PE Export table

Started by ragdog, April 06, 2017, 04:54:12 AM

ragdog

Hello

I write a little tool to parse the PE export table (DLL).
I look at the Win7 kernel32.dll with CFF Explorer or IDA Free and see this:

BaseThreadInitThunk
InterlockedPushListSList
AcquireSRWLockExclusive
...
.


The AddressOfNames is the RVA of this name table, but the pointer is on aAcquiresrwlock.


AddressOfNamesTable dd rva aAcquiresrwlock, rva aAcquiresrwlo_0, rva aActivateactctx
                    dd rva aAddatoma, rva aAddatomw, rva aAddconsolealia, rva aAddconsoleal_0 ; "AcquireSRWLockExclusive"
                    dd rva aAddintegrityla, rva aAddlocalaltern, rva aAddlocalalte_

..
.

aKernel32_dll   db 'KERNEL32.dll',0   
aAcquiresrwlock db 'AcquireSRWLockExclusive',0
aAcquiresrwlo_0 db 'AcquireSRWLockShared',0
aActivateactctx db 'ActivateActCtx',0 


I test it with dumpbin: c:\masm32\bin\dumpbin /exports kernel32.dll > c:\kernel32.txt
and all works fine.

What is correct now? Are these tools playing foul?

Regards,
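
Added example (not part of the original post, not the poster's tool): a minimal Python parser for the export directory that returns the exports in both orders seen above. The PE format keeps the AddressOfNames pointers sorted by name, while AddressOfNameOrdinals maps each name to an index into AddressOfFunctions, and a listing sorted by ordinal (Base + index) can therefore start with a different name. The sample image, its ordinals and its function RVAs are constructed, and the code assumes an in-memory layout where an RVA is an offset into the buffer.

```python
import struct

EXPORT_DIR = struct.Struct("<IIHHIIIIIII")   # IMAGE_EXPORT_DIRECTORY (40 bytes)

def cstr(img, rva):
    """NUL-terminated ASCII string at rva; ValueError if it runs off the image."""
    return img[rva:img.index(b"\0", rva)].decode("ascii")

def parse_exports(img, dir_rva):
    """Return (names in AddressOfNames order, [(ordinal, func_rva, name)] by ordinal).
    Assumption: img is laid out as in memory, so an RVA is an offset into img."""
    (_, _, _, _, _, base, n_funcs, n_names,
     funcs_rva, names_rva, ords_rva) = EXPORT_DIR.unpack_from(img, dir_rva)
    funcs = struct.unpack_from(f"<{n_funcs}I", img, funcs_rva)
    name_rvas = struct.unpack_from(f"<{n_names}I", img, names_rva)
    name_idx = struct.unpack_from(f"<{n_names}H", img, ords_rva)
    by_index = {}
    for rva, idx in zip(name_rvas, name_idx):
        if idx >= n_funcs:                       # malformed or hostile table
            raise ValueError("name ordinal index outside function table")
        by_index[idx] = cstr(img, rva)
    by_name = [cstr(img, rva) for rva in name_rvas]
    by_ordinal = [(base + i, f, by_index.get(i)) for i, f in enumerate(funcs)]
    return by_name, by_ordinal

def build_sample():
    """Constructed image: three names from the post, made-up ordinals and RVAs."""
    in_ordinal_order = ["BaseThreadInitThunk", "InterlockedPushListSList",
                        "AcquireSRWLockExclusive"]
    sorted_names = sorted(in_ordinal_order)      # the name table is sorted by name
    n = len(in_ordinal_order)
    funcs_rva = EXPORT_DIR.size
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    str_rva = ords_rva + 2 * n
    strings, name_rvas = b"", []
    for s in sorted_names:
        name_rvas.append(str_rva + len(strings))
        strings += s.encode() + b"\0"
    head = EXPORT_DIR.pack(0, 0, 0, 0, 0, 1, n, n, funcs_rva, names_rva, ords_rva)
    return (head + struct.pack(f"<{n}I", 0x1000, 0x2000, 0x3000)
            + struct.pack(f"<{n}I", *name_rvas)
            + struct.pack(f"<{n}H", *(in_ordinal_order.index(s) for s in sorted_names))
            + strings)

if __name__ == "__main__":
    by_name, by_ordinal = parse_exports(build_sample(), 0)
    print(by_name)       # order of the AddressOfNames table
    print(by_ordinal)    # order an ordinal-sorted listing shows
```

For a DLL read from disk, each RVA must first be converted to a file offset through the section table, which this example leaves out.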