finding the section of a PE's entrypoint
I'm trying to find what section the PE entrypoint points to. I have two questions:
- Is it correct to say that this section is the one such that section.PointerToRawData <开发者_运维百科; AddressOfEntryPoint < section.PointerToRawData + section.SizeOfRawData ?
- I see some PE's that have AddressOfEntryPoint > total size of file. How is this possible? Is the AddressOfEntryPoint value wrong?
thanks
Is it correct to say that this section is the one such that section.PointerToRawData < AddressOfEntryPoint < section.PointerToRawData + section.SizeOfRawData ?
Not quite, the section you want should be the one such that: section.VirtualAddress < AddressOfEntryPoint < section.VirtualAddress+ section.VirtualSize
Then to find the position in the file, use: AddressOfEntryPoint - section.VirtualAddress + section.PointerToRawData
加载中,请稍侯......
精彩评论