#pragma once
#include "stdafx.h"
class PeFile;
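/// One resolved export: the address-table slot joined with its name and ordinal.
///
/// Entries live in Export::ExportSummaryTable, which Export lists under its
/// computed fields; they are presumably filled by
/// Export::PopulateExportSummaryTable (implementation not visible here).
///
/// Scalar members are zero-initialised so that a partially populated entry
/// never exposes indeterminate values when it is dumped or compared.
struct ExportSummary
{
    /// Raw value taken from the export address table: either the RVA of the
    /// exported symbol or the RVA of a forwarder string.
    DWORD ExportRVAOrForwarderRVA = 0;
    /// Non-zero when ExportRVAOrForwarderRVA is a forwarder RVA.
    /// (The spelling "Forwarde" is part of the public name and is kept.)
    BOOL IsForwardeRVA = 0;
    /// Exported symbol name; stays empty unless one is assigned.
    string FunctionName;
    /// Forwarder target string; only meaningful when IsForwardeRVA is set.
    string ForwarderName;
    /// Ordinal of the export.
    /// NOTE(review): whether this is stored biased (with OrdinalBase added)
    /// or as the raw table index cannot be told from this header - confirm.
    WORD Ordinal = 0;
};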
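/// In-memory view of a PE image's export data: the fixed-size Export Directory
/// Table, the three tables it points to, and a summary derived from them.
///
/// Every directory field and table entry originates from the file being
/// parsed, so the counts and RVAs must be treated as untrusted: validate them
/// against the file size and against each other before sizing a vector,
/// seeking, or indexing. Whether the Read* implementations do so is not
/// visible in this header.
///
/// All scalar members are zero-initialised so that an Export whose ReadExport
/// failed (or was never called) reports empty tables rather than indeterminate
/// counts and addresses.
struct Export
{
    // ---- Computed fields --------------------------------------------------

    /// File offset associated with this export directory (presumably the
    /// fileOffset passed to ReadExport - confirm in the implementation).
    DWORD64 FileAddress = 0;
    /// Size in bytes of the directory fields declared below
    /// (7 DWORDs + 2 WORDs + 2 DWORDs = 40).
    DWORD BlockSize = 40;
    /// One entry per resolved export, derived from the three tables below.
    vector<ExportSummary> ExportSummaryTable;

    // ---- Fields in the Export Directory Table ------------------------------

    DWORD ExportFlags = 0;
    DWORD TimeStamp = 0;
    WORD MajorVersion = 0;
    WORD MinorVersion = 0;
    DWORD ExportNameRVA = 0;
    DWORD OrdinalBase = 0;
    /// Entry count of AddressTable as declared by the file (untrusted).
    DWORD NumberOfAddressTableEntries = 0;
    /// Entry count of NamePointerTable as declared by the file (untrusted).
    /// NOTE(review): presumably also the length of OrdinalTable, since the
    /// two tables are parallel - confirm in ReadExportOrdinalTable.
    DWORD NumberOfNamePointers = 0;
    DWORD AddressTableRVA = 0;
    DWORD NameTableRVA = 0;
    DWORD OrdinalTableRVA = 0;

    // ---- Tables referenced by the directory --------------------------------

    /// Export address table. Each entry is either
    ///   - the RVA of an exported function or data item in a code or data
    ///     section, or
    ///   - a forwarder RVA: the RVA of a string naming an export of another
    ///     module, e.g. "OTHERDLL.expfunc" or "OTHERDLL.#ordinal".
    /// An entry is a forwarder RVA when its value lies within the export
    /// directory's own range (the export section); otherwise it is an export
    /// RVA into a code or data section.
    vector<DWORD> AddressTable;

    /// Export name pointer table. Each entry is the RVA at which the
    /// corresponding exported function name string can be found.
    vector<DWORD> NamePointerTable;

    /// Export ordinal table, relating names to AddressTable entries.
    /// The original note here says the values are not direct indexes and that
    /// OrdinalBase must be subtracted to obtain the AddressTable index.
    /// NOTE(review): the current PE/COFF specification describes the on-disk
    /// values as already unbiased indexes (OrdinalBase is added to obtain the
    /// ordinal) - confirm which convention the implementation follows.
    /// Either way, bounds-check the resulting index against
    /// AddressTable.size() before using it.
    vector<WORD> OrdinalTable;

    /// Reads the export data for peFile starting at fileOffset.
    /// NOTE(review): the meaning of the UINT result (status code vs. byte
    /// count) is not visible in this header - confirm.
    UINT ReadExport(const PeFile& peFile, DWORD64 fileOffset);

    /// Dumps the export information for peFile; output destination and format
    /// are defined by the implementation.
    void DumpExport(const PeFile& peFile);

private:
    // Helpers that, judging by their names, fill AddressTable,
    // NamePointerTable and OrdinalTable respectively from fileOffset.
    UINT ReadExportAddressTable(const PeFile& peFile, DWORD64 fileOffset);
    UINT ReadExportNamePointerTable(const PeFile& peFile, DWORD64 fileOffset);
    UINT ReadExportOrdinalTable(const PeFile& peFile, DWORD64 fileOffset);

    // Presumably builds ExportSummaryTable from the three tables above.
    UINT PopulateExportSummaryTable(const PeFile& peFile);
};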