What is the physical address shown in a PE reader?

reverse-engineering disassembly windows assembly ollydbg pe
2021-07-10 11:03:30

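What is the physical address in a PE file? I searched the Microsoft website for articles about PE files, but did not find anything.

[Image: reader]

1 Answer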

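As I commented, it seems the tool you are using misuses a name.
The section header is documented like this.

As can be seen, the second member of the structure is the union Misc: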

union {
    DWORD PhysicalAddress;
    DWORD VirtualSize;
  } Misc;

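So your tool should probably have used it as Misc.PhysicalAddress,
or it should simply have used it as VirtualSize, because PhysicalAddress is not relevant for user-mode executables (it used to be used for obj files).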

OllyDbg shows the section as

013001F0    2E 74 65 78>ASCII ".text"        ; SECTION
013001F8    8C6D0100    DD 00016D8C          ;  VirtualSize = 16D8C (93580.)
013001FC    00100000    DD 00001000          ;  VirtualAddress = 1000
01300200    006E0100    DD 00016E00          ;  SizeOfRawData = 16E00 (93696.)
01300204    00040000    DD 00000400          ;  PointerToRawData = 400
01300208    00000000    DD 00000000          ;  PointerToRelocations = 0
0130020C    00000000    DD 00000000          ;  PointerToLineNumbers = 0
01300210    0000        DW 0000              ;  NumberOfRelocations = 0
01300212    0000        DW 0000              ;  NumberOfLineNumbers = 0
01300214    20000060    DD 60000020          ;  Characteristics = CODE|EXECUTE|READ

WinDbg shows the section as

SECTION HEADER #1
   .text name
   16D8C virtual size
    1000 virtual address
   16E00 size of raw data
     400 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         (no align specified)
         Execute Read

Dumpbin, or the Visual Studio linker, shows the section as

:\>dumpbin /section:.text cdb.exe
Microsoft (R) COFF/PE Dumper Version 14.16.27035.0
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file cdb.exe

File Type: EXECUTABLE IMAGE

SECTION HEADER #1
   .text name
   16D8C virtual size
    1000 virtual address (00401000 to 00417D8B)
   16E00 size of raw data
     400 file pointer to raw data (00000400 to 000171FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         Execute Read

  Summary

       17000 .text

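According to a copy of Matt Pietrek's "Peering Inside the PE" article, the usage of this field is as follows
(Microsoft just dumps everything into some gutter and promotes only Windows 10, so I could not find the MSDN Magazine original):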

union {
    DWORD   PhysicalAddress
    DWORD   VirtualSize
} Misc;

This field has different meanings, in EXEs or OBJs. In an EXE, it
holds the actual size of the code or data. This is the size before
rounding up to the nearest file alignment multiple. The SizeOfRawData
field (seems a bit of a misnomer) later on in the structure holds the
rounded up value. The Borland linker reverses the meaning of these two
fields and appears to be correct. For OBJ files, this field indicates
the physical address of the section. The first section starts at
address 0. To find the physical address in an OBJ file of the next
section, add the SizeOfRawData value to the physical address of the
current section.
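
An added example, not part of the original answer: a small parser for the 40-byte IMAGE_SECTION_HEADER, run on a header rebuilt from the OllyDbg dump above. It shows that PhysicalAddress and VirtualSize are the same four bytes, and it reproduces the address ranges dumpbin prints. The function names, the image base 0x400000 (inferred from the dumpbin ranges) and a FileAlignment of 0x200 are assumptions.

```python
import struct

# IMAGE_SECTION_HEADER is 40 bytes, little-endian: Name[8], Misc (union),
# VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")

FLAGS = {0x00000020: "CODE", 0x20000000: "EXECUTE",
         0x40000000: "READ", 0x80000000: "WRITE"}

# Constructed sample: the header bytes from the OllyDbg dump. The dump cuts
# the name off after "2E 74 65 78"; the rest is ".text" padded with NULs.
SAMPLE = bytes.fromhex(
    "2E74657874000000"  # Name = ".text"
    "8C6D0100"          # Misc (PhysicalAddress / VirtualSize)
    "00100000"          # VirtualAddress
    "006E0100"          # SizeOfRawData
    "00040000"          # PointerToRawData
    "00000000" "00000000" "0000" "0000"  # relocation / line-number fields
    "20000060"          # Characteristics
)

def parse_section(raw, is_image=True):
    """Decode one section header; is_image=False labels Misc as for an OBJ."""
    if len(raw) < SECTION_HEADER.size:
        raise ValueError("truncated section header")
    (name, misc, va, raw_size, raw_ptr,
     _rel, _lin, _nrel, _nlin, chars) = SECTION_HEADER.unpack_from(raw)
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        # Same 4 bytes, two names: only the label depends on the file type.
        "VirtualSize" if is_image else "PhysicalAddress": misc,
        "VirtualAddress": va, "SizeOfRawData": raw_size,
        "PointerToRawData": raw_ptr,
        "flags": [n for bit, n in FLAGS.items() if chars & bit],
    }

def align_up(value, alignment):
    """Round value up to the next multiple of alignment."""
    return (value + alignment - 1) // alignment * alignment

def ranges(sec, image_base):
    """Return the (virtual, file) address ranges dumpbin prints for a section."""
    va = image_base + sec["VirtualAddress"]
    raw = sec["PointerToRawData"]
    return ((va, va + sec["VirtualSize"] - 1), (raw, raw + sec["SizeOfRawData"] - 1))

if __name__ == "__main__":
    sec = parse_section(SAMPLE)
    print(sec, [tuple(map(hex, r)) for r in ranges(sec, 0x400000)])
```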