The structure of PE file

I was a rookie, virtual size and the original size in the PE file structure in what is called the festival? Seeking advice

Started by Christina at February 10, 2016 - 7:02 PM

The original size should refer to is the section (you say Festival) in file size.
The virtual size is mapped into virtual memory size of section.
These two different alignment methods, so the size is not the same.

Posted by Sheryl at February 25, 2016 - 7:25 PM

Thank you, clear

Posted by Christina at March 04, 2016 - 7:49 PM

You can have a look of Luo Yunbin's book

Posted by Arlen at March 14, 2016 - 7:59 PM


Posted by Brant at March 19, 2016 - 8:05 PM

1 floor: the two alignment size can be the same. Especially from the memory in the dump PE file, manual repair, usually made of aligned the same size.

Posted by Ulysses at December 08, 2016 - 2:04 PM

The virtual size is to be loaded into memory of the original size, relative to the disk file.

Memory is paged, x86 default page size of 4KB, loading the program into memory, are loaded according to page. For example, sections of code and data sections have different attributes, but the memory is also page management. So, sections of code and data sections on different pages, are distributed or aligned to a page.

Disk file is based on the sector, the minimum is 512 bytes, so the original size may be 0x200, and the virtual size is 0x1000.

Posted by Brant at December 16, 2016 - 2:37 PM

The alignment file size alignment size and memory is not the same out these two concepts, of course, these two values can be set to the same.

Posted by Angelo at December 22, 2016 - 3:36 PM

Thank you, prawns

Posted by Christina at January 01, 2017 - 4:32 PM

Posted by Abigail at January 02, 2017 - 7:01 PM

WindowsPE: The Definitive Guide

Posted by Eleanor at January 13, 2017 - 6:07 PM

This book is very detailed~~

Posted by Marvin at January 15, 2017 - 5:09 PM