TechQA.

PIMAGE_NT_HEADERS Showing different Values

220 views Asked by At

so I am currently attempting to locally map my suspended thread when I pop my program into CFF explorer it says that the value of PIMAGE_NT_HEADERS is 00004550: enter image description here

however while attempting to map it by myself my value comes out to be 00400080: enter image description here

typedef struct pe {
    PIMAGE_DOS_HEADER peDH;
    PIMAGE_NT_HEADERS peNH;


} pe;

PE.peDH = (PIMAGE_DOS_HEADER)imgBase;
PE.peNH = (PIMAGE_NT_HEADERS)((u_char*)PE.peDH + PE.peDH->e_lfanew);
printf("[?] - NT Headers section is located at: 0x%x\n", PE.peNH);
c winapi portable-executable file-mapping nt
Original Q&A
1

There are 1 answers

1
Remy Lebeau On BEST ANSWER

 it says that the value of PIMAGE_NT_HEADERS is 00004550

No, it doesn't. Look at it again more carefully. It actually says the Signature field of the IMAGE_NT_HEADERS struct is 00004550. But you are not printing the Signature, you are printing the PIMAGE_NT_HEADERS pointer itself. Not the same thing.

Change your print to this instead:

printf("[?] - NT Headers Signature is: 0x%08x\n", PE.peNH->Signature);

Related Questions in C

Related Questions in WINAPI

Related Questions in PORTABLE-EXECUTABLE

Related Questions in FILE-MAPPING

Related Questions in NT

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions