PE file structure (4) output table

PE file structure (4)

Reference

Book: encryption and decryption

Video: Little Turtle decryption series video

Output table

Generally, the output table exists in the DLL. The output table provides the name of the function in the file and the address of these functions. The PE Loader modifies the IAT through the output table.

Datadirectory [0] In image_optional_header provides the RVA of the output table. The output table starts with an image_export_directory structure.

Image_export_directory structure:

Typedef struct _ image_export_directory {DWORD characteristics; // The time when the DWORD timedatestamp is not used; // The time when the file is generated is word majorversion; // The main version number, which is generally 0 word minorversion; // the version number, it is generally 0 DWORD name; // The rva dword base pointing to the DLL name; // The base, generally 1 (starting from 1) DWORD numberoffunctions; // addressoffunctions the number of elements in the array directed to DWORD numberofnames; // The number of elements in the array pointed to by addressofnames DWORD addressoffunctions; // The rva dword addressofnames of the function address array ent; // function name array rva dword addressofnameordinals of eat; // RVA of the output serial number array, which is in the unit of word and used to connect the function name array to the function address array} image_export_directory, * pimage_export_directory;

The output table is mainly used to modify the IAT for the PE Loader, that is, to find the function entry address. The PE Loader can search for the address of a function by serial number or function name.

1. Search for the function entry address from the serial number

The PE Loader knows the serial number through Int. You can use this serial number to find the function address array eat.

2. Find the function entry address from the function name

Find the function name array ent by using the function name, and find the number N of the function name in the array (starting from 0 ), then, the nth value of the output serial number array (starting from 0) is obtained ). Then, the value of the function address array eat whose value is the serial number is the entry address of the function.

That is, the ent [Output serial number array [N]

Instance analysis:

For example, find the adjustwindowrect function in user32.dll.

First, check the binary file of user32.dll. Its image_optional_header structure is:

Image 1

We can know that:

Name: RVA 55c0h file offset value: 49c0h
Base: 1
Numberoffunctions: 02dch
Numberofnmae: 02dch
Addressoffunctions: RVA 3928 H file offset value: 2d28h
Addressofnames: RVA 4498 H file offset value: 3898 H
Addressofnameordinals: RVA 5008 H file offset value: 4408 H

View the string pointed to by the ent array. You can see that adjustwindowrect is 2nd elements. Therefore, you can view the 2nd elements in the output serial number array pointed to by addressofnameordinals. The value can be 1.

Image 2

Then, check that the value of the element with the serial number 1 (2nd elements) in the eat is 021140 H. This is the rva of the adjustwindowrect function.

Image 3

PE file structure (4) output table