flat assembler
Message board for the users of flat assembler.

PE Format - SizeOfImage

wyvern
Hi, I'm trying to understand how to calculate the SizeOfImage value. From what I have read in different places:

First I have: "SizeOfImage = SectionAlignment * NumberOfSections" (assuming the sections are equal size). But in a PE from scratch in this forum I saw this:
Code:
;SA = SectionAlignment = 0x1000
;NA = NumberOfSections = 3
.SizeOfImage            dd SA*(NS+1)
    

The result here is: 16384 bytes
But why the "+1"? Is it adding another section, or is this for the round up?

Second, I have: "SizeOfImage = VirtualAddress * VirtualSize" (values for the last section). But this doesn't return the same result as the first... so I don't know what to believe. However, in the PE Tools app I noted a "?" button next to the "SizeOfImage" data field; when I click it the value decreases and matches this formula.

Can somebody explain to me which is the correct method, or what I am doing wrong? Thanks

_________________
Thanks
Post 15 Dec 2011, 02:07
revolution
I presume NS == NA? Assuming that is so, then you add one (+1) because the initial section (the first section, the header) is not included in the NA (NS) value.
Post 15 Dec 2011, 02:15
DOS386
> I presume NS == NA?

SS === SA ???

> Hi, I'm trying to understand how to calculate the SizeOfImage value.

Sum of all section sizes (every section padded up to multiple of 4 KiB) + 4 KiB.

> "SizeOfImage = SectionAlignment * NumberOfSections"

Consider a section > 4 KiB

Note: section alignment is always 4 KiB in EXE and DLL (Ring0 SYS at your own risk).

_________________
Bug Nr.: 12345

Title: Hello World program compiles to 100 KB !!!

Status: Closed: NOT a Bug
Post 15 Dec 2011, 05:48
revolution
DOS386 wrote:
> SS === SA ???
I don't see SS in the post. To what are you referring?
Post 15 Dec 2011, 05:57
wyvern
DOS386 wrote:
> Sum of all section sizes (every section padded up to multiple of 4 KiB) + 4 KiB.

Please, can you show me an example of that?
Post 15 Dec 2011, 11:48
DOS386
Why don't you check my examples?

Code:
org $0040'0000 ; RVA=0 | AVA=$0040'0000
; bullshit (up to 4 KiB, some versions of Windaube do
; mmap the MZ stub and PE headers too for no valid reason)
org $0040'1000 ; RVA=$1000 | AVA=$0040'1000 
; a section with $1001 useful Byte's
  ...
  call dword [GetVirusEx]
  int1
  ...
; $0FFF Byte's wasted
org $0040'3000 ; RVA=$3000 | AVA=$0040'3000
; a section with $0800 useful Byte's
  ...
  . db "NTOSKRNL.EXE",0
  . db "LSASS.EXE",0
  ...
; $0800 Byte's wasted
org $0040'4000 ; RVA=$4000 | AVA=$0040'4000
; end of program
; we got 2 sections and SizeOfImage $4000 = 16 KiB
    
Post 17 Dec 2011, 01:52
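
The layout from DOS386's example, checked in code (an added example, not part of any post in this thread): it reads SectionAlignment, SizeOfImage and the section table from raw PE headers and recomputes SizeOfImage as the end of the last section rounded up to SectionAlignment, which generalizes the "padded sections + 4 KiB" rule to any alignment. The function names and the header bytes produced by `build_headers` are constructed for illustration.

```python
import struct

SA = 0x1000  # SectionAlignment used throughout the thread

def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment

def size_of_image(pe):
    """Return (declared, computed) SizeOfImage from raw PE header bytes."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    alignment, = struct.unpack_from("<I", pe, opt + 32)
    declared, hdr_size = struct.unpack_from("<II", pe, opt + 56)
    # The headers occupy the first aligned slot: this is the "+1" / "+ 4 KiB".
    end = align_up(hdr_size, alignment)
    for i in range(nsections):
        # Section header: VirtualSize, VirtualAddress, SizeOfRawData at +8.
        vsize, rva, raw = struct.unpack_from("<III", pe, opt + opt_size + 40 * i + 8)
        # A VirtualSize of 0 falls back to SizeOfRawData.
        end = max(end, align_up(rva + (vsize or raw), alignment))
    return declared, end

def build_headers(section_sizes, declared):
    """Constructed sample: minimal PE32 headers only, sections back to back."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<II", opt, 32, SA, 0x200)        # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, declared, 0x200)  # SizeOfImage, SizeOfHeaders
    table, rva = b"", SA
    for n, size in enumerate(section_sizes):
        table += struct.pack("<8sIIII16x", b".s%d" % n, size, rva,
                             align_up(size, 0x200), 0)
        rva += align_up(size, SA)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_sizes), 0, 0, 0, len(opt), 0x102)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

if __name__ == "__main__":
    # DOS386's layout: sections of $1001 and $0800 bytes, SizeOfImage $4000.
    print([hex(v) for v in size_of_image(build_headers([0x1001, 0x0800], 0x4000))])
```

A declared value that differs from the computed one, as happens when SectionAlignment * NumberOfSections is used with a section larger than 4 KiB, shows up as a mismatch between the two returned numbers.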
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.
