hasherezade / bearparser

Portable Executable parsing library (from PE-bear)

Home Page:https://hasherezade.github.io/bearparser


Error in mapping Raw Size to Virtual Size (when Virtual Size is smaller)

hasherezade opened this issue · comments

Test cases:

1: [image: sample1]

2: [image: sample2]

Both samples have a Virtual Size smaller than the Raw Size. This means that not the whole Raw Size is going to be mapped.
However, Bearparser mistakenly uses the Raw Size as defined in the headers, over the Virtual Size. This leads to further errors in the interpretation of the addresses.

What is really mapped in memory?

Example: cfccf5e157c00dc7104a750b2f9a8fc00fd323507277e8d616536c9084dc7586

This sample has Virtual Size defined as: 24B5 and Raw Size defined as 9400.
What is really mapped in memory is not exactly the Virtual Size, but the Virtual Size rounded up to File Alignment:

[image: real_mapped]

So, 24B5 rounded up to the File Alignment is 3000. We can make an experiment by appending a test string at the end of the section in the raw format:

[image: sec_end1]

And this is the end of the section in memory:

[image: sec_end_virtual1]

As we can see, indeed the whole 3000 bytes from the file have been mapped in this section.

Fixed:

[image: new_mapped1]

[image: new_mapped2]

The real mapped sizes are displayed.
It fixes the problem with the interpretation of addresses, and the Entry Point is validly resolved.
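
The mapping rule described in this issue, as an added C++ example (not bearparser's own code and not part of the original post). The `Section` struct and function names are hypothetical; the section sizes 24B5 and 9400 come from the issue, while the section RVA, the raw pointer and a File Alignment of 0x1000 are constructed values chosen to match the 3000 result above.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical minimal section record (not bearparser's own types).
struct Section {
    uint32_t vaddr;     // VirtualAddress (RVA of the section)
    uint32_t vsize;     // VirtualSize
    uint32_t raw_ptr;   // PointerToRawData
    uint32_t raw_size;  // SizeOfRawData
};

// Round value up to a multiple of unit (unit == 0 leaves it unchanged).
static uint32_t round_up(uint32_t value, uint32_t unit) {
    if (unit == 0) return value;
    uint64_t r = (uint64_t(value) + unit - 1) / unit * unit;
    return r > UINT32_MAX ? UINT32_MAX : uint32_t(r);
}

// Raw bytes that end up mapped, following the rule stated in the issue:
// a Virtual Size smaller than the Raw Size trims the mapping to the
// Virtual Size rounded up to File Alignment, capped at the Raw Size.
uint32_t mapped_raw_size(const Section &s, uint32_t file_align) {
    // Assumption (not from the issue): Virtual Size 0 means "use Raw Size".
    if (s.vsize == 0 || s.vsize >= s.raw_size) return s.raw_size;
    uint32_t trimmed = round_up(s.vsize, file_align);
    return trimmed < s.raw_size ? trimmed : s.raw_size;
}

// Convert a file offset to an RVA; false when the byte is never mapped.
bool raw_to_rva(const Section &s, uint32_t file_align, uint32_t raw, uint32_t &rva) {
    if (raw < s.raw_ptr) return false;
    uint32_t delta = raw - s.raw_ptr;
    if (delta >= mapped_raw_size(s, file_align)) return false;
    rva = s.vaddr + delta;
    return true;
}

int main() {
    // Sizes from the issue; vaddr, raw_ptr and alignment are constructed.
    Section s{0x1000, 0x24B5, 0x400, 0x9400};
    uint32_t rva = 0;
    std::printf("mapped: 0x%X\n", (unsigned)mapped_raw_size(s, 0x1000));
    std::printf("last mapped byte ok: %d\n", raw_to_rva(s, 0x1000, 0x33FF, rva));
    std::printf("first trimmed byte ok: %d\n", raw_to_rva(s, 0x1000, 0x3400, rva));
    return 0;
}
```

With the header Raw Size used instead, file offset 0x3400 would resolve to RVA 0x4000, which is past the end of what this section maps; rejecting it is what keeps later address resolution consistent.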