The MASM Forum

General => The Laboratory => Topic started by: ragdog on April 06, 2017, 04:54:12 AM

Title: PE Export table
Post by: ragdog on April 06, 2017, 04:54:12 AM
Hello

I am writing a little tool to parse the PE export table (DLL).
I looked at the Win7 kernel32.dll with CFF Explorer or IDA Free and see this.

BaseThreadInitThunk
InterlockedPushListSList
AcquireSRWLockExclusive
...


AddressOfNames is the RVA of this name table, but the pointer points to aAcquiresrwlock.


AddressOfNamesTable dd rva aAcquiresrwlock, rva aAcquiresrwlo_0, rva aActivateactctx
                    dd rva aAddatoma, rva aAddatomw, rva aAddconsolealia, rva aAddconsoleal_0 ; "AcquireSRWLockExclusive"
                    dd rva aAddintegrityla, rva aAddlocalaltern, rva aAddlocalalte_

...

aKernel32_dll   db 'KERNEL32.dll',0
aAcquiresrwlock db 'AcquireSRWLockExclusive',0
aAcquiresrwlo_0 db 'AcquireSRWLockShared',0
aActivateactctx db 'ActivateActCtx',0


I tested it with dumpbin:
c:\masm32\bin\dumpbin /exports kernel32.dll > c:\kernel32.txt
All works fine.

What is correct now? Are these tools playing foul?

Regards,
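
Added example, not part of the original post: a Python sketch of how the three export tables relate, run on a constructed buffer in which RVA equals file offset. The PE format keeps the AddressOfNames pointers sorted by name, and AddressOfNameOrdinals maps each name to a slot in AddressOfFunctions; the slots given to the four names here, and the helper names, are assumptions chosen to reproduce the listing order quoted in the post.

```python
import struct

DIR_FMT = "<IIHHIIIIIII"  # IMAGE_EXPORT_DIRECTORY, 40 bytes

def build_image():
    """Constructed export data (not a real DLL); RVA == offset in this buffer."""
    names = [b"AcquireSRWLockExclusive", b"AcquireSRWLockShared",
             b"BaseThreadInitThunk", b"InterlockedPushListSList"]  # sorted by name
    # Assumed slot in AddressOfFunctions for each name (ordinal = Base + slot).
    slot_of = {names[2]: 0, names[3]: 1, names[0]: 2, names[1]: 3}
    n = len(names)
    eat, npt, ot = 40, 40 + 4 * n, 40 + 8 * n   # functions, names, name ordinals
    img = bytearray(ot + 2 * n)
    rvas = []
    for s in [b"KERNEL32.dll"] + names:          # string area follows the tables
        rvas.append(len(img))
        img += s + b"\0"
    struct.pack_into(DIR_FMT, img, 0, 0, 0, 0, 0, rvas[0], 1, n, n, eat, npt, ot)
    for i, nm in enumerate(names):
        slot = slot_of[nm]
        struct.pack_into("<I", img, eat + 4 * slot, 0x1000 + 0x10 * slot)
        struct.pack_into("<I", img, npt + 4 * i, rvas[i + 1])
        struct.pack_into("<H", img, ot + 2 * i, slot)
    return bytes(img)

def cstr(img, rva):
    return img[rva:img.index(b"\0", rva)].decode("ascii")

def parse_exports(img, dir_rva=0):
    """Return (ordinal, name, function RVA) tuples in AddressOfNames order."""
    (_, _, _, _, _, base, n_funcs, n_names,
     eat, npt, ot) = struct.unpack_from(DIR_FMT, img, dir_rva)
    out = []
    for i in range(n_names):
        name_rva, = struct.unpack_from("<I", img, npt + 4 * i)
        slot, = struct.unpack_from("<H", img, ot + 2 * i)
        if slot >= n_funcs:                      # malformed table, skip the entry
            continue
        func_rva, = struct.unpack_from("<I", img, eat + 4 * slot)
        out.append((base + slot, cstr(img, name_rva), func_rva))
    return out

def by_name(img):      # order of the AddressOfNames table
    return [name for _, name, _ in parse_exports(img)]

def by_ordinal(img):   # order of the AddressOfFunctions table
    return [name for _, name, _ in sorted(parse_exports(img))]

if __name__ == "__main__":
    image = build_image()
    print("name order:   ", by_name(image))
    print("ordinal order:", by_ordinal(image))
```

Both orderings come from the same export directory: walking AddressOfNames gives the alphabetical list, while sorting by ordinal gives the list that starts with BaseThreadInitThunk.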