Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • World
  • Users
  • Groups
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor
  • Default (No Skin)
  • No Skin
Collapse
Code Project
  1. Home
  2. General Programming
  3. C / C++ / MFC
  4. Get a pointer from an RVA

Get a pointer from an RVA

Scheduled Pinned Locked Moved C / C++ / MFC
csharpperformancequestion
2 Posts 2 Posters 0 Views 1 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • T Offline
    T Offline
    Toni78
    wrote on last edited by
    #1

    template LPVOID GetPtrFromRVA( DWORD rva, T* pNTHeader, PBYTE imageBase ) // 'T' = PIMAGE_NT_HEADERS
    {
    PIMAGE_SECTION_HEADER pSectionHdr;
    INT delta;

    pSectionHdr = GetEnclosingSectionHeader( rva, pNTHeader );
if ( !pSectionHdr )
	return 0;

delta = (INT)(pSectionHdr->VirtualAddress-pSectionHdr->PointerToRawData);
return (PVOID) ( imageBase + rva - delta );

    }

    These lines of code were taken from Matt Pietrek's PEDump (http://www.wheaty.net/[^]). This function takes an RVA and gives you an actual memory address where this RVA is located. imageBase - is the image base where the PE file being viewed is mapped. pSectionHdr - is a pointer to a section where the rva falls in. Now I don't understand the last line of the function. Wouldn't imageBase + rva be enough? Why would we factor in this delta variable? On top of that, pSectionHdr->VirtualAddress and pSectionHdr->PointerToRawData point at the same information but in two different contexts. The VirtualAddress is the RVA of the section and PointerToRawData is the file offset of the section. Therefore, the load offset cannot always be the same as the file offset. // Afterall, I realized that even my comment lines have bugs If the sun were to blow up, it would take us 7-8 minutes to realize it.

    B 1 Reply Last reply
    0
    • T Toni78

      template LPVOID GetPtrFromRVA( DWORD rva, T* pNTHeader, PBYTE imageBase ) // 'T' = PIMAGE_NT_HEADERS
      {
      PIMAGE_SECTION_HEADER pSectionHdr;
      INT delta;

      pSectionHdr = GetEnclosingSectionHeader( rva, pNTHeader );
if ( !pSectionHdr )
	return 0;

delta = (INT)(pSectionHdr->VirtualAddress-pSectionHdr->PointerToRawData);
return (PVOID) ( imageBase + rva - delta );

      }

      These lines of code were taken from Matt Pietrek's PEDump (http://www.wheaty.net/[^]). This function takes an RVA and gives you an actual memory address where this RVA is located. imageBase - is the image base where the PE file being viewed is mapped. pSectionHdr - is a pointer to a section where the rva falls in. Now I don't understand the last line of the function. Wouldn't imageBase + rva be enough? Why would we factor in this delta variable? On top of that, pSectionHdr->VirtualAddress and pSectionHdr->PointerToRawData point at the same information but in two different contexts. The VirtualAddress is the RVA of the section and PointerToRawData is the file offset of the section. Therefore, the load offset cannot always be the same as the file offset. // Afterall, I realized that even my comment lines have bugs If the sun were to blow up, it would take us 7-8 minutes to realize it.

      B Offline
      B Offline
      bikram singh
      wrote on last edited by
      #2

      gah?! Bikram Singh

      1 Reply Last reply
      0
      Reply
      • Reply as topic
      Log in to reply
      • Oldest to Newest
      • Newest to Oldest
      • Most Votes

      • Login
      • Don't have an account? Register
      • Login or register to search.
      • First post
        Last post
      0
      • Categories
      • Recent
      • Tags
      • Popular
      • World
      • Users
      • Groups