THE DATA DIRECTORY
DataDirectory is the final 128 bytes of OptionalHeader which is the final member of IMAGE_NT_HEADERS.
DataDirectory is an array of 16 IMAGE_DATA_DIRECTORY structures. Each array refers to a predefined item such as the import table. The structure has 2 members which contain the location and the size of the data structure in question.
VirtualAddress is the relative virtual address (RVA) of the data structure
iSize contains the size in bytes of the data structure.
The 16 directories to which these structures refer are defined in windows.inc
A file may not have all the 16 members. Some of them might be unused. For e,g, our example as seen in LordPE has only 4 members.
For e.g. in the picture, the "import table" fields contain the RVA and the size of IMAGE_IMPORT_DESCRIPTOR array - the Import directory. The picture below shows the PE header with the data directory outlined in red.
To locate a particular directory, you determine the relative address from the data directory. Then use the virtual address to determine which section the directory is in. once you determine which section contains the directory, the section header for that section is used to find the exact offset.
In the next post we move on to the Section Table
No comments:
Post a Comment