flat assembler
Message board for the users of flat assembler.

 Index > Windows > PE Format - SizeOfImage
Author
wyvern

Joined: 08 Dec 2011
Posts: 27
wyvern 15 Dec 2011, 02:07
Hi, im trying to understand how to calculae the SizeOfImage value. From what i have read in different places:

First i have: "SizeOfImage = SectionAlignment * NumberOfSections" (assuming the sections are equal size). But in a PE from scratch in this forum i saw this:
Code:
```;SA = SectionAlignment = 0x1000
;NA = NumberOfSections = 3
.SizeOfImage            dd SA*(NS+1)
```

The result here is: 16384 bytes
But why the "+1" ?? Is adding another section or this is for the round up?

Second i have: "SizeOfImage = VirtualAddress * VirtualSize" (values for the last section). But this doesnt return the same result than the first... so i dont know what to believe. However, In the PE Tools app i noted a "?" button next to the "SizeOfImage" data field, when i click it the value decreases and match this formula.

Can somebody explain me which is the correct method, or what i am doing wrong?. Thanks[/quote]

_________________
Thanks
15 Dec 2011, 02:07
revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 19094
Location: In your JS exploiting you and your system
revolution 15 Dec 2011, 02:15
I presume NS == NA? Assuming that is so, then you add one (+1) because the initial section (the first section, the header) is not included in the NA (NS) value.
15 Dec 2011, 02:15
DOS386

Joined: 08 Dec 2006
Posts: 1898
DOS386 15 Dec 2011, 05:48
> I presume NS == NA?

SS === SA ???

> Hi, im trying to understand how to calculae the SizeOfImage value.

Sum of all section sizes (every section padded up to multiple of 4 KiB) + 4 KiB.

> "SizeOfImage = SectionAlignment * NumberOfSections"

Consider a section > 4 KiB

Note: section alignment is always 4 KiB in EXE and DLL (Ring0 SYS at your own risk).

_________________
Bug Nr.: 12345

Title: Hello World program compiles to 100 KB !!!

Status: Closed: NOT a Bug
15 Dec 2011, 05:48
revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 19094
Location: In your JS exploiting you and your system
revolution 15 Dec 2011, 05:57
DOS386 wrote:
SS === SA ???
I don't see SS in the post. To what are you referring?
15 Dec 2011, 05:57
wyvern

Joined: 08 Dec 2011
Posts: 27
wyvern 15 Dec 2011, 11:48
DOS386 wrote:

Sum of all section sizes (every section padded up to multiple of 4 KiB) + 4 KiB.

Please, can you show me an example of that?
15 Dec 2011, 11:48
DOS386

Joined: 08 Dec 2006
Posts: 1898
DOS386 17 Dec 2011, 01:52
why don't you check my examples?

Code:
```org \$0040'0000 ; RVA=0 | AVA=\$0040'0000
; bullshit (up to 4 KiB, some versions of Windaube do
; mmap the MZ stub and PE headers too for no valid reason)
org \$0040'1000 ; RVA=\$1000 | AVA=\$0040'1000
; a section with \$1001 useful Byte's
...
call dword [GetVirusEx]
int1
...
; \$0FFF Byte's wasted
org \$0040'3000 ; RVA=\$3000 | AVA=\$0040'3000
; a section with \$0800 useful Byte's
...
. db "NTOSKRNL.EXE",0
. db "LSASS.EXE",0
...
; \$0800 Byte's wasted
org \$0040'4000 ; RVA=\$4000 | AVA=\$0040'4000
; end of program
; we got 2 sections and SizeOfImage \$4000 = 16 KiB
```
17 Dec 2011, 01:52
 Display posts from previous: All Posts1 Day7 Days2 Weeks1 Month3 Months6 Months1 Year Oldest FirstNewest First

 Jump to: Select a forum Official----------------AssemblyPeripheria General----------------MainTutorials and ExamplesDOSWindowsLinuxUnixMenuetOS Specific----------------MacroinstructionsOS ConstructionIDE DevelopmentProjects and IdeasNon-x86 architecturesHigh Level LanguagesProgramming Language DesignCompiler Internals Other----------------FeedbackHeapTest Area

Forum Rules:
 You cannot post new topics in this forumYou cannot reply to topics in this forumYou cannot edit your posts in this forumYou cannot delete your posts in this forumYou cannot vote in polls in this forumYou cannot attach files in this forumYou can download files in this forum