Undocumented 32-bit WinNT APIs
ImageRvaToVa()

Description:

```c
LPVOID ImageRvaToVa(
    PIMAGE_NT_HEADERS NtHeaders,
    LPVOID Base,
    DWORD Rva,
    PIMAGE_SECTION_HEADER *LastRvaSection
);
```

PARAMETERS

| Parameter | Description |
| --- | --- |
| NtHeaders | Pointer to an IMAGE_NT_HEADERS structure. This structure represents the PE header and is defined in the WINNT.h file. A pointer to the PE header within a PE file can be obtained using the ImageNtHeader() function exported by IMAGEHLP.DLL. |
| Base | Base address where the PE file is mapped into memory using the Win32 API for the memory mapping of files. |
| Rva | The relative virtual address to translate. |
| LastRvaSection | Last RVA section. This is an optional parameter, and you can pass NULL. When specified, it points to a variable that contains the last section value used for the specified image to translate an RVA to a VA. This is used for optimizing the section search, in case the given RVA falls within the same section as the one for the previous call to the function. The LastRvaSection is checked first, and the regular sequential search for the section is carried out only if the given RVA does not fall within the LastRvaSection. |

RETURN VALUES

If the function succeeds, the return value is the virtual address in the mapped file; otherwise, it is NULL. The error number can be retrieved using the GetLastError() function.
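As an added illustration (not code from this page or from IMAGEHLP.DLL), the following portable C re-implements the section search that ImageRvaToVa() performs, including the LastRvaSection fast path and the NULL result for an RVA that lies in no section. The section_hdr struct, the two-section layout and the function names are this example's own constructions, not definitions from WINNT.h.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for IMAGE_SECTION_HEADER: only the fields that
 * RVA-to-VA translation needs. Not the WINNT.h definition. */
typedef struct {
    const char *name;
    uint32_t virtual_address;     /* RVA at which the section is mapped */
    uint32_t size_of_raw_data;    /* bytes of the section present in the file */
    uint32_t pointer_to_raw_data; /* file offset of those bytes */
} section_hdr;

/* Mirror of ImageRvaToVa(): try the cached section in *last first, then scan
 * the section headers in order. Returns NULL when no section contains rva,
 * which a caller must check before dereferencing, exactly as with the API. */
static void *rva_to_va(uint8_t *base, const section_hdr *secs, size_t n,
                       uint32_t rva, const section_hdr **last)
{
    const section_hdr *hit = NULL;
    if (last && *last && rva >= (*last)->virtual_address &&
        rva - (*last)->virtual_address < (*last)->size_of_raw_data)
        hit = *last;                         /* fast path: same section again */
    for (size_t i = 0; !hit && i < n; i++)
        if (rva >= secs[i].virtual_address &&
            rva - secs[i].virtual_address < secs[i].size_of_raw_data)
            hit = &secs[i];
    if (!hit)
        return NULL;                         /* RVA is in no section */
    if (last)
        *last = hit;                         /* remember for the next call */
    return base + hit->pointer_to_raw_data + (rva - hit->virtual_address);
}

/* Constructed file image: two 0x200-byte sections, 0x1000 section alignment. */
static uint8_t g_file[0x800];
static const section_hdr g_secs[] = {
    { ".text",  0x1000, 0x200, 0x200 },
    { ".rdata", 0x2000, 0x200, 0x400 },
};
static const section_hdr *g_last;            /* the LastRvaSection cache */

/* File offset the translation yields for rva, or -1 if it is unmapped. */
long rva_to_file_offset(uint32_t rva)
{
    uint8_t *va = rva_to_va(g_file, g_secs, 2, rva, &g_last);
    return va ? (long)(va - g_file) : -1L;
}
/* Index of the section currently cached in g_last, or -1 if none. */
int cached_section(void) { return g_last ? (int)(g_last - g_secs) : -1; }
void reset_cache(void) { g_last = NULL; }
```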
ImageNtHeader()

The ImageRvaToVa() function needs a pointer to the PE header. The ImageNtHeader() function exported from IMAGEHLP.DLL can provide this pointer.

```c
PIMAGE_NT_HEADERS ImageNtHeader(
    LPVOID ImageBase
);
```

PARAMETERS

| Parameter | Description |
| --- | --- |
| ImageBase | Base address where the PE file is mapped into memory using the Win32 API for the memory mapping of files. |

RETURN VALUES

If the function succeeds, the return value is a pointer to the IMAGE_NT_HEADERS structure within the mapped file; otherwise, it returns NULL.
MapAndLoad()

IMAGEHLP.DLL can also take care of memory mapping a PE file for you. The MapAndLoad() function maps the requested PE file in memory and fills in the LOADED_IMAGE structure with some useful information about the mapped file.

```c
BOOL MapAndLoad(
    LPSTR ImageName,
    LPSTR DllPath,
    PLOADED_IMAGE LoadedImage,
    BOOL DotDll,
    BOOL ReadOnly
);
```

PARAMETERS

| Parameter | Description |
| --- | --- |
| ImageName | Name of the PE file that is loaded. |
| DllPath | Path used to locate the file if the name provided cannot be found. If NULL is passed, then the normal rules for searching using the PATH environment variable are applied. |
| LoadedImage | Pointer to a LOADED_IMAGE structure, defined in the IMAGEHLP.H file. The function sets its members appropriately after loading the PE file; they are listed in the table below. |
| DotDll | If the file needs to be searched for and does not have an extension, then either the .exe or the .dll extension is used. If the DotDll flag is set to TRUE, the .dll extension is used; otherwise, the .exe extension is used. |
| ReadOnly | If the flag is set to TRUE, the file is mapped as read-only. |

The LOADED_IMAGE structure has the following members:

| Member | Description |
| --- | --- |
| ModuleName | Name of the loaded file. |
| hFile | Handle obtained through the call to CreateFile. |
| MappedAddress | Memory address where the file is mapped. |
| FileHeader | Pointer to the PE header within the mapped file. |
| LastRvaSection | The function sets it to the first section (see ImageRvaToVa). |
| NumberOfSections | Number of sections in the loaded PE file. |
| Sections | Pointer to the first section header within the mapped file. |
| Characteristics | Characteristics of the PE file (this is explained in more detail later in this chapter). |
| fSystemImage | Flag indicating whether it is a kernel-mode driver/DLL. |
| fDOSImage | Flag indicating whether it is a DOS executable. |
| Links | List of loaded images. |
| SizeOfImage | Size of the image. |

The function sets the members in the structure appropriately after loading the PE file.