I work on a PE file and I try to interpret this line in IDA :

v4 = *(_DWORD *)((char *)LibraryA + *((_DWORD *)LibraryA + 15) + 120);

LibraryA is the base address of the PE file

*((_DWORD *)LibraryA + 15) is equivalent to *(LibraryA + 60) = *(LibraryA + 0x3C) = *(LibraryA + e_lfanew) = 0x100 = PEOffset

Thus *((_DWORD *)LibraryA + 15) + 120 points to the export directory according to CFF Explorer

When I use CFF explorer > Nt header > Optional header > Data directories > Export table address = 0x178 = 0x100 (PE offset) + 0x78 (export table address)

But when I use the msdn doc https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#optional-header-data-directories-image-only I see the PE offset for the Export Table is 96 (0x60) instead of the value found in CFF Explorer : 120 (0x78)

I think I'm wrong when I use the msdn doc, but I can't figure out where.

  • 3
    I agree with your assumptions about the equivalency of offsets, but I didn't do a hard check on every item you mention. It's deep! Instead, I would encourage you to apply that same pointer math/expression to a buffer you declare and populate with known data. Then see if the data returned by the pointer expression matches the data you know to be at the expected buffer offset. Right? In this way, you could at least be sure about the pointer arithmetic and related offsets -- then maybe you could know if CFF Explorer is in error or not. Commented Oct 1, 2023 at 11:22
  • 1
    Thanks for your comment, I tried CFF Explorer on another sample and it gives again the good offset for the export table address, it is my way to use the info given by msdn which is wrong, I don't know exactly where for the moment, I will search again these days Commented Oct 1, 2023 at 18:23
  • 2
    Hi @Nerios -- I got very curious about this problem (and I love coding) so I set you up with the initial test bed as suggested. You can add to this code -- testing every kind of pointer math and assumption about the offsets that you have. The problem is one of 3 places: 1.) CFF Explorer 2.) Your pointer arithmetic or 3.) Your understanding of the msdn specification. I hope this helps you narrow it down all the way. Commented Oct 2, 2023 at 0:22

2 Answers

(Thanks to Kz2023 for your suggestions; I didn't know this site, godbolt.org.)

The answer to my problem is quite simple: in the msdn the offset given for the export table address is relative to the OptionalHeader, and in the code the offset is relative to the PE COFF header.

Reminder: the size of the PE COFF header is 0x18 bytes, which is the difference I noticed between the 96 bytes (0x60) of msdn and the 120 bytes (0x78) in the code PE layout.
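As an added, stand-alone illustration (not code from the question, from either answer, or from IDA/CFF Explorer), the following Python script constructs a minimal PE header in memory, evaluates the decompiled expression literally, and compares it with a walk driven by the documented layout (e_lfanew at 0x3C, 4-byte "PE\0\0" signature, 20-byte COFF header, DataDirectory at 96 in a PE32 optional header and at 112 in PE32+). The header offsets are the ones fixed by the PE format; the sample image contents (PE offset 0x100, export RVA 0x3000, size 0x80) are constructed values. It also goes one step beyond the question: the hard-coded +120 only holds for PE32, and for a PE32+ image it lands on SizeOfHeapCommit instead of the export entry.

```python
import struct

# Fixed offsets from the PE format specification (not assumptions)
E_LFANEW_OFFSET = 0x3C                 # DOS header field holding the offset of "PE\0\0"
PE_SIGNATURE_SIZE = 4
COFF_HEADER_SIZE = 20
PE_COFF_HEADER_SIZE = PE_SIGNATURE_SIZE + COFF_HEADER_SIZE   # 0x18: the gap between 0x60 and 0x78
DATA_DIRECTORY_OFFSET_PE32 = 96        # offset of DataDirectory inside a PE32 optional header
DATA_DIRECTORY_OFFSET_PE32PLUS = 112   # offset of DataDirectory inside a PE32+ optional header
IMAGE_DIRECTORY_ENTRY_EXPORT = 0       # export table is DataDirectory[0]
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def build_sample_image(pe_offset=0x100, export_rva=0x3000, export_size=0x80, pe32plus=False):
    """Construct a minimal in-memory image: DOS header with e_lfanew, PE signature,
    COFF header, optional header Magic and a data directory table. Everything else
    is zero-filled. This is constructed test data, not a real binary."""
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    dd_off = DATA_DIRECTORY_OFFSET_PE32PLUS if pe32plus else DATA_DIRECTORY_OFFSET_PE32
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW_OFFSET, pe_offset)
    img[pe_offset:pe_offset + 4] = b"PE\0\0"
    opt = pe_offset + PE_COFF_HEADER_SIZE              # start of the optional header
    struct.pack_into("<H", img, opt, magic)
    entry = opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT
    struct.pack_into("<II", img, entry, export_rva, export_size)   # IMAGE_DATA_DIRECTORY {RVA, Size}
    return bytes(img)


def read_u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def export_rva_like_ida(buf):
    """Literal transcription of the decompiled line
        *(_DWORD *)((char *)LibraryA + *((_DWORD *)LibraryA + 15) + 120)
    (_DWORD *)LibraryA + 15 is a DWORD-pointer step, i.e. +60 bytes = e_lfanew;
    +120 = 0x18 (signature + COFF header) + 0x60 (PE32 DataDirectory offset)."""
    return read_u32(buf, read_u32(buf, 15 * 4) + 120)


def export_directory_entry_from_spec(buf):
    """Walk the headers the way the documentation describes: e_lfanew -> PE signature
    -> COFF header -> optional header (Magic selects PE32 vs PE32+) -> DataDirectory[0].
    Returns the entry's offset relative to the PE signature plus its RVA and Size."""
    pe_offset = read_u32(buf, E_LFANEW_OFFSET)
    if buf[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    opt = pe_offset + PE_COFF_HEADER_SIZE
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == PE32_MAGIC:
        dd_off = DATA_DIRECTORY_OFFSET_PE32
    elif magic == PE32PLUS_MAGIC:
        dd_off = DATA_DIRECTORY_OFFSET_PE32PLUS
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry = opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT
    rva, size = struct.unpack_from("<II", buf, entry)
    return {"entry_offset_from_pe": entry - pe_offset, "rva": rva, "size": size}


if __name__ == "__main__":
    img = build_sample_image()
    print("IDA expression  :", hex(export_rva_like_ida(img)))
    print("spec walk (PE32):", export_directory_entry_from_spec(img))
    img64 = build_sample_image(pe32plus=True)
    print("IDA expression on PE32+ (wrong field):", hex(export_rva_like_ida(img64)))
    print("spec walk (PE32+):", export_directory_entry_from_spec(img64))
```

For the PE32 sample both paths agree: the entry sits at 0x78 from the PE signature (0x18 + 0x60, i.e. 0x178 in the file when e_lfanew is 0x100, matching CFF Explorer) and yields the constructed RVA. The spec-driven walk is what a loader or analysis tool should do, since it checks the signature and the Magic instead of trusting a fixed constant.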

I was mistaken when finding the debug directory (see Strange entry type 4194304 while reading debug directory for more information) and this will apply for another directory entry, for example, import directory, export directory, etc.

That's the offset to data directory entry, not the section entry or offset to export table. For getting the export section content, use the answers in that question.
