On Wed Apr 24 15:30:39 2024 +0000, Alexandre Julliard wrote:
Note that you can't compare RVAs to find out which is last, because the security directory address is a raw file offset, not an RVA.
got it... sorry for the noise :-(
it's clearer here https://www.sciencedirect.com/science/article/pii/S2666281720300123?via%3Dih...
The digital signature data in an embedded Authenticode-signed Windows PE file is appended to the file. The offset and size of the embedded signature is stored in the Security directory entry within the Data directories array of the PE optional header. The Data directories array contains offsets and sizes of different structures within the PE file, such as the export, import, or relocation directories, among others. All directories but the security directory store their offsets as relative virtual address (RVA) offsets, which means that they are the virtual addresses from the PE file once it is loaded into memory. On the contrary, the security directory stores its offset as a file offset.