question

Vd3-7070 avatar image
0 Votes"
Vd3-7070 asked StriveSun-MSFT commented

Relocating PE Resource

I've spent hours trying to understand how windows PE resource structure works. and I cannot figure this out, I think this should be easy for people who have worked with pe resource table. I found this code snippet

 void RelocateRSRC(PBYTE prsrc, PIMAGE_RESOURCE_DIRECTORY pird, LONG Delta)
 {
     if (DWORD NumberOfEntries = pird->NumberOfNamedEntries + pird->NumberOfIdEntries)
     {
         PIMAGE_RESOURCE_DIRECTORY_ENTRY pirde = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pird + 1);
    
         do 
         {
             if (pirde->DataIsDirectory)
             {
                 RelocateRSRC(prsrc,
                     (PIMAGE_RESOURCE_DIRECTORY)(prsrc + pirde->OffsetToDirectory),
                     Delta);
             } 
             else 
             {
                 PIMAGE_RESOURCE_DATA_ENTRY data = 
                     (PIMAGE_RESOURCE_DATA_ENTRY)(prsrc + pirde->OffsetToData);
    
                 data->OffsetToData += Delta;
             }
    
         } while (pirde++, --NumberOfEntries);
     }
 }

from: https://stackoverflow.com/questions/49066842/resourceentries-rvas-of-a-resource-table-need-relocation-upon-copying-it-to-a-di

for an executable to be able to load it's resource after it's relocated, the resource table needs to be modified. but I cannot figure out what the Delta (third parameter) is, at first I thought that it is the difference between base address of the mapped executable and the base address DWORD delta = (DWORD)image - nt->OptionalHeader.ImageBase; but it doesn't work.

I have read the pe resource structure and cannot figure out what the post author meant by DWORD Diff = newRVA - oldRVA; // calc once OffsetToData += Diff;

what is newRVA and oldRVA is referring to? How do I get those values?

windows-apic++
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

StriveSun-MSFT avatar image
0 Votes"
StriveSun-MSFT answered StriveSun-MSFT commented

Hello, @Vd3-7070

what is newRVA and oldRVA?


From PE Format,

RVA: In an image file, this is the address of an item after it is loaded into memory, with the base address of the image file subtracted from it. The RVA of an item almost always differs from its position within the file on disk (file pointer).
In an object file, an RVA is less meaningful because memory locations are not assigned. In this case, an RVA would be an address within a section (described later in this table), to which a relocation is later applied during linking. For simplicity, a compiler should just set the first RVA in each section to zero.

The link you provided also explain,

oldRVA - rva where rsrc placed in current image.

newRVA - rva where rsrc will be placed in new image.

but I cannot figure out what the Delta (third parameter) is,

Actually, Delta is newRVA - oldRVA

Because RtlPointerToOffset returns the offset from a given base address of a given pointer.

You can pass newRVA into the` CopyRSRC` function to get Delta.




Thank you!

If the answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.




· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

I think I didn't word my question properly. Actually, how do I figure out newRVA and oldRVA? I do know about RVAs but have zero idea what this two is referring to.

0 Votes 0 ·

The answer can explain your question.

oldRVA - rva where rsrc placed in current image. => You need to find the address of rsrc.

newRVA - rva where rsrc will be placed in new image.

0 Votes 0 ·