How to understand the PE header in this graph?
IMO, this should hold:
rva = raw - imagebase
which is not the case in the graph, why?
The entry point RVA, entry point raw address, and image base address are not related in that way.
The image base is the "preferred address of the first byte of the image when it is loaded in memory". In other words, it's the virtual address of the image when it gets loaded assuming there's not a conflict. If there is an address conflict when the image is loaded (e.g. another image is already loaded in an overlapping range), then a new base address will be chosen for the image.
An RVA is a relative virtual address. It is "relative" in the sense that it is changed when the image is actually loaded. It's the address when the base address is not known (e.g. when the image isn't loaded). Once the image is loaded, the RVA becomes a virtual address (VA), an actual address in virtual memory.
The raw vs. RVA distinction is due to alignment. There is section alignment (the alignment of the sections when they get loaded into memory) as well as file alignment (the alignment of the raw data in the sections). The section alignment here is 0x1000 while the file alignment is 0x200.
The entry point RVA is used to determine the VA of the entry point when the image is loaded (i.e. the entry point will be located at virtual address EntryPoint (rva) + ImageBase). The entry point raw address is the offset into the file where the entry point is located.
This document has a good explanation of alignment.
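The relationship described in the answer above, as an added example that is not part of the original answer: an RVA maps to a raw file offset through the section table, and to a VA through the load address. The section table, image base and header size below are constructed values (they are not read from the graph in the question), chosen to match a section alignment of 0x1000 and a file alignment of 0x200.

```python
from typing import NamedTuple, Optional


class Section(NamedTuple):
    name: str
    virtual_address: int      # RVA of the section in memory (multiple of SectionAlignment)
    virtual_size: int         # bytes the section occupies in memory
    pointer_to_raw_data: int  # file offset of the section data (multiple of FileAlignment)
    size_of_raw_data: int     # bytes the section occupies in the file


# Constructed sample values: SectionAlignment 0x1000, FileAlignment 0x200.
IMAGE_BASE = 0x400000
SIZE_OF_HEADERS = 0x400
SECTIONS = [
    Section(".text", 0x1000, 0x1A30, 0x0400, 0x1C00),
    Section(".data", 0x3000, 0x2000, 0x2000, 0x0200),  # mostly zero-filled at load
]


def rva_to_raw(rva: int, sections=SECTIONS,
               size_of_headers: int = SIZE_OF_HEADERS) -> Optional[int]:
    """Return the file offset backing `rva`, or None if no file bytes back it."""
    if rva < size_of_headers:
        return rva  # headers are mapped at the image base, so raw == RVA here
    for s in sections:
        span = max(s.virtual_size, s.size_of_raw_data)
        if s.virtual_address <= rva < s.virtual_address + span:
            delta = rva - s.virtual_address
            if delta >= s.size_of_raw_data:
                return None  # inside the section, but past the data stored on disk
            # raw and RVA differ by a per-section constant, not by ImageBase
            return s.pointer_to_raw_data + delta
    return None  # alignment gap between sections, or outside the image


def rva_to_va(rva: int, loaded_base: int = IMAGE_BASE) -> int:
    """VA = base the image was actually loaded at + RVA."""
    return loaded_base + rva


if __name__ == "__main__":
    entry_rva = 0x1234  # constructed AddressOfEntryPoint
    print(hex(rva_to_raw(entry_rva)))             # raw offset in the file
    print(hex(rva_to_va(entry_rva)))              # VA at the preferred base
    print(hex(rva_to_va(entry_rva, 0x10000000)))  # VA after relocation to another base
```

The image base only enters the RVA-to-VA step; the RVA-to-raw step depends solely on which section contains the RVA.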