- Make sure that you have dumped the binary from memory
- (optionally) Fix PE headers if necessary
With PE-bear
- Open PE-bear > Sections > Section Headers
- Make sure that VA and VS (virtual address and virtual size) match RA and RS (raw address and raw size), so:
- RA[i] = VA[i]
- RS[i] = RA[i+1] - RA[i]
- RS.reloc = 0
- VS[i] = RS[i]
- If you see some red blocks, it means that the PE is probably misaligned; check: Fix misaligned sections
Fix misaligned sections
- Open the binary in a hex editor
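The header rules listed above, applied with a script instead of by hand in PE-bear. This is an added example, not part of the original notes. It assumes RA/RS/VA/VS are the section table's PointerToRawData, SizeOfRawData, VirtualAddress and VirtualSize fields, that sections are sorted by address, and that a last section other than `.reloc` runs to the end of the dump; the function names and the sample image are constructed for illustration.

```python
import struct

# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
SECTION = struct.Struct("<8sIIII")

def section_offsets(pe):
    """Return the file offset of each 40-byte IMAGE_SECTION_HEADER."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt, = struct.unpack_from("<I", pe, 0x3C)            # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    count, = struct.unpack_from("<H", pe, nt + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, nt + 20)   # SizeOfOptionalHeader
    return [nt + 24 + opt_size + 40 * i for i in range(count)]

def read_sections(pe):
    return [SECTION.unpack_from(pe, off) for off in section_offsets(pe)]

def fix_section_headers(dump):
    """Rewrite section headers so the raw (file) layout equals the virtual layout."""
    pe = bytearray(dump)
    rows = read_sections(pe)
    for i, off in enumerate(section_offsets(pe)):
        name, _vs, va, _rs, _ra = rows[i]
        if name.rstrip(b"\0") == b".reloc":
            rs = 0                               # RS.reloc = 0
        elif i + 1 < len(rows):
            rs = rows[i + 1][2] - va             # RS[i] = RA[i+1] - RA[i], with RA = VA
        else:
            rs = max(len(pe) - va, 0)            # assumption: last section ends with the dump
        SECTION.pack_into(pe, off, name, rs, va, rs, va)   # VS[i] = RS[i], RA[i] = VA[i]
    return pe

def build_sample():
    """Constructed 0x4000-byte stand-in for a dump whose headers still hold on-disk raw values."""
    img = bytearray(0x4000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)      # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x86, 3)         # NumberOfSections
    struct.pack_into("<H", img, 0x94, 0xE0)      # SizeOfOptionalHeader
    disk = [(b".text", 0x5F3, 0x1000, 0x600, 0x400),
            (b".data", 0x120, 0x2000, 0x200, 0xA00),
            (b".reloc", 0x0C4, 0x3000, 0x200, 0xC00)]
    for i, row in enumerate(disk):
        SECTION.pack_into(img, 0x178 + 40 * i, *row)
    return bytes(img)
```

Only the section table is rewritten; the section data in the dump stays where it was in memory, which is what makes RA = VA valid.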
- Go to the 1st section (on example above to
- Section should start in this place, nulls should be before.
- Append nulls starting from last null seen before 1st section (0xfdf) to section start address (inconclusive) (
- Review in PE-bear:
Section Headers should no longer be marked as red.
Image Base is the same as dumped section address (if not, set it to dumped section address).