Hello
I write a little tool to parse the Pe Export table (Dll) .
I look on the kernel32.dll Win7 with Cff explorer or Ida Free and see this.
BaseThreadInitThunk
InterlockedPushListSList
AcquireSRWLockExclusive
...
.
The AddressOfNames is the RVA of this name table but the pointer on aAcquiresrwlock.
AddressOfNamesTable dd rva aAcquiresrwlock, rva aAcquiresrwlo_0, rva aActivateactctx
dd rva aAddatoma, rva aAddatomw, rva aAddconsolealia, rva aAddconsoleal_0 ; "AcquireSRWLockExclusive"
dd rva aAddintegrityla, rva aAddlocalaltern, rva aAddlocalalte_
..
.
aKernel32_dll db 'KERNEL32.dll',0
aAcquiresrwlock db 'AcquireSRWLockExclusive',0
aAcquiresrwlo_0 db 'AcquireSRWLockShared',0
aActivateactctx db 'ActivateActCtx',0
I test it with dumbin c:\masm32\bin\dumpbin /exports kernel32.dll > c:\kernel32.txt
all works fine
What is now correct play this tools foul?
Regards,