PE size calculation

Programming, for all ages and all languages.
Post Reply
freqseeker
Posts: 1
Joined: Thu Aug 12, 2010 7:58 am

PE size calculation

Post by freqseeker »

Hi there all. I have a somewhat non-standard problem I’m trying to work through. Any help will get you free drinks of your choice at whatever conference we’re both at next! (Heck, at this point, I might even drop some in the mail, but shhhhh... Don’t tell the post master general.) ;-)

Anyways...

I have long streams of bytes I’m working with. In those streams, PE files are embedded inside. I can identify the PE file and am parsing/validating headers etc... So far, I'm only’ up to the optional headers, which might be the problem leading to this question, but...

Question is:
How can I calculate where the end of the PE file is in the stream of bytes?

The SizeOfImage characteristic rarely seems to match the actual size of the file in bytes, so I’m guessing there’s some kind of trickery and magic I need to do with other values to find the actual end of file.

Thank you in advance for any help!!!
User avatar
Primis
Member
Member
Posts: 62
Joined: Fri May 14, 2010 3:46 pm
Libera.chat IRC: Primis
Location: New York, NY
Contact:

Re: PE size calculation

Post by Primis »

A PE image contains not only executable code, but also data, so the image will be bigger than the code, simply due to the fact PE likes to have padding. I suggest looking in a hex editor to confirm / deny my theory.
"On two occasions I have been asked, 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
Image
Gigasoft
Member
Member
Posts: 856
Joined: Sat Nov 21, 2009 5:11 pm

Re: PE size calculation

Post by Gigasoft »

SizeOfImage refers to the size in memory after being loaded. You should look at the very last section header, and add the PointerToRawData and SizeOfRawData fields together. This will give you the file size.
Post Reply