Topic: PE Export table

ragdog

« on: April 06, 2017, 04:54:12 AM »
Hello

I am writing a little tool to parse the PE export table (DLL).
I look at the Win7 kernel32.dll with CFF Explorer or IDA Free and see this.

Code:
BaseThreadInitThunk
InterlockedPushListSList
AcquireSRWLockExclusive
...
.

AddressOfNames is the RVA of this name table, but the pointer is on aAcquiresrwlock.


AddressOfNamesTable    dd rva aAcquiresrwlock, rva aAcquiresrwlo_0, rva aActivateactctx
                                       dd rva aAddatoma, rva aAddatomw, rva aAddconsolealia, rva aAddconsoleal_0 ; "AcquireSRWLockExclusive"
                                       dd rva aAddintegrityla, rva aAddlocalaltern, rva aAddlocalalte_

..
.

aKernel32_dll   db 'KERNEL32.dll',0   
aAcquiresrwlock db 'AcquireSRWLockExclusive',0
aAcquiresrwlo_0 db 'AcquireSRWLockShared',0
aActivateactctx db 'ActivateActCtx',0 


I tested it with dumpbin: c:\masm32\bin\dumpbin /exports kernel32.dll > c:\kernel32.txt
and all works fine.

What is correct now? Are these tools playing foul?

Regards,
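
Added example, not part of the original post: a minimal Python parser for IMAGE_EXPORT_DIRECTORY, run on a constructed three-entry table (flat image where RVA equals offset; the ordinals 1 to 3 and the function RVAs are made up). It shows that AddressOfNames is sorted alphabetically while AddressOfNameOrdinals maps each name back to its slot in AddressOfFunctions, so a listing by name and a listing by ordinal give different orders for the same table.

```python
import struct

EXPORT_DIR = struct.Struct("<IIHHIIIIIII")  # IMAGE_EXPORT_DIRECTORY, 40 bytes

def cstr(img, rva):
    """Read a NUL-terminated ASCII string at rva."""
    return bytes(img[rva:img.index(0, rva)]).decode("ascii")

def parse_exports(img, dir_rva):
    """Return (dll_name, [(ordinal, name, func_rva)]) in AddressOfNames order."""
    (_, _, _, _, name_rva, base, n_funcs, n_names,
     funcs_rva, names_rva, ords_rva) = EXPORT_DIR.unpack_from(img, dir_rva)
    funcs = struct.unpack_from(f"<{n_funcs}I", img, funcs_rva)
    names = struct.unpack_from(f"<{n_names}I", img, names_rva)
    ords = struct.unpack_from(f"<{n_names}H", img, ords_rva)
    # names[i] pairs with ords[i]; ords[i] is an index into funcs, not an ordinal
    rows = [(base + ords[i], cstr(img, names[i]), funcs[ords[i]])
            for i in range(n_names)]
    return cstr(img, name_rva), rows

def build_sample():
    """Constructed flat image (RVA == offset); ordinals and RVAs are made up."""
    funcs = [("BaseThreadInitThunk", 0x1000),        # ordinal 1
             ("InterlockedPushListSList", 0x2000),   # ordinal 2
             ("AcquireSRWLockExclusive", 0x3000)]    # ordinal 3
    n = len(funcs)
    funcs_rva, names_rva, ords_rva = 40, 40 + 4 * n, 40 + 8 * n
    pos = ords_rva + 2 * n                           # strings follow the arrays
    strings, rva_of = b"", {}
    for s in ["KERNEL32.dll"] + [f[0] for f in funcs]:
        rva_of[s] = pos
        strings += s.encode() + b"\0"
        pos += len(s) + 1
    by_name = sorted(range(n), key=lambda i: funcs[i][0])  # name table is sorted
    img = EXPORT_DIR.pack(0, 0, 0, 0, rva_of["KERNEL32.dll"], 1, n, n,
                          funcs_rva, names_rva, ords_rva)
    img += struct.pack(f"<{n}I", *(f[1] for f in funcs))
    img += struct.pack(f"<{n}I", *(rva_of[funcs[i][0]] for i in by_name))
    img += struct.pack(f"<{n}H", *by_name)
    return img + strings

if __name__ == "__main__":
    dll, rows = parse_exports(build_sample(), 0)
    print(dll, "in AddressOfNames order:", [r[1] for r in rows])
    print("sorted by ordinal:", [r[1] for r in sorted(rows)])
```

For a real DLL the RVAs must first be translated to file offsets through the section table, which this flat sample skips.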