Normally it would work for resources, because they're often their own section .rsrc, though they could be anywhere (even outside of any section).
Bram van Kampen wrote:
By the way, would you have a link to an article about these latest versions of PE Files.
That's not really going to work, because the problem is not so much a version difference, but some made-up non-binding conventions - apparently they changed, they're also not exactly consistent across different linkers. I don't think that's really important though, it was always the case that the only reliable thing is following the RVAs from the data directory list in the NT header. Section names don't mean anything, in fact stuff can be outside of any section, then there isn't even a name..
Well I agree that section names are meaningless. and that different Compilers and Linkers have their own ways and means.
However, there must be documentation about what
expect a PE File to look like, and what it natively expects. It is that sort of documentation that I am after.
The Section Table still serves a useful purpose. The PE File is not a memory image of the loaded executable. Trivial areas, such as the BSS, are typically left out of the File, but included in the memory image. The Section table informs the loader where to load each section, irrespective of the Name. The User (Program Writer) may also include Zero Set named sections of interest, for instance an unlimited number of named data sections which are shared between instances (Ouch..., but apparently Allowed). After this loading the Data Directory List points indeed to the correct RVA for each item. The thing is here too, that if something is allowed by the specification, however daft, some one some where in the world may just try that at some time.
So, in essence when we get an RVA from the data directory, it appears that we have to decide whether the RVA points into a section,(in which case we need an adjustment to compensate for the loading position vs file position) or, it is an RVA into the File. To muddy the waters further, we may have absolute or relative addressing in a File. In the former case, a relocation may be applied to the RVA. To muddy it further again, DllMain() may modify a lot of daft things.
I will probably end up using LoadLibrary() to dig deeper, but, at least as a first sanity check, I need to load the file manually, if for no other reason as to investigate why for instance LoadLibrary() fails on a PE File.
Afterall, the purpose of the tool I'm trying to write is not to show that everything is working perfectly, it is to provide a rich environment in which to take things apart to get to the bottom of a problem.
Here's some documentation from microsoft: http://go.microsoft.com/fwlink/p/?linkid=84140
But it doesn't really go into the corner cases. It's more focused on documenting how they think the PE format should be used than on documenting just what sort of insanity is actually accepted by the loader (which of course varies per version of windows). As far as I know MS doesn't even document that, I've only seen it in places such as corkami's github and places that talk about analysis of malware. For example, sections can actually overlap each other in virtual space (wat), with sections that are later in the section table apparently just overwriting the mapping created for an earlier section that extends further than where the later section begins - MS does not even seem to acknowledge that such a thing is possible.
Here's an other description of the PE format by corkami, including a lot of useful practical notes (or gory details..) and references to the POCs in the list I linked before: docs/PE.md at master · corkami/docs · GitHub
Thanks for the links. However, it leads either to Old Documentation (1999), or CE formats.
I have the Old Formats already, via the books of Matt Pietrek. Other persons have also contributed, and I have now written a suite of functions that extract imports and exports. The next step is to extract and show resources. Matt Pietrek found that too trivial an issue to pass any remarks on. I suppose it wil take a bit more hard slogging.
I am avoiding LoadLibrary(..), EnumerateResources(..), LoadResource()and similar kernel functions, because I am trying to write a tool that can analyse what went wrong where any of these kernel functions fail. The Kernel functions on an end user computer do not allow for debugging there and then.
They are nothing to do with the kernel, but part of the Windows API.
If you click your mouse to the left of the document name on the picture page until a sort of square appears, you then get the Next button lighting up so the download works. Took me a couple of seconds to figure out.
I Agree that some of the mentioned functions are actually part of the Windows API. Nevertheless, I still want to load a PE File and analyse it on my own terms for my stated reasons. By the way, LoadLibrary() is definitely a Kernel function (in as my Program shows, Kernel32.dll).
When clicking the Download button on the MS Website, I get a screen which states that I have No File selected for downloading.
You have not selected any file(s) to download. Total Size=0)
I have a List:
Maybe post the compilation errors that you are seeing along with the pertinent code.
"the debugger doesn't tell me anything because this code compiles just fine" - random QA comment
"Facebook is where you tell lies to your friends. Twitter is where you tell the truth to strangers." - chriselst
"I don't drink any more... then again, I don't drink any less." - Mike Mullikins uncle
I am working LDPC encoding and decoding for hardware implementation.Through Vivado HLS, I need to transform a parity-check matrix H (that only consists of ones and zeros) from a non-standard to a standard form through C/C++ programming language. Here below you may find samples of non-standard parity check matrices in which Gauss-Jordan elimination (over GF(2)) can be applied.
Initially, i am trying encoding part via C/C++ programming logic. please help me if you do have any idea about LDPC. I would need a method that works out with matrices of any dimension.
thisis, express it as
Hsys = [I| P]
This is my H matrix
H=[1 1001010010111100 1];
Expected Systematic H matrix
Hsys=[1 0010101011100101 1];
int main() //THIS CODE WORKS ONLY FOR THE GIVEN MATRIX BUT I NEED A METHOD THAT WORKS OUT WITH MATRICES OF ANY DIMENSION
// encodingint i,j;
H_Matrix[j] = temp[j];
H_Matrix[j] = temp[j];
H_Matrix[j] = temp[j];
We have a MFC application with a structure that constitutes int, float and char array members. We have declared a global pointer to this struture. This application creates a shared memory using createfilemapping function and assigns the shared memory to this global variable using mapviewfile function.
The same structure is used in a console application1 which is used for doing certain calculations. This console application shares the memory created by the MFC application using openfilemapping and mapviewfile functions.
I want to create another console application2 in which the dimension of the array members of the struture to be modified. If I run the MFC application based on the selection 1 dynamically, it should create the shared memory for console application1. Similarly for selection 2 dynamically, the MFC application has to create shared memory for console application2.
Please suggest me how to do it dynamically when I run the MFC application
Note: When the MFC application is run, it invokes the console application after creating the shared memory. It invokes one console application during its each run based on the user selection.
Yes it is possible but now you need another global variable to tell which structure it points to. Better to have some flag in the structure, preferably the first item, which tells the rest of the code which one it is. But really using global ob jects/pointers in this way is not good design.
Last Visit: 31-Dec-99 19:00 Last Update: 3-Dec-21 8:56