[PE Structure Analysis] 9. Export table IMAGE_EXPORT_DIRECTORY, dockerexportimage

[PE Structure Analysis] 9. Export table IMAGE_EXPORT_DIRECTORY, dockerexportimage

Typedef struct _ IMAGE_EXPORT_DIRECTORY {DWORD Characteristics; // unused, total 0

DWORD TimeDateStamp; // file creation timestamp WORD MajorVersion; // unused, total 0

WORD MinorVersion; // not used, always 0 DWORD Name; // point to an rva dword Base that represents the Name of this DLL; // The start sequence of the function, DWORD NumberOfFunctions; // total number of exported Functions

DWORD NumberOfNames; // total number of functions exported by name

DWORD AddressOfFunctions; // rva dword AddressOfNames pointing to the output function address; // rva dword AddressOfNameOrdinals pointing to the output function name; // RVA pointing to the output function serial number

} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;

AddressOfFunctions points to an array element in 4 bytes. Each element represents the function entry.

AddressOfNames points to an array element in 4 bytes. Each element represents an RVA pointing to a string.

AddressOfNamesOrdinals points to an array element in 2 bytes. Each element represents the number of numbers of corresponding names in AddressOfFunctions.

The numbers of AddressOfNames and AddressOfNamesOrdinals must be the same. If they are not the same, an error occurs.

There are two methods to find the function entry address:

A. Search for the function entry address from the serial number

1. Locate the PE File Header
2. Retrieve the data directory table from the IMAGE_OPTIONAL_HEADER32 structure in the PE file header, and obtain the RVA of the exported table from the first data directory.
3. Obtain the Starting sequence number from the Base field of the exported table.
4. subtract the start sequence number Base from the exported sequence number to obtain the index of the function in the entry address table. check whether the index value is greater than the value of the NumberOfFunctions field in the exported table, the Input Serial number is invalid.
5. use this index value to retrieve the corresponding project from the export function entry Address Table pointed to by the AddressOfFunctions field. This is the RVA value of the function entry address. When the function is loaded into the memory, this RVA value is added with the base address actually loaded by the module, and the real entry address of the function is obtained.

B. Find the entry address from the function name

Let me record the following points:If the function name is used for searching, the Base value does not make any sense now.

1. first obtain the address of the exported table
2. obtain the total number of named functions from the NumberOfNames field of the exported table, and use this number as the number of cycles to construct a loop, starting from the AddressOfNames field pointing to the first item of the obtained function name address table, the function name defined for each item in the loop is compared with the function name to be searched, if no function name is correct, it indicates that no function is specified in the file.
3. if a defined function name matches the name of the function to be searched, write down the index value of this function name in the string address table, then, retrieve the value of the array item with the same index value in the array pointed to by AddressOfNamesOrdinals. We assume that the value is x
4. Finally, use the value of x as the index value to obtain RVA in the function entry Address Table pointed to by the AddressOfFunctions field. This RVA is the function entry address.

Attachment: