Index
> Windows > Is my understanding about PE's File Alignment correct? |
| Author |
|
|
revolution 13 Aug 2024, 10:53
The Windows loader has some restrictions that you need to comply with.
You are correct that the formal PE spec can accommodate different alignments, but the standard Windows loader doesn't accept all of those configurations. |
|||
13 Aug 2024, 10:53 |
|
|
uu 13 Aug 2024, 11:09
revolution wrote: The Windows loader has some restrictions that you need to comply with. Thank you for the answer, I will only take my chance during size coding competition.  |
|||
|
13 Aug 2024, 11:09 |
|
|
revolution 14 Aug 2024, 02:08
There is also the native PE format.
Code: ~ cat test.asm format pe TYPE entry $ ret ~ fasm -d TYPE=native test.asm flat assembler version 1.73.31 (16384 kilobytes memory) 1 passes, 448 bytes. ~ fasm -d TYPE=gui test.asm flat assembler version 1.73.31 (16384 kilobytes memory) 1 passes, 1024 bytes. ~ fasm -d TYPE=console test.asm flat assembler version 1.73.31 (16384 kilobytes memory) 1 passes, 1024 bytes. ~ |
|||
|
14 Aug 2024, 02:08 |
|
|
uu 14 Aug 2024, 05:11
revolution wrote: There is also the native PE format. Small, but native is generating .SYS file, which is driver I think.  |
|||
|
14 Aug 2024, 05:11 |
|
|
revolution 14 Aug 2024, 05:35
Tell the competition organiser to run your code as a kernel mode driver.
Nothing can possibly go wrong. |
|||
|
14 Aug 2024, 05:35 |
|
|
Mat Quasar 15 Dec 2024, 10:01
I ran a test on ChatGPT and its answer to SectionAlignment was correct, according to my understanding. Its description is also good, although short.
My prompt: Quote: Does section alignment field in PE header mean memory alignment? If the image base is 0x400000 and section alignment is 8K, what is the memory address of first section and second section? ChatGPT answer: Yes, the Section Alignment field in the PE (Portable Executable) header specifies the alignment of sections in memory once the file is loaded. This alignment determines the starting addresses of sections in memory. Key Points: Section Alignment: It is the granularity (in bytes) to which sections are aligned in memory. Typical values are 4 KB (0x1000) or 8 KB (0x2000), matching common page sizes. Image Base: It is the starting address where the PE image is loaded in memory. In your example, this is 0x400000. First Section: The first section starts immediately after the PE headers. However, its address in memory is rounded up to the nearest multiple of the Section Alignment value. Subsequent Sections: Each section begins at an address that is the previous section's start address plus its size, rounded up to the Section Alignment. Example Calculation Image Base: 0x400000 Section Alignment: 0x2000 (8 KB) Let's assume: The PE header and its associated data are less than the Section Alignment size (e.g., 1 KB). Memory Address of First Section The first section's starting address is aligned to the Section Alignment. Since the PE image base is 0x400000 and alignment is 8 KB, the address of the first section is: Code: 0x400000 + 0x2000 = 0x402000 Memory Address of Second Section Assuming the first section has a size of 0x1000 (4 KB), the second section's starting address is calculated by aligning the end of the first section to the Section Alignment. Since 4 KB is less than 8 KB, the second section will start at the next 8 KB boundary: Code: 0x402000 + 0x2000 = 0x404000 Summary First Section: 0x402000 Second Section: 0x404000 The alignment ensures sections are loaded at predictable memory boundaries, which is important for performance and compatibility with the OS. |
|||
|
15 Dec 2024, 10:01 |
|
|
macomics 15 Dec 2024, 11:47
That's right, but ChatGPT forgot to explain that a separate section will also be created for PE header data in RAM. This can be seen in a memory card, say, x64dbg
|
||||||||||
|
15 Dec 2024, 11:47 |
|
|||||||||
< Last Thread | Next Thread > |
Forum Rules:
|