Question

In IDA the .text section begins at 0x01001630.

In the file, these bytes are located at a raw offset of 0xA30.

The PointerToRawData field in the Section Table for the .text segment is 0x400, which is the distance between 0xA30 and 0x630.

I'm not sure how to get 0xA30 from the file headers of a PE file. Any help is appreciated.


Solution

The first 0x630 bytes of the .text section are the IAT (import address table), which IDA has converted to a new section .idata:

1000 [     630] RVA [size] of Import Address Table Directory

Name   Start    End      
----   -----    ---      
HEADER 01000000 01001000 
.idata 01001000 01001630   <- added by IDA
.text  01001630 01054000 
.idata 01054000 01054004   <- added by IDA
.data  01054004 01059000 

If you uncheck [x] Make imports segment in the initial load dialog, you'll get the unmodified section table:

Name   Start    End      
----   -----    ---      
HEADER 01000000 01001000 
.text  01001000 01054000 
.data  01054000 01059000 

OTHER TIPS

I believe this is a case of IDA trying to be clever. The .text section does actually start at file offset 0x400 (RVA 0x1000). IDA realises that the start of the .text section contains API import data, so it changes the section name to .idata. If you have a look at all the section names in the PE header, you will see that there is no .idata section.

Take a look at the entire PE header. You will see the import address table starts at RVA 0x1000 and has a size of, you guessed it, 0x630.
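
The calculation the answers describe, as an added example that is not part of the original posts: it reads ImageBase, the IAT data directory and the section table from the PE headers, then maps the address IDA shows to a raw file offset. The header bytes are constructed from the values quoted on this page; the SizeOfRawData values and the .data PointerToRawData are assumptions, and the function names are hypothetical.

```python
import struct

def parse_pe(data):
    """Return (image_base, (iat_rva, iat_size), sections) from PE headers."""
    pe, = struct.unpack_from("<I", data, 0x3C)              # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, = struct.unpack_from("<H", data, pe + 6)         # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)     # SizeOfOptionalHeader
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                      # PE32
        image_base, = struct.unpack_from("<I", data, opt + 28)
        dirs = opt + 96
    elif magic == 0x20B:                                    # PE32+
        image_base, = struct.unpack_from("<Q", data, opt + 24)
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic")
    iat = struct.unpack_from("<II", data, dirs + 12 * 8)    # data directory 12 = IAT
    sections = []
    for off in range(opt + opt_size, opt + opt_size + nsect * 40, 40):
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vaddr, vsize, rptr, rsize))
    return image_base, iat, sections

def va_to_file_offset(data, va):
    """Map a virtual address (as shown in IDA) to (section name, raw file offset)."""
    image_base, _, sections = parse_pe(data)
    rva = va - image_base
    for name, vaddr, _vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + rsize:                    # only file-backed bytes
            return name, rptr + (rva - vaddr)
    raise ValueError("address is not backed by file data")

def sample_headers():
    """Constructed PE32 headers; raw sizes are made up, the rest is from the page."""
    h = bytearray(0x400)
    h[0:2], h[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", h, 0x3C, 0x80)
    struct.pack_into("<HH", h, 0x84, 0x14C, 2)              # Machine, NumberOfSections
    struct.pack_into("<H", h, 0x94, 0xE0)                   # SizeOfOptionalHeader
    struct.pack_into("<H", h, 0x98, 0x10B)                  # PE32 magic
    struct.pack_into("<I", h, 0x98 + 28, 0x01000000)        # ImageBase
    struct.pack_into("<II", h, 0x98 + 96 + 96, 0x1000, 0x630)  # IAT directory
    struct.pack_into("<8sIIII", h, 0x178, b".text", 0x53000, 0x1000, 0x53000, 0x400)
    struct.pack_into("<8sIIII", h, 0x1A0, b".data", 0x5000, 0x54000, 0x5000, 0x53400)
    return bytes(h)
```

Calling `va_to_file_offset(sample_headers(), 0x01001630)` gives `.text` and 0xA30: the RVA 0x1630 minus the section's VirtualAddress 0x1000, plus its PointerToRawData 0x400.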

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow