Calculating Memory offset of any Section of a Win PE File from Disk offset

Question

Suppose I have a PE file(E.G. Notepad.exe). Suppose when the file is saved in hard-disk, the .text section of notepad.exe is at 0xabcdefgh offset.

So, how can I calculate/predict the offset of .text section when the same executable (notepad.exe) will be loaded into memory at the time of its execution, assuming ASLR is not enabled?

Thanks in Advance.

Answer 1

PE files are not position independent. Instead, they have a preferred load address, and if the OS is unable (because the address space is already used, or because ASLR is in effect) to load it in this address, it has to relocate it. See here:

http://en.wikipedia.org/wiki/Portable_Executable#Relocations

So, if ASLR (Address Space Layout Randomization) is not enabled, it should load at the offset specified by the preferred load address specified in the header. This may not be the case for DLLs, but for executables it should be.

You can get more info on the file format here:

http://www.wotsit.org/list.asp?fc=5