysicalAddress is not relevant to usermode executables (it used to be used in obj files).
OllyDbg section display:
013001F0 2E 74 65 78>ASCII ".text" ; SECTION
013001F8 8C6D0100 DD 00016D8C ; VirtualSize = 16D8C (93580.)
013001FC 00100000 DD 00001000 ; VirtualAddress = 1000
01300200 006E0100 DD 00016E00 ; SizeOfRawData = 16E00 (93696.)
01300204 00040000 DD 00000400 ; PointerToRawData = 400
01300208 00000000 DD 00000000 ; PointerToRelocations = 0
0130020C 00000000 DD 00000000 ; PointerToLineNumbers = 0
01300210 0000 DW 0000 ; NumberOfRelocations = 0
01300212 0000 DW 0000 ; NumberOfLineNumbers = 0
01300214 20000060 DD 60000020 ; Characteristics = CODE|EXECUTE|READ
WinDbg section display:
SECTION HEADER #1
.text name
16D8C virtual size
1000 virtual address
16E00 size of raw data
400 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
(no align specified)
Execute Read
Dumpbin or Visual Studio linker display of the section:
:>dumpbin /section:.text cdb.exe
Microsoft (R) COFF/PE Dumper Version 14.16.27035.0
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file cdb.exe
File Type: EXECUTABLE IMAGE
SECTION HEADER #1
.text name
16D8C virtual size
1000 virtual address (00401000 to 00417D8B)
16E00 size of raw data
400 file pointer to raw data (00000400 to 000171FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
Execute Read
Summary
17000 .text
This field's usage, according to Matt Pietrek's Peering Inside PE article (copy):
(Microsoft simply dumped all contents into some gutter and only promotes Windows 10, so I couldn't locate the original of the MSDN magazines.)
union {
DWORD PhysicalAddress
DWORD VirtualSize
} Misc;
This field has different meanings, in EXEs or OBJs. In an EXE,
it holds the actual size of the code or data. This is the size
before rounding up to the nearest file alignment multiple. The
SizeOfRawData field (seems a bit of a misnomer) later on in the
structure holds the rounded up value. The Borland linker reverses
the meaning of these two fields and appears to be correct. For OBJ
files, this field indicates the physical address of the section. The
first section starts at address 0. To find the physical address in
an OBJ file of the next section, add the SizeOfRawData value to the
physical address of the current section.
Answered by blabb on February 10, 2021
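The two readings of the Misc field described in the answer, as an added example that is not part of the original post or of any tool it mentions. The header bytes are constructed from the OllyDbg dump above; the function and type names are hypothetical, the image base 0x400000 is taken from the dumpbin range, and the file alignment of 0x200 is an assumption consistent with the dumped values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields of the 40-byte IMAGE_SECTION_HEADER used here; misc is the union. */
typedef struct {
    char     name[9];              /* 8 bytes on disk, NUL-terminated here */
    uint32_t misc;                 /* Misc.VirtualSize or Misc.PhysicalAddress */
    uint32_t virtual_address;
    uint32_t size_of_raw_data;
    uint32_t pointer_to_raw_data;
    uint32_t characteristics;
} section_t;

/* Constructed sample: the .text header bytes shown in the OllyDbg dump. */
static const uint8_t SAMPLE_HDR[40] = {
    '.','t','e','x','t',0,0,0,
    0x8C,0x6D,0x01,0x00,  0x00,0x10,0x00,0x00,   /* Misc, VirtualAddress */
    0x00,0x6E,0x01,0x00,  0x00,0x04,0x00,0x00,   /* SizeOfRawData, PointerToRawData */
    0,0,0,0, 0,0,0,0, 0,0, 0,0,  0x20,0x00,0x00,0x60  /* relocs/lines, Characteristics */
};

static uint32_t rd32(const uint8_t *p) {   /* little-endian DWORD */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

section_t parse_section(const uint8_t *h) {
    section_t s;
    memcpy(s.name, h, 8); s.name[8] = '\0';
    s.misc                = rd32(h + 8);
    s.virtual_address     = rd32(h + 12);
    s.size_of_raw_data    = rd32(h + 16);
    s.pointer_to_raw_data = rd32(h + 20);
    s.characteristics     = rd32(h + 36);
    return s;
}

/* Round v up to a power-of-two alignment a. */
uint32_t align_up(uint32_t v, uint32_t a) { return (v + a - 1) & ~(a - 1); }
/* EXE reading (VirtualSize): last virtual address the section occupies. */
uint32_t image_va_end(const section_t *s, uint32_t base) { return base + s->virtual_address + s->misc - 1; }
/* OBJ reading (PhysicalAddress), per the quoted article: address of the next section. */
uint32_t obj_next_physical(const section_t *s) { return s->misc + s->size_of_raw_data; }

int main(void) {
    section_t s = parse_section(SAMPLE_HDR);
    printf("%s VirtualSize=%X SizeOfRawData=%X\n", s.name, (unsigned)s.misc, (unsigned)s.size_of_raw_data);
    printf("VA end=%08X\n", (unsigned)image_va_end(&s, 0x400000));
    return 0;
}
```

Rounding the parsed VirtualSize up to the assumed 0x200 file alignment reproduces the SizeOfRawData in the dumps, and the computed end address matches the range dumpbin prints.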