Don't compact raw data means keep the RawOffset/RawSize the same as VirutalOffset/VirutalSize.
Why?
In most case, we are researching the dumped file. Keep the same address/offset makes it easier to locate the data in hex editors, debuggers and other PE tools.
Of course, we can compact raw data giving a smaller final PE file.
Related code:
|
for (WORD i = 0; i < getNumberOfSections(); i++) |
|
{ |
|
listPeSection[i].sectionHeader.VirtualAddress = alignValue(listPeSection[i].sectionHeader.VirtualAddress, sectionAlignment); |
|
listPeSection[i].sectionHeader.Misc.VirtualSize = alignValue(listPeSection[i].sectionHeader.Misc.VirtualSize, sectionAlignment); |
|
|
|
listPeSection[i].sectionHeader.PointerToRawData = alignValue(newFileSize, fileAlignment); |
|
listPeSection[i].sectionHeader.SizeOfRawData = alignValue(listPeSection[i].dataSize, fileAlignment); |
|
|
|
newFileSize = listPeSection[i].sectionHeader.PointerToRawData + listPeSection[i].sectionHeader.SizeOfRawData; |
|
} |
https://github.com/NtQuery/Scylla/search?q=alignAllSectionHeaders&unscoped_q=alignAllSectionHeaders
Don't compact raw datameans keep theRawOffset/RawSizethe same asVirutalOffset/VirutalSize.Why?
In most case, we are researching the dumped file. Keep the same address/offset makes it easier to locate the data in hex editors, debuggers and other PE tools.
Of course, we can compact raw data giving a smaller final PE file.
Related code:
Scylla/Scylla/PeParser.cpp
Lines 1083 to 1092 in 0ca2c1a
https://github.com/NtQuery/Scylla/search?q=alignAllSectionHeaders&unscoped_q=alignAllSectionHeaders