RVA_To_FOA
作者:互联网
#define SIZEOF_SECTIONHEADER 0x28
DWORD RVA_To_FOA(LPVOID lpImageBase, DWORD dwImageRVA)
{
//1.判断文件对齐与内存对齐是否一样 判断 dwRVA与ImageBase的大小 是否为正确的虚拟地址
//2.获得在内存中的RVA (dwVirtualAddress-dwImageBase)
//3.判断RVA在哪个节中(循环判断 循环次数为节表的数量 节表中的virtualaddress RVA要大于一个节的开始地址 小于下一个节的起始地址)
//4.用内存中的RVA -virtualaddress 得到相对于节的偏移
//5.返回 PointerToRawData+(RVA -virtualaddress)
if (!lpImageBase)
{
return 0;
}
DWORD lfanew = *(DWORD*)((PCHAR)lpImageBase + 0x3c) + (DWORD)lpImageBase;
DWORD SectionTable = (DWORD)(&PIMAGE_NT_HEADERS32(lfanew)->OptionalHeader.Magic) + sizeof(IMAGE_OPTIONAL_HEADER32);
if (!SectionTable)
{
return -1;
}
WORD dwNumberOfSection = PIMAGE_NT_HEADERS32(lfanew)->FileHeader.NumberOfSections;
int i = 0;
DWORD dwRVA = 0;
while (i < dwNumberOfSection)
{
DWORD dwSecVir = *((DWORD*)SectionTable + 0xc / 4 + i * SIZEOF_SECTIONHEADER / 4);
DWORD dwSizeofSec = *((DWORD*)SectionTable + 0x10 / 4 + i * SIZEOF_SECTIONHEADER / 4);
if (dwImageRVA >= dwSecVir && dwImageRVA < dwSecVir + dwSizeofSec)
{
dwRVA = dwImageRVA - *((DWORD*)SectionTable + 0xc / 4 + i * SIZEOF_SECTIONHEADER / 4);
DWORD PointerToRawData = *((DWORD*)SectionTable + 0x14 / 4 + i * SIZEOF_SECTIONHEADER / 4);
return PointerToRawData + dwRVA;
}
i++;
}
return -1;
}
标签:RVA,SECTIONHEADER,FOA,lpImageBase,DWORD,SIZEOF,SectionTable 来源: https://blog.csdn.net/qq_41490873/article/details/113094603