
Posts

Showing posts from November, 2019

When Windows gets confused: Sometimes a RVA is not a RVA

Today we take a deep dive into one corner of the Portable Executable (PE) file format and look at some rather broken behavior in Microsoft Windows that prevents certain processes from starting at all, because the Windows loader gets confused about what an RVA is.

The PE file format is the container for every Windows executable (EXE) and for anything else that carries executable code (e.g. DLLs); the Windows loader parses it to map the image into memory and run it. It is a highly structured format with many features and nuances not found in the executable formats of other operating systems, some of them intentionally obscure. One of the harder concepts for a newcomer to the PE format is the Relative Virtual Address, or RVA for short. Microsoft defines the RVA as:

"The address of an item after it is loaded into memory, with the base address of the image file subtracted from it in an image file."

Another way of saying it is that an RVA is the offset from the base address…
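To make the definition concrete, here is an added example (not code from the original post) that walks the headers of a small PE32+ image constructed inline and converts between virtual addresses, RVAs and file offsets. The point it demonstrates is that an RVA is an offset from the image base after mapping, not an offset into the file on disk: the two coincide only inside the headers, and inside a section the RVA has to be translated through VirtualAddress and PointerToRawData, with a zero-filled tail that has no file bytes at all. The sample image, the `parse_pe`, `rva_to_file_offset` and `va_to_rva` names and the field values are assumptions made for the example; the header layouts follow `IMAGE_FILE_HEADER`, `IMAGE_OPTIONAL_HEADER` and `IMAGE_SECTION_HEADER` from winnt.h.

```python
"""Added example: RVA <-> file offset <-> VA arithmetic over a PE section table."""
import struct

SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes) -> dict:
    """Read just the fields needed for RVA arithmetic from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, _ts, _psym, _nsym,
     size_opt, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:        # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # SizeOfImage (+56) and SizeOfHeaders (+60) sit at the same offsets in both formats
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    sections = []
    for i in range(nsections):
        off = opt + size_opt + i * 40
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from(SECTION_HEADER_FMT, data, off)
        sections.append({"name": name.rstrip(b"\0").decode(),
                         "va": va,
                         "vsize": vsize or rawsize,   # old linkers leave VirtualSize 0
                         "rawsize": rawsize,
                         "rawptr": rawptr})
    return {"image_base": image_base, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "sections": sections}


def rva_to_file_offset(pe: dict, rva: int):
    """Translate an RVA to the file offset holding those bytes.

    Returns None when the RVA is mapped but has no file backing (the
    zero-filled tail of a section whose VirtualSize exceeds SizeOfRawData).
    Raises ValueError for an RVA outside the image or in a gap between
    sections. Simplification: VirtualSize is used as the section's in-memory
    extent without the page rounding the loader applies.
    """
    if not 0 <= rva < pe["size_of_image"]:
        raise ValueError(f"RVA {rva:#x} lies outside SizeOfImage")
    if rva < pe["size_of_headers"]:
        return rva                          # headers are mapped 1:1 from file start
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            delta = rva - s["va"]
            return s["rawptr"] + delta if delta < s["rawsize"] else None
    raise ValueError(f"RVA {rva:#x} is not covered by any section")


def va_to_rva(pe: dict, va: int) -> int:
    """Undo the loader's base: VA minus ImageBase, range-checked."""
    rva = va - pe["image_base"]
    if not 0 <= rva < pe["size_of_image"]:
        raise ValueError(f"VA {va:#x} does not fall inside this image")
    return rva


def build_sample_pe() -> bytes:
    """Constructed PE32+ skeleton for the example (not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)            # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)         # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x4000, 0x200)         # SizeOfImage, SizeOfHeaders
    # .text: VirtualSize == SizeOfRawData; .data: 0x1000 virtual, only 0x200 on disk
    secs = struct.pack(SECTION_HEADER_FMT, b".text", 0x400, 0x1000, 0x400, 0x200,
                       0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_HEADER_FMT, b".data", 0x1000, 0x2000, 0x200, 0x600,
                        0, 0, 0, 0, 0xC0000040)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs
    return hdr.ljust(0x800, b"\0")


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for rva in (0x80, 0x1010, 0x2010, 0x2300):
        print(f"RVA {rva:#06x} -> file offset {rva_to_file_offset(pe, rva)}")
    print(f"VA 0x140002010 -> RVA {va_to_rva(pe, 0x140002010):#x}")
```

The same RVA-to-offset walk is what any tool that reads a PE from disk (rather than from a mapped image) has to do before dereferencing a field the headers describe as an RVA; feeding an RVA straight into a file read only works for the header region, and feeding a file offset to something expecting an RVA is exactly the kind of confusion that makes a loader misbehave.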