Page 1 of 1

Virtual Size = Raw Size (Why?)

Posted: Sun May 17, 2009 6:09 pm
by karmany
When I add a new section Stud_PE said this:
"VirtualSize must be greater or equal than raw size" Why???

This is not correct, Virtual Size can be smaller and greater than RawSize. Some compilers put the value of Virtual Size as the exact number of bytes of code.
Virtual Size may be less than Raw Size, is very normal. Virtual Size < Raw Size can help us to know where the code ends.

For example:
Image Base = 400000

Section .text
Virtual Offset = 00001000
Virtual Size = 00000076
Raw Offset = 00000200
Raw Size = 00000200

With these data, it is very possible that in the address 400000+1000+76 = 401076, no code. (address > 401076), it is possible that all the bytes are 0 (o another). vacuum source that can be used. However, (Raw Size = 200) while (Virtual Size = 76) because File Alignment=200!!!

In the above example, Virtual Size = 200, is correct but is not correct.

Un saludo.

Posted: Wed May 20, 2009 7:33 am
by CGSoftLabs
well don't remember; it's a long time ago from when I did this :)

your example could work..or not; have you checked what windows loader says on various versions of windows, with your example? it's easy to say..oh it works on vista, but you must check all previous windows because the loader differs from one build to another.

however you could edit later the virtuual size and raw size in section's properties.

Posted: Thu May 21, 2009 7:24 pm
by karmany
First thanks for answering. Stud_PE is a good program. I do not speak English - translator online...

Look at this example: the same Stud_PE
Stud_PE is compiled with Microsoft Visual C + + (6, 7...)

The first section is as follows:
Name = .text
VirtualSize = 00086F01
VirtualOffset = 00001000
RawSize = 00087000
RawOffset = 00001000

VirtualSize (86F01) < RawSize (87000)
For Stud_PE is a problem!!

As I said before, some compilers put the value of "VirtualSize" as the value of byte code. Look!: (Stud_PE)

00487EEF lea ecx,[ebp-10]
00487EF2 jmp 0046A37B
00487EF7 mov eax,Stud_PE.004A2F18
00487EFC jmp 0045A7B8
00487F01 db 00
00487F02 db 00
00487F03 db 00
00487F04 db 00

487F01 = 400000 (Image Base) + 1000 (VirtualOffset) + 86F01 (VirtualSize)

--------------------------------------------------------------------------

Anyway, you can modify VirtualSize but you have to do it depending on SectionAlignment:
VirtualSize -> SectionAlignment
RawSize -> FileAlignment

For example:
Bytes_code = 300
SectionAlignment = 1000
FileAlignment = 200
RawSize = 400

VirtualSize = 300 -> M. Visual 6 C++, MASM32 for example...
VirtualSize = 400 -> StudPE
VirtualSize = 1000 (SectionAlignment) -> Some Borland C++ etc...

VirtualSize = 300 or VirtualSize = 400 or VirtualSize = 1000 is correct.
For me it is not problem but Stud_PE should not change "VirtualSize" = "RawSize".

Un saludo.

Posted: Thu May 21, 2009 10:45 pm
by CGSoftLabs
you can edit later virtual size...since it's just a dword inside section's header