You may remember from the PECOFF specification that the sections of a PE file have some meta-data associated with them. In particular the IMAGE_SECTION_HEADER. This section has the name, the VirtualSize, address of the section in the image as well as the address of where it will be when the image loads, also known as the VirtualAddress. This is the important part. Because what is on disk versus what is loaded into memory is quite different due to section alignment. Here's what the files look like side-by-side in 010editor.
|The difference between the file from disk (left) and the one dumped from memory (right)|
|The file that was dumped from memory, rebased, but the DriverEntry is totally wrong.|
|Fixing the values for each section for (updating PointerToRawData values)|
|Looks "ok" but some offsets are pointing to the wrong place!|
After all that, I finally got the driver dumped from memory to look like the one extracted from the disk.
|The image with all sections correctly resolved and displayed.|