A question about IMAGE_EXPORT_DIRECTORY [Archive] - RCE Messageboard's Regroupment

View Full Version : A question about IMAGE_EXPORT_DIRECTORY

MathewMickle

December 1st, 2008, 23:47

View the IED of a dll file , as followings,

Code:



  ...

  Base:1

  NumberOfFunctions:3

  NumberOfNames:3  

  ...

Code:



   ...

  AddressOfFunction          :    1032   1036    1042

  AddressOfName              :    2050   205E    2069

  AddressOfNameOrdinals    :       0       1      2

  ...

Some tutorials say: the Base member holds the starting value and the loader
subtracts the ordinal numbers from it to obtain the true index into the EAT.

Q: If The first ordinal 0 (AddressOfNameOrdinals : 0 ,1 , 2) subtracts the Base 1,it will get 0xFFFFFFFF.The index must be wrong,so could anyone explain it to me?

Thanks!

Nacho_dj

December 2nd, 2008, 03:43

Hello MathewMickle:

It doesn't work exactly in that way.

Each element of the array of AddressOfNameOrdinals is a word that indicates the order of the name of a function in the AddressOfName, where first name of function would give order=zero, second name of function would give order=1, and so on...
So, in your example, the first element of the array, 0, indicates this is the first element of the array AddressOfName.

The ordinal of the function is gotten by the position of that word in the AddressOfNameOrdinals array, starting with first position -->ordinal zero, second position --> ordinal=1, then we must add nBase to that position to get the ordinal.

In our example, 0 word is in the first position of that array, so its ordinal will be: position(0) + nBase(1) = 1.

I hope this makes sense...

Best regards

Nacho_dj

MathewMickle

December 2nd, 2008, 07:46

According to your explanation,EAT[0] (EAT looks like an array,and EAT[0] is the first member of the array) will NEVER be used because nBase is equel to 1 in general.

Is it right?

Thanks!

Nacho_dj

December 2nd, 2008, 08:06

No, no... To better understand the export table, let's reverse the things:

We would like to get the function of 'X' module with ordinal=1.

First, we have to subtract to this ordinal nBase, let's say it is 1, then we get ordinal(1) - nBase(1) = 0.

Now we go to the AddressOfNameOrdinals and we search for the word 0 in that table. In our example, it is at the first position in the array (there are cases where it is not in the first position).

OK, let's go to AddressOfName array and get the name at first position, that is the name function with ordinal 1 in this module for this example.

So, as you can see the word at first position of AddressOfNameOrdinals is used, of course...

Best regards

Nacho_dj