RVAtoOffset

[guga]

Another from a set of functions i made on rosasm board

Code Select Expand

;;
    RVAtoOffset Function

    Routine Description:

        This function locates the raw offset of a PE through a inputed RVA value.

    Arguments:

        Offset [in] - The RVA to be calculated.
        pPEHdr [in] - A pointer to an IMAGE_NT_HEADERS structure ('PE' signature). This structure can be obtained by
                      calling the ImageNtHeader function.

    Return Value:
                    If the function suceeds it retuns the offset related to that RVA
                    If the function fails, it retunr FALSE.

    Example:
   
                call RVAtoOffset 02400, D@PeOrigin

    Reference:  http://hi.baidu.com/ximo2006/blog/item/cbf745f82f19ffd2b58f315c.html
                http://forum.exetools.com/showthread.php?t=6042
                www.ntcore.com/files/netint_injection/SectComp.cff

    Author:
        Gustavo Trigueiros (aka: Beyond2000! or Guga)
;;

Proc RVAtoOffset:
    Arguments @InputRVA, @pPEHdr
    Uses edx, ecx, edi, esi

    mov edx D@pPEHdr
    movzx ecx W$edx+PeHeader.FileHeader.NumberOfSectionsDis
    mov edi D@InputRVA
    add edx SizeOf_PeHeader ; point to  IMAGE_SECTION_HEADER
   
    .While ecx <> 0 ; check all sections
       
        mov eax D$edx+SectionsHeaders.VirtualAddressDis
        add eax D$edx+SectionsHeaders.SizeOfRawDataDis
        .If_And edi >= D$edx+SectionsHeaders.VirtualAddressDis, edi < eax
            ; 0EF3 = 0C00 +02F3 = RawOffset + (inputRVA-RVA)
            ; RVA = PointerToRawData + (InRVA-VirtualAddress)
            sub edi D$edx+SectionsHeaders.VirtualAddressDis
            add edi D$edx+SectionsHeaders.PointerToRawDataDis
            mov eax edi
            ExitP
        .End_If
        add edx SizeOf_SectionsHeaders
        dec ecx
    .End_While

    xor eax eax

EndP