Can there be an option that "Don't compact raw data"? #49

lifenjoiner opened this issue Sep 17, 2019 · 0 comments
"Don't compact raw data" means keeping the RawOffset/RawSize the same as VirtualOffset/VirtualSize.

Why?
In most cases, we are researching the dumped file. Keeping the same address/offset makes it easier to locate the data in hex editors, debuggers and other PE tools.
Of course, we can compact raw data, giving a smaller final PE file.

Related code:

Scylla/Scylla/PeParser.cpp

Lines 1083 to 1092 in 0ca2c1a

```cpp
for (WORD i = 0; i < getNumberOfSections(); i++)
{
    listPeSection[i].sectionHeader.VirtualAddress = alignValue(listPeSection[i].sectionHeader.VirtualAddress, sectionAlignment);
    listPeSection[i].sectionHeader.Misc.VirtualSize = alignValue(listPeSection[i].sectionHeader.Misc.VirtualSize, sectionAlignment);
    listPeSection[i].sectionHeader.PointerToRawData = alignValue(newFileSize, fileAlignment);
    listPeSection[i].sectionHeader.SizeOfRawData = alignValue(listPeSection[i].dataSize, fileAlignment);
    newFileSize = listPeSection[i].sectionHeader.PointerToRawData + listPeSection[i].sectionHeader.SizeOfRawData;
}
```

https://github.com/NtQuery/Scylla/search?q=alignAllSectionHeaders&unscoped_q=alignAllSectionHeaders
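A sketch of the difference the requested option would make, as an added example that is not Scylla's code: the same loop with a hypothetical `compact` switch, plus an RVA-to-file-offset lookup run over both layouts. `Sec`, `alignUp`, `layout`, `rvaToOffset` and the sample section values are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for the IMAGE_SECTION_HEADER fields the loop touches.
struct Sec {
    uint32_t VirtualAddress, VirtualSize;      // placement in memory
    uint32_t PointerToRawData, SizeOfRawData;  // placement in the file
    uint32_t dataSize;                         // bytes actually dumped
};

// Assumed to behave like alignValue: round v up to a multiple of a.
static uint32_t alignUp(uint32_t v, uint32_t a) { return (v + a - 1) / a * a; }

// compact=true packs raw data at fileAlignment, as the quoted loop does.
// compact=false is the requested mode: raw placement mirrors virtual placement.
// Assumes sectionAlignment is a multiple of fileAlignment, so the mirrored
// PointerToRawData is still file-aligned. Returns the resulting file size.
uint32_t layout(std::vector<Sec>& secs, uint32_t headerSize,
                uint32_t sectionAlignment, uint32_t fileAlignment, bool compact) {
    uint32_t newFileSize = headerSize;
    for (Sec& s : secs) {
        s.VirtualAddress = alignUp(s.VirtualAddress, sectionAlignment);
        s.VirtualSize = alignUp(s.VirtualSize, sectionAlignment);
        s.PointerToRawData = compact ? alignUp(newFileSize, fileAlignment) : s.VirtualAddress;
        s.SizeOfRawData = compact ? alignUp(s.dataSize, fileAlignment) : s.VirtualSize;
        newFileSize = s.PointerToRawData + s.SizeOfRawData;
    }
    return newFileSize;
}

// Translate an RVA to a file offset; UINT32_MAX if no raw data backs it.
uint32_t rvaToOffset(const std::vector<Sec>& secs, uint32_t rva) {
    for (const Sec& s : secs)
        if (rva >= s.VirtualAddress && rva - s.VirtualAddress < s.SizeOfRawData)
            return s.PointerToRawData + (rva - s.VirtualAddress);
    return UINT32_MAX;
}

// Constructed sample: two sections of a dumped image (values are made up).
std::vector<Sec> sample() { return {{0x1000, 0x1234, 0, 0, 0x1100}, {0x3000, 0x800, 0, 0, 0x200}}; }

int main() {
    for (bool compact : {true, false}) {
        std::vector<Sec> secs = sample();
        uint32_t size = layout(secs, 0x400, 0x1000, 0x200, compact);
        std::printf("compact=%d size=0x%X rva 0x3010 -> file 0x%X\n",
                    compact, (unsigned)size, (unsigned)rvaToOffset(secs, 0x3010));
    }
}
```

In the mirrored layout every RVA inside a section equals its file offset, at the cost of a larger file; a writer using it would also have to zero-pad each section's dumped bytes up to its aligned virtual size.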
