How to get offset in physics file ?
9 views
Skip to first unread message
jl y
Jul 6, 2009, 10:35:33 PM7/6/09
to pef...@googlegroups.com
How to get a item's offset to the file ?
for example: (in a pe file)
0x0000 MZ
......
0x0021 4096 # OPTIONAL_HEADER.FileAlignment
......
0x0123 4194304 # OPTIONAL_HEADER.ImageBase
......
print pe.OPTIONAL_HEADER.ImageBase
can get the value of ImageBase: 419304
but how can I get the offset in the physics file: 0x0123 ???
Thank you !
--
小yú
for example: (in a pe file)
0x0000 MZ
......
0x0021 4096 # OPTIONAL_HEADER.FileAlignment
......
0x0123 4194304 # OPTIONAL_HEADER.ImageBase
......
print pe.OPTIONAL_HEADER.ImageBase
can get the value of ImageBase: 419304
but how can I get the offset in the physics file: 0x0123 ???
Thank you !
--
小yú
Ero Carrera
Jul 8, 2009, 1:09:03 AM7/8/09
to pefile
There's no way right now of getting that information directly but the
following might be helpful:
pe = pefile.PE('your_file.exe')
# The sizeof() method in the different structures/headers will return
the size of the structure
pe.OPTIONAL_HEADER.sizeof()
# The get_file_offset() method in the different structures/headers
will return the offset of the structure in the file
pe.OPTIONAL_HEADER.get_file_offset()
What you could do is to search for the value of interest in the range
between the offset and offset+size. Alternatively, the most elegant
solution would be to extend pefile's Structure class to process the
size of the different fields and provide their offsets.
--
ero
Reply all
Reply to author
Forward
0 new messages