Error in mapping Raw Size to Virtual Size (when Virtual Size is smaller)
hasherezade opened this issue · comments
Test cases:
- cfccf5e157c00dc7104a750b2f9a8fc00fd323507277e8d616536c9084dc7586
- db15546979b765590bf7bac648143b3837a0caf743fd37e16d53756c5ec24423
Both samples have Virtual Size smaller than the Raw Size. It means not the whole Raw Size is going to be mapped.
However, Bearparser mistakenly uses the Raw Size as defined in the headers, over the Virtual Size. This leads to further errors in interpretation of the addresses.
What is really mapped in memory?
Example: cfccf5e157c00dc7104a750b2f9a8fc00fd323507277e8d616536c9084dc7586
This sample has Virtual Size defined as: 24B5
and Raw Size defined as 9400
.
What is really mapped in memory is not exactly the Virtual Size, but the Virtual Size rounded up to File Alignment:
So, 24B5
rounded up to the File Alignment is 3000
. We can make an experiment by appending a test string at the end of the section in the raw format:
And this is the end of the section in memory:
As we can see, indeed whole 3000
bytes from the file has been mapped in this section.