
I want to read an image of a module (loaded in the memory of a process) into a buffer, using the Win32 C++ API. After reading, I want to change all VAs in the buffer into RVAs.

I've found the ImageRvaToVa function on MSDN; however, I would need the reverse mapping, i.e. ImageVaToRva, and I would need to apply it to all VAs inside the given image. However, I couldn't find such a function or anything similar to it. Does such a function exist in Win32?

One way to do what I want would be to parse the .reloc section of the image. However, I didn't find any straightforward way to do this. Are there any Win32 API functions that can easily parse the .reloc section?

Any other suggestions for approaches to solving this problem would be appreciated.

Benny
  • What do you need this for? – jalf Mar 18 '14 at 17:03
  • I want to check if any code loaded into process memory has changed. For this I need to ignore any relocations that occurred when the PE file was mapped. – Benny Mar 18 '14 at 17:18
  • why would it change? The code is marked read-only. It can only be modified by a user with sufficient privileges to change memory permissions in other processes. And users who can do that can also cheat whatever other mechanisms you come up with to check that nothing has been tampered with. – jalf Mar 18 '14 at 18:27
  • Sure you are totally right. My mistake, I actually want to compute a hash of the code of each loaded module and I can only verify the result if nothing inside the loaded image changes. Otherwise the result is different. – Benny Mar 18 '14 at 19:18
  • Why not just hash the executable file? – Alan Stokes Mar 18 '14 at 19:56
  • I can hash the file, but I have to check if the hash of an image loaded in process memory matches the hash of the file. The loaded image and the original file don't necessarily need to have the same name and path. – Benny Mar 18 '14 at 20:06
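Added example (not from the question or its comments): what the "parse the .reloc section" approach from the question looks like in practice. The inverse of ImageRvaToVa for a mapped module is just VA minus the base the module was actually loaded at, and undoing the loader's relocations means walking the base-relocation blocks (IMAGE_BASE_RELOCATION headers followed by 16-bit type:offset entries) and subtracting delta = actual base - OptionalHeader.ImageBase from every HIGHLOW (32-bit) or DIR64 (64-bit) slot. The code below defines its own stand-ins for the winnt.h structures so it builds on any platform, assumes a little-endian host, and runs against a constructed 8 KiB "image" and a constructed .reloc block rather than a real module; in a real check the bytes would come from ReadProcessMemory and the .reloc data from the IMAGE_DIRECTORY_ENTRY_BASERELOC data directory of the mapped headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the winnt.h definitions so this builds without the Windows SDK;
   the layout matches IMAGE_BASE_RELOCATION exactly. */
typedef struct {
    uint32_t VirtualAddress;  /* RVA of the page this block covers */
    uint32_t SizeOfBlock;     /* bytes in header + entries */
} IMAGE_BASE_RELOCATION;
enum { IMAGE_REL_BASED_ABSOLUTE = 0, IMAGE_REL_BASED_HIGHLOW = 3, IMAGE_REL_BASED_DIR64 = 10 };

/* Inverse of ImageRvaToVa for a mapped module: RVA = VA - actual load base.
   Returns 0 if the VA does not fall inside the image. */
int va_to_rva(uint64_t va, uint64_t base, uint64_t image_size, uint32_t *rva)
{
    if (va < base || va - base >= image_size) return 0;
    *rva = (uint32_t)(va - base);
    return 1;
}

/* Walk .reloc data and subtract `delta` (actual base - preferred base) from every
   fixup slot, turning the relocated in-memory copy back into its on-disk form.
   Returns the number of fixups undone, or -1 on malformed input. */
long unrelocate_image(uint8_t *image, size_t image_size,
                      const uint8_t *reloc, size_t reloc_size, uint64_t delta)
{
    size_t pos = 0;
    long undone = 0;
    while (pos + sizeof(IMAGE_BASE_RELOCATION) <= reloc_size) {
        IMAGE_BASE_RELOCATION hdr;
        memcpy(&hdr, reloc + pos, sizeof hdr);
        if (hdr.SizeOfBlock == 0) break;                 /* zero padding at section end */
        if (hdr.SizeOfBlock < sizeof hdr || hdr.SizeOfBlock > reloc_size - pos) return -1;
        const uint8_t *ent = reloc + pos + sizeof hdr;
        size_t n = (hdr.SizeOfBlock - sizeof hdr) / 2;
        for (size_t i = 0; i < n; i++) {
            uint16_t e;
            memcpy(&e, ent + 2 * i, 2);
            unsigned type = e >> 12;
            uint64_t rva = (uint64_t)hdr.VirtualAddress + (e & 0xFFF);
            if (type == IMAGE_REL_BASED_ABSOLUTE) continue;   /* alignment padding entry */
            size_t width = (type == IMAGE_REL_BASED_HIGHLOW) ? 4
                         : (type == IMAGE_REL_BASED_DIR64)   ? 8 : 0;
            if (width == 0 || rva + width > image_size) return -1;  /* HIGH/LOW/HIGHADJ not handled */
            uint64_t v = 0;
            memcpy(&v, image + rva, width);                  /* little-endian host assumed */
            v -= delta;                                      /* low `width` bytes wrap correctly */
            memcpy(image + rva, &v, width);
            undone++;
        }
        pos += hdr.SizeOfBlock;
    }
    return undone;
}

/* FNV-1a stands in for whatever real hash the check would use. */
uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Constructed sample: an 0x2000-byte image preferring base 0x10000000 that the loader
   placed at 0x10030000, with three fixups (two HIGHLOW, one DIR64) in page 0x1000. */
#define PREF_BASE 0x10000000ULL
#define LOAD_BASE 0x10030000ULL
#define IMG_SIZE  0x2000
static void put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void put64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }

int demo_hash_matches_disk(void)
{
    uint8_t disk[IMG_SIZE] = {0}, mem[IMG_SIZE];
    uint64_t delta = LOAD_BASE - PREF_BASE;
    put32(disk + 0x1010, (uint32_t)(PREF_BASE + 0x1200));   /* on-disk: preferred-base VAs */
    put32(disk + 0x1020, (uint32_t)(PREF_BASE + 0x1300));
    put64(disk + 0x1030, PREF_BASE + 0x1400);
    memcpy(mem, disk, IMG_SIZE);                              /* in memory: loader added delta */
    put32(mem + 0x1010, (uint32_t)(PREF_BASE + 0x1200 + delta));
    put32(mem + 0x1020, (uint32_t)(PREF_BASE + 0x1300 + delta));
    put64(mem + 0x1030, PREF_BASE + 0x1400 + delta);
    uint8_t reloc[16];                                        /* one block: header + 4 entries */
    put32(reloc + 0, 0x1000);                                 /* VirtualAddress */
    put32(reloc + 4, 16);                                     /* SizeOfBlock */
    uint16_t ents[4] = { (3 << 12) | 0x010, (3 << 12) | 0x020, (10 << 12) | 0x030, 0 };
    memcpy(reloc + 8, ents, 8);

    if (fnv1a64(mem, IMG_SIZE) == fnv1a64(disk, IMG_SIZE)) return 0;  /* relocation must matter */
    if (unrelocate_image(mem, IMG_SIZE, reloc, sizeof reloc, delta) != 3) return 0;
    return fnv1a64(mem, IMG_SIZE) == fnv1a64(disk, IMG_SIZE) && memcmp(mem, disk, IMG_SIZE) == 0;
}

int main(void)
{
    printf("%s\n", demo_hash_matches_disk() ? "un-relocated image hashes like the disk copy" : "mismatch");
    return 0;
}
```

Two caveats for a real module: only the relocation types present for the target architecture need handling (HIGHLOW for 32-bit images, DIR64 for 64-bit ones; the others are legacy), and after un-relocating you would still restrict the hash to sections that do not change legitimately at run time (the IAT and writable data sections do), otherwise the in-memory hash will never equal the file's.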
