Link to home
Start Free TrialLog in
Avatar of r3L4x
r3L4x

asked on

Listing the Export Address Table (EAT) - IMAGE_EXPORT_DIRECTORY

Ok, i have code im trying to write the export address table in C++, and i am utterly confused. I have the Import Address Table listing pretty much down pat, but EAT seems to be different.

Here is code i have so far:

void main()
{

      HINSTANCE hInstance;
      hInstance = GetModuleHandle("kernel32.dll");

      IMAGE_DOS_HEADER *dosHeader;
      dosHeader = (IMAGE_DOS_HEADER *)hInstance;

      if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE)
      {
            MessageBox(0, "1", "", 0);
      //      return NULL;
      }

      IMAGE_NT_HEADERS *ntHeaders = (IMAGE_NT_HEADERS *)(((BYTE *)dosHeader) + dosHeader->e_lfanew);

      if (ntHeaders->Signature != 0x00004550)
      {
            MessageBox(0, "2", "", 0);
      //      return NULL;
      }
IMAGE_OPTIONAL_HEADER *optionalHeader = &ntHeaders->OptionalHeader;
      IMAGE_DATA_DIRECTORY *dataDirectory = &optionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
      
      IMAGE_EXPORT_DIRECTORY *Exp;
      Exp = (IMAGE_EXPORT_DIRECTORY *)((DWORD)dosHeader + dataDirectory->VirtualAddress);
      
      IMAGE_SECTION_HEADER * section;
      //section = (IMAGE_SECTION_HEADER *);
      
      char blah[100];
      int count = 1;
      //for(count = 1; count == Exp->NumberOfFunctions; count++)
      //{
            //sprintf(blah, "Names: %d", Exp->AddressOfFunctions[count]);
PSTR * Name;
Name      = (PSTR *)((DWORD)Exp->AddressOfNames + dosHeader->e_lfanew);
            sprintf(blah, "Name:%s\nNum of Functs:%d\nBase: %d Addr:%d", &Name, Exp->NumberOfFunctions, Exp->Base, Exp->AddressOfFunctions);
            MessageBox(0, blah, "", 0);
            //Exp++;
            //sprintf(blah, "Poo:%d\nName:%d \nNum of Functs%d\nBase: %d", endExportEntry,Exp->Name, Exp->NumberOfFunctions, Exp->Base);
            //MessageBox(0, blah, "", 0);
            //count++;
      //}
}


sorry if this is incomplete my code so far is extremely messy!

As you can tell with the 500 points, i would REALLY appreciate some help..
Avatar of drichards
drichards

If you're just rtying to get the names, this will do:

    HINSTANCE hInstance;
    hInstance = GetModuleHandle("kernel32.dll");

    IMAGE_DOS_HEADER *dosHeader;
    dosHeader = (IMAGE_DOS_HEADER *)hInstance;

    if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        MessageBox(0, "1", "", 0);
        return 1;
    }

    IMAGE_NT_HEADERS *ntHeaders = (IMAGE_NT_HEADERS *)(((BYTE *)dosHeader) + dosHeader->e_lfanew);

    if (ntHeaders->Signature != 0x00004550)
    {
        MessageBox(0, "2", "", 0);
        return 1;
    }

    IMAGE_OPTIONAL_HEADER *optionalHeader = &ntHeaders->OptionalHeader;
    IMAGE_DATA_DIRECTORY *dataDirectory = &optionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
     
    IMAGE_EXPORT_DIRECTORY *Exp;
    Exp = (IMAGE_EXPORT_DIRECTORY *)((DWORD)dosHeader + dataDirectory->VirtualAddress);
     
    IMAGE_SECTION_HEADER *section;
     
    char blah[100];
    int count = 1;
    char * Name;
    Name     = (char *)((DWORD)Exp->Name + (DWORD)dosHeader);
    sprintf(blah, "Name:%s\nNum of Functs:%d\nBase: %d Addr:%d\n", Name, Exp->NumberOfFunctions, Exp->Base, Exp->AddressOfFunctions);
    std::cout << blah << std::endl;
   
    for(count = 0; count < Exp->NumberOfNames; count++)  // Can't use number of Functions - may not be the same because may export by ordinal
    {
        Name += ::strlen(Name); // skip current name
        Name += 1;              // skip null terminator
        std::cout << Name << std::endl;
    }

You were quite close - a few typos and a couple of incorrect values.
ASKER CERTIFIED SOLUTION
Avatar of SCDMETA
SCDMETA

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of r3L4x

ASKER

Thanks for the help! My question is answered :D