Relation between ordinal numbers and ordinal bases in PE-files.

Doing some PE-analysis, I cannot recognize what the PE-documentation says in practice:

> Thus, when the export name pointer table is searched and a matching string is found at position i, the algorithm for finding the symbol’s address is:
>
> ```
> i = Search_ExportNamePointerTable (ExportName);
> ordinal = ExportOrdinalTable [i];
> SymbolRVA = ExportAddressTable [ordinal - OrdinalBase];
> ```

Having located the ordinal x for e.g. ExitProcess and verified the ordinal base to be 0x01, the RVA for ExitProcess is found at position x within the export address table, and not at position x - 1 as specified by the documentation.

Indeed, to look up the RVA for a function, I compute `export_address_base + ordinal * 0x04`, and not the advertised `export_address_base + (ordinal - 1) * 0x04`.

Am I missing something here?

Shuzheng
  • Can you include a quote where `export_address_base + (ordinal - 1) * 0x04` is advertised? – Margaret Bloom Oct 10 '16 at 10:11
  • The algorithm I quote is from the PE-documentation, the OrdinalBase is 1, and the field size is 0x04. – Shuzheng Oct 11 '16 at 19:31
  • Possible duplicate of [How can `kernel32.dll` export an ordinal of 0, when its `OrdinalBase` field is set to 1?](http://stackoverflow.com/questions/39996742/how-can-kernel32-dll-export-an-ordinal-of-0-when-its-ordinalbase-field-is-s) – Erlend Graff Oct 29 '16 at 00:45
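
An added example, not part of the question or its comments: a small resolver that follows the current PE format specification, in which the export ordinal table holds unbiased indexes into the export address table and OrdinalBase is subtracted only when starting from a biased ordinal. The export data is constructed for the example, laid out so that RVA equals buffer offset, and the function RVAs are made up.

```python
import struct

DIR_FMT = "<IIHHIIIIIII"  # IMAGE_EXPORT_DIRECTORY, 40 bytes

def build_sample(base, funcs, names):
    """Constructed export data, laid out so that RVA == buffer offset.
    funcs: function RVAs (the EAT); names: {export name: EAT index}."""
    items = sorted(names.items())  # the name pointer table is sorted by name
    eat = struct.calcsize(DIR_FMT)
    npt = eat + 4 * len(funcs)
    ot = npt + 4 * len(items)
    strings, name_rvas = b"", []
    for name, _ in items:
        name_rvas.append(ot + 2 * len(items) + len(strings))
        strings += name.encode("ascii") + b"\0"
    hdr = struct.pack(DIR_FMT, 0, 0, 0, 0, 0, base, len(funcs), len(items), eat, npt, ot)
    return (hdr + struct.pack(f"<{len(funcs)}I", *funcs)
            + struct.pack(f"<{len(items)}I", *name_rvas)
            + struct.pack(f"<{len(items)}H", *(idx for _, idx in items)) + strings)

def read_dir(img, dir_rva=0):
    f = struct.unpack_from(DIR_FMT, img, dir_rva)
    return dict(base=f[5], n_funcs=f[6], n_names=f[7], eat=f[8], npt=f[9], ot=f[10])

def eat_entry(img, d, index):
    if not 0 <= index < d["n_funcs"]:
        raise ValueError(f"EAT index {index} out of range")
    return struct.unpack_from("<I", img, d["eat"] + 4 * index)[0]

def resolve_by_name(img, wanted):
    d = read_dir(img)
    for i in range(d["n_names"]):
        name_rva = struct.unpack_from("<I", img, d["npt"] + 4 * i)[0]
        name = img[name_rva:img.index(b"\0", name_rva)].decode("ascii")
        if name == wanted:
            # The ordinal table entry is already an unbiased EAT index.
            index = struct.unpack_from("<H", img, d["ot"] + 2 * i)[0]
            return {"index": index, "ordinal": index + d["base"], "rva": eat_entry(img, d, index)}
    return None

def resolve_by_ordinal(img, ordinal):
    d = read_dir(img)
    # OrdinalBase is subtracted only here, from a biased ordinal.
    return eat_entry(img, d, ordinal - d["base"])

# Constructed sample: OrdinalBase 1, three exports, two of them named.
SAMPLE = build_sample(1, [0x1000, 0x2000, 0x3000], {"ExitProcess": 2, "AddAtomW": 0})
print(resolve_by_name(SAMPLE, "ExitProcess"))
```

With OrdinalBase 1, the value stored in the ordinal table for the sample `ExitProcess` entry is 2, the export's ordinal is 3, and both lookups reach the same address table slot.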
