PE file structure (IV): export table
References
Book: "Encryption and decryption"
Video: Small Turtle decryption Series video
Export table
The export table normally exists in a DLL. It lists the names of the functions the file exports together with the addresses of those functions, and the PE loader uses it to fill in the IAT.
DataDirectory[0] of IMAGE_OPTIONAL_HEADER gives the RVA of the export table. The export table begins with an IMAGE_EXPORT_DIRECTORY structure.
IMAGE_EXPORT_DIRECTORY structure:
    typedef struct _IMAGE_EXPORT_DIRECTORY {
        DWORD Characteristics;        // not used
        DWORD TimeDateStamp;          // time the file was generated
        WORD  MajorVersion;           // major version, typically 0
        WORD  MinorVersion;           // minor version, typically 0
        DWORD Name;                   // RVA pointing to the DLL name
        DWORD Base;                   // base ordinal, generally 1 (ordinals count from 1)
        DWORD NumberOfFunctions;      // number of elements in the array pointed to by AddressOfFunctions
        DWORD NumberOfNames;          // number of elements in the array pointed to by AddressOfNames
        DWORD AddressOfFunctions;     // RVA of the function address array (EAT)
        DWORD AddressOfNames;         // RVA of the function name array (ENT)
        DWORD AddressOfNameOrdinals;  // RVA of the export ordinal array, an array of WORD that pairs with the function name array
    } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
The export table exists mainly so that the PE loader can fill in the IAT, that is, find the entry address of each imported function. The loader looks up a function address in two ways: from the ordinal, or from the function name.
1. Finding the function entry address from the ordinal
The PE loader learns the ordinal from the INT. It uses this ordinal directly to index the function address array (EAT).
2. Finding the function entry address from the function name
Using the function name, search the function name array (ENT) for that name and note its position n in the array (counting from 0). Then take the nth value (counting from 0) of the export ordinal array.
The element of the function address array (EAT) at that ordinal value is the entry address of the function:
EAT[AddressOfNameOrdinals[n]]
Example analysis:
As an example, find the function AdjustWindowRect in User32.dll.
Look at the binary of user32.dll first. Its IMAGE_EXPORT_DIRECTORY structure is:
Picture 1
From it we can read:
Name: RVA 55C0h, file offset 49C0h
Base: 1
NumberOfFunctions: 02DCh
NumberOfNames: 02DCh
AddressOfFunctions: RVA 3928h, file offset 2D28h
AddressOfNames: RVA 4498h, file offset 3898h
AddressOfNameOrdinals: RVA 5008h, file offset 4408h
Looking at the strings the ENT array points to, AdjustWindowRect is the 2nd element.
So look at the 2nd element of the export ordinal array pointed to by AddressOfNameOrdinals: its value is 1.
Picture 2
The element with ordinal 1 in the EAT (i.e. the 2nd element) has the value 021140h, and this is the RVA of the AdjustWindowRect function.
Picture 3
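As an added example (not code from the original post), here are the two lookups described above carried out in Python over a constructed export directory laid out like the user32.dll dump: parse IMAGE_EXPORT_DIRECTORY, translate RVAs to file offsets through the section table, and resolve AdjustWindowRect both by name (ENT, then AddressOfNameOrdinals, then EAT) and by ordinal. It goes one step beyond the text by subtracting Base when looking up by ordinal and by including an export that has an ordinal but no name. The sample image, its single section and the 10000h/30000h addresses are constructed for the example.

```python
import struct

# IMAGE_EXPORT_DIRECTORY fields in order: Characteristics, TimeDateStamp, Major/MinorVersion, Name,
# Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
EXPORT_DIR_FMT = "<IIHHIIIIIII"

def rva_to_offset(rva, sections):
    """Map an RVA to a file offset via (VirtualAddress, PointerToRawData, SizeOfRawData) triples."""
    for va, raw, size in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} lies outside every section")

def read_cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def parse_exports(data, export_rva, sections):
    """Read the export directory; returns (dll_name, Base, EAT, ENT names, ordinal array)."""
    off = rva_to_offset(export_rva, sections)
    (_, _, _, _, name_rva, base, n_funcs, n_names,
     eat_rva, ent_rva, ord_rva) = struct.unpack_from(EXPORT_DIR_FMT, data, off)
    eat = struct.unpack_from(f"<{n_funcs}I", data, rva_to_offset(eat_rva, sections))
    ent = struct.unpack_from(f"<{n_names}I", data, rva_to_offset(ent_rva, sections))
    ords = struct.unpack_from(f"<{n_names}H", data, rva_to_offset(ord_rva, sections))
    names = [read_cstring(data, rva_to_offset(r, sections)) for r in ent]
    return read_cstring(data, rva_to_offset(name_rva, sections)), base, eat, names, ords

def lookup_by_name(exports, func_name):
    _, _, eat, names, ords = exports
    n = names.index(func_name)      # position n of the name in the ENT (from 0)
    return eat[ords[n]]             # EAT[AddressOfNameOrdinals[n]], as in the text

def lookup_by_ordinal(exports, ordinal):
    _, base, eat, _, _ = exports
    idx = ordinal - base            # export ordinals are biased by Base; the EAT index is not
    if not 0 <= idx < len(eat):
        raise ValueError(f"ordinal {ordinal} is not exported")
    return eat[idx]

def build_sample_image():
    """Constructed sample (not real user32.dll): export directory at RVA 1000h backed by file offset 400h."""
    sec_va, sec_raw = 0x1000, 0x400
    eat_rva, ent_rva, ord_rva, str_rva = sec_va + 40, sec_va + 52, sec_va + 60, sec_va + 64
    act_rva, adj_rva = str_rva + 11, str_rva + 11 + 23     # names follow the 11-byte "user32.dll\0"
    body = struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, str_rva, 1, 3, 2, eat_rva, ent_rva, ord_rva)
    body += struct.pack("<3I", 0x10000, 0x21140, 0x30000)  # EAT: ordinals 1, 2, 3 (3 has no name)
    body += struct.pack("<2I", act_rva, adj_rva)           # ENT, sorted by name
    body += struct.pack("<2H", 0, 1)                       # AddressOfNameOrdinals (EAT indices)
    body += b"user32.dll\0ActivateKeyboardLayout\0AdjustWindowRect\0"
    return b"\0" * sec_raw + body, sec_va, [(sec_va, sec_raw, 0x200)]
```

Calling `parse_exports(*build_sample_image())` followed by `lookup_by_name(ex, "AdjustWindowRect")` returns 21140h, the same RVA the dump above arrives at.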
Copyright notice: this article is an original blog post and may not be reproduced without consent.