PE size calculation

[freqseeker]

Hi there all. I have a somewhat non-standard problem I’m trying to work through. Any help will get you free drinks of your choice at whatever conference we’re both at next! (Heck, at this point, I might even drop some in the mail, but shhhhh... Don’t tell the post master general.)

Anyways...

I have long streams of bytes I’m working with. In those streams, PE files are embedded inside. I can identify the PE file and am parsing/validating headers etc... So far, I'm only’ up to the optional headers, which might be the problem leading to this question, but...

Question is:
How can I calculate where the end of the PE file is in the stream of bytes?

The SizeOfImage characteristic rarely seems to match the actual size of the file in bytes, so I’m guessing there’s some kind of trickery and magic I need to do with other values to find the actual end of file.

Thank you in advance for any help!!!

[Primis]

A PE image contains not only executable code, but also data, so the image will be bigger than the code, simply due to the fact PE likes to have padding. I suggest looking in a hex editor to confirm / deny my theory.

[Gigasoft]

SizeOfImage refers to the size in memory after being loaded. You should look at the very last section header, and add the PointerToRawData and SizeOfRawData fields together. This will give you the file size.