3

I'm having trouble with IMAGE_EXPORT_DIRECTORY values, whenever I'm calculating address of it, it gives me wrong values (like Name, NumberOfNames, AddressOfNames, etc..). I'm calculating it by the following code.

IMAGE_EXPORT_DIRECTORY *export_directory = (IMAGE_EXPORT_DIRECTORY*)(nt_headers->OptionalHeader.DataDirectory[0].VirtualAddress + (DWORD)dos_header);

Following in debugger, the address is right, there must be a IMAGE_EXPORT_DIRECTORY, but why it gives me wrong results? Can't access any of the elements from it, because it says bad ptr.. Tried and works fine with kernel32.dll, but fails on user32.dll when extracting names from AddressOfNames.

Using Windows 8 x86.

Jens Björnhager
  • 5,632
  • 3
  • 27
  • 47
Nika
  • 1,864
  • 3
  • 23
  • 44
  • VirtualAddress is only the *preferred* load address for a section. It doesn't commonly actually load there, a DLL will be relocated if its preferred load address is already in use. And it may be randomized by the ASLR feature. Cast the return value of GetModuleHandle to void* to find the actual load address. – Hans Passant Nov 12 '12 at 16:21
  • I'm not yet using relocations, I'm using ReadFile to buffer instead of GetModuleHandle. – Nika Nov 12 '12 at 16:34
  • This has already been answered here: http://stackoverflow.com/questions/2975639/resolving-rvas-for-import-and-export-tables-within-a-pe-file – Nathan Moinvaziri Nov 13 '12 at 00:53
  • Thanks, at first try I don't understood that answer, but then idk how but I understood it. I'm beginner in C/C++. – Nika Nov 13 '12 at 13:02
  • You need to subtract the actual location of the section on disk vs the section (when expanded) in ram. – meawoppl Jun 25 '15 at 03:58

0 Answers0