开发者

finding the section of a PE's entrypoint

开发者 https://www.devze.com 2023-04-08 21:19 出处：网络

I\'m trying to find what section the PE entrypoint points to. I have two questions: Is it correct to say that this section is the one such that section.PointerToRawData <开发者_运维百科; AddressOf

相关专题：portable-executable

I'm trying to find what section the PE entrypoint points to. I have two questions:

Is it correct to say that this section is the one such that section.PointerToRawData <开发者_运维百科; AddressOfEntryPoint < section.PointerToRawData + section.SizeOfRawData ?
I see some PE's that have AddressOfEntryPoint > total size of file. How is this possible? Is the AddressOfEntryPoint value wrong?

thanks

Is it correct to say that this section is the one such that section.PointerToRawData < AddressOfEntryPoint < section.PointerToRawData + section.SizeOfRawData ?

Not quite, the section you want should be the one such that: section.VirtualAddress < AddressOfEntryPoint < section.VirtualAddress+ section.VirtualSize

Then to find the position in the file, use: AddressOfEntryPoint - section.VirtualAddress + section.PointerToRawData