Another from a set of functions i made on rosasm board
;;
RVAtoOffset Function
Routine Description:
This function locates the raw offset of a PE through a inputed RVA value.
Arguments:
Offset [in] - The RVA to be calculated.
pPEHdr [in] - A pointer to an IMAGE_NT_HEADERS structure ('PE' signature). This structure can be obtained by
calling the ImageNtHeader function.
Return Value:
If the function suceeds it retuns the offset related to that RVA
If the function fails, it retunr FALSE.
Example:
call RVAtoOffset 02400, D@PeOrigin
Reference: http://hi.baidu.com/ximo2006/blog/item/cbf745f82f19ffd2b58f315c.html
http://forum.exetools.com/showthread.php?t=6042
www.ntcore.com/files/netint_injection/SectComp.cff
Author:
Gustavo Trigueiros (aka: Beyond2000! or Guga)
;;
Proc RVAtoOffset:
Arguments @InputRVA, @pPEHdr
Uses edx, ecx, edi, esi
mov edx D@pPEHdr
movzx ecx W$edx+PeHeader.FileHeader.NumberOfSectionsDis
mov edi D@InputRVA
add edx SizeOf_PeHeader ; point to IMAGE_SECTION_HEADER
.While ecx <> 0 ; check all sections
mov eax D$edx+SectionsHeaders.VirtualAddressDis
add eax D$edx+SectionsHeaders.SizeOfRawDataDis
.If_And edi >= D$edx+SectionsHeaders.VirtualAddressDis, edi < eax
; 0EF3 = 0C00 +02F3 = RawOffset + (inputRVA-RVA)
; RVA = PointerToRawData + (InRVA-VirtualAddress)
sub edi D$edx+SectionsHeaders.VirtualAddressDis
add edi D$edx+SectionsHeaders.PointerToRawDataDis
mov eax edi
ExitP
.End_If
add edx SizeOf_SectionsHeaders
dec ecx
.End_While
xor eax eax
EndP