Question

I'm currently looking through a PE file's section table, both from the raw data on the disk, and through a couple of PE analysers. I'm a little confused over how some addresses are being interpreted.

For example, from the raw PE image on disk, I see this:

.text    virtualSize: 0x1A0F71  virtualAddress: 0x1000  rawSize: 0x1A1000

However, when using some PE analysers (LordPE, pedump.me), I see this:

.text    virtualSize: 0x114d41  virtualAddress: 0x1000  rawSize: 0x114e00

I'm not sure how these values are being interpreted. Is it something to do with alignment and the image's base address?

Any input would be appreciated.

Thanks


Solution 2

This requires psychic debugging; the size of a section isn't affected by RVA. The crystal ball says that you are actually looking at two different files. And your PE dumper utilities are 32-bit programs that you run on a 64-bit operating system.

You have to understand the File System Redirector. A 32-bit process will be redirected from c:\windows\system32 to c:\windows\syswow64 and from c:\program files to c:\program files (x86). So your PE dumper utilities could well be opening the 32-bit version of an executable instead. And yes, the .text section will be substantially smaller.

Copy the file to a directory that's not affected by redirection, like your Documents folder.
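To check the answer's hypothesis that the two views come from different files, the following added example (not part of the original answer) reads the COFF Machine field and the section table straight from the file bytes. `build_sample` and its header-only images are constructed for illustration and reuse the sizes from the question; which of the two is the 64-bit build is an assumption that follows the answer.

```python
import struct

MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}

def read_sections(data):
    """Return (machine, [(name, virtual_size, virtual_address, raw_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header: Machine, NumberOfSections, ..., SizeOfOptionalHeader, Characteristics
    machine, count, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(count):
        name, vsize, vaddr, rsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, rsize))
    return machine, sections

def same_binary(a, b):
    """True only if both byte strings agree on machine type and section table."""
    return read_sections(a) == read_sections(b)

def build_sample(machine, vsize, rsize, opt_size):
    """Constructed header-only PE image (zeroed optional header, no section data)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    text = struct.pack("<8sIIIIIIHHI", b".text", vsize, 0x1000, rsize,
                       0x400, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + text

if __name__ == "__main__":
    import sys
    # Constructed samples; pass real file paths as arguments to inspect those instead.
    views = {"sample-x64": build_sample(0x8664, 0x1A0F71, 0x1A1000, 0xF0),
             "sample-x86": build_sample(0x014C, 0x114D41, 0x114E00, 0xE0)}
    if sys.argv[1:]:
        views = {p: open(p, "rb").read() for p in sys.argv[1:]}
    for label, data in views.items():
        machine, sections = read_sections(data)
        print(label, MACHINES.get(machine, hex(machine)))
        for name, vs, va, rs in sections:
            print(f"  {name:8} virtualSize: {vs:#x}  virtualAddress: {va:#x}  rawSize: {rs:#x}")
```

Run it under a 64-bit Python, or on a copy of the file outside the redirected directories, since a 32-bit interpreter is redirected like any other 32-bit process.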

Other tips

Maybe this would help you to solve the problem: (image not included)

License: CC-BY-SA with attribution
Not affiliated with StackOverflow