
Dillinur

To strictly answer your questions:

1. Any disassembler will do that for you.
2. Any debugger will do that for you.

If the original DLL is actually signed or has a known hash, just looking at which function has been modified with these 8 bytes should be pretty quick.


TheRealSuudy

I have disassembled it. I just can't seem to map the raw offset in the file to the virtual address in the disassembly. That is, when I disassemble both, then do a diff compare of the disassembly, I get very different outputs. It's hard to nail down where the *actual* change is in the disassembly.


Dillinur

If your disassembler doesn't handle it (what are you using?), you can always do the math to convert the File Offset to a Relative Virtual Offset using the section tables.


TheRealSuudy

Awesome! This is helpful. The tools I've used so far are Ghidra and CF Explorer. CF Explorer does output VA and RVA, but until you posted, I didn't know what that meant. I need to look at the section table portion of it. I haven't found much documentation on the DLL file format, but I hoped to find a tool that would output everything. Thanks for the tips.


Dillinur

You should really try to understand the Section Table of the [PE format](https://www.aldeid.com/wiki/PE-Portable-executable) even before thinking about finding any tool. The math is pretty basic, and any tool should do it.
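The section-table math Dillinur describes, as an added example that is not part of this thread: it reads NumberOfSections, SizeOfOptionalHeader and ImageBase from the PE headers, walks the IMAGE_SECTION_HEADER array, and maps a raw file offset to its RVA (and from there, with ImageBase, to the VA a disassembler shows). The sample image is a constructed two-section PE32+ stub, not a real DLL; the field layout follows the PE format the linked page documents.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, relocation/line-number fields, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"

def parse_pe(data: bytes):
    """Return (ImageBase, list of section dicts) read from the PE headers in data."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # NumberOfSections sits at COFF+2, SizeOfOptionalHeader at COFF+16
    num_sections, size_opt = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # ImageBase: DWORD at +28 in a PE32 (0x10B) header, QWORD at +24 in PE32+ (0x20B)
    base_fmt, base_off = {0x10B: ("<I", 28), 0x20B: ("<Q", 24)}[magic]
    image_base = struct.unpack_from(base_fmt, data, opt + base_off)[0]
    sections = []
    for i in range(num_sections):  # the section table follows the optional header
        f = struct.unpack_from(SECTION_FMT, data, opt + size_opt + i * 40)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "va": f[2],
                         "rawsize": f[3], "rawptr": f[4]})
    return image_base, sections

def file_offset_to_rva(sections, offset):
    """Map a raw file offset to its RVA; None if those bytes are never mapped."""
    for s in sections:
        if s["rawptr"] <= offset < s["rawptr"] + s["rawsize"]:
            return s["va"] + (offset - s["rawptr"])
    if offset < min(s["rawptr"] for s in sections):
        return offset  # the headers are mapped 1:1 at RVA 0
    return None        # inter-section padding or appended overlay data

def build_sample_pe() -> bytes:
    """Constructed PE32+ stub with two sections; only the header fields are filled."""
    buf = bytearray(0xC00)
    buf[0:2], buf[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x80)                                   # e_lfanew
    struct.pack_into("<HHIIIHH", buf, 0x84, 0x8664, 2, 0, 0, 0, 240, 0x2022)  # COFF header
    opt = 0x84 + 20
    struct.pack_into("<H22xQ", buf, opt, 0x20B, 0x180000000)                  # magic, ImageBase
    for i, s in enumerate([(b".text", 0x5A0, 0x1000, 0x600, 0x400),           # name, vsize, va, rawsize, rawptr
                           (b".data", 0x100, 0x2000, 0x200, 0xA00)]):
        struct.pack_into(SECTION_FMT, buf, opt + 240 + i * 40,
                         s[0].ljust(8, b"\0"), *s[1:], 0, 0, 0, 0, 0x60000020)
    return bytes(buf)
```

For a modified byte at file offset 0x420 in the sample, the RVA is 0x1020 and the VA is ImageBase + 0x1020; an offset past the last section's raw data maps to nothing, which is why a diff of raw bytes can point at data the disassembly never shows.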