0

I'm trying to parse a PE file, I could extract some info, but not PIMAGE_EXPORT_DIRECTORY. What am I doing wrong? I'm trying to get both offset and value.

bool InfoPE(const char* dllFile)
    {
        IMAGE_NT_HEADERS*       pNtHeaders;
        IMAGE_OPTIONAL_HEADER*  pOptionalHeader;
        IMAGE_FILE_HEADER*      pFileHeader;
        BYTE*                   pTargetBase;

        std::ifstream File(dllFile, std::ios::binary | std::ios::ate);

        auto FileSize = File.tellg();

        std::allocator<BYTE> alloc;
        BYTE* pSrcData = alloc.allocate(static_cast<UINT_PTR>(FileSize));

        File.seekg(0, std::ios::beg);
        File.read(reinterpret_cast<char*>(pSrcData), FileSize);
        File.close();

        pNtHeaders = reinterpret_cast<IMAGE_NT_HEADERS*>(pSrcData + reinterpret_cast<IMAGE_DOS_HEADER*>(pSrcData)->e_lfanew);

        pOptionalHeader = &pNtHeaders->OptionalHeader;
        pFileHeader = &pNtHeaders->FileHeader;

        IMAGE_DATA_DIRECTORY* dataDirectory;
        dataDirectory = pOptionalHeader->DataDirectory;

        DWORD exportDirRVA      = dataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
        DWORD exportDirSize     = dataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;

        // Trying to get offsets and values, but it fails here
auto pimage_export_directory = reinterpret_cast<PIMAGE_EXPORT_DIRECTORY>(pSrcData + exportDirRVA);

        return true;
    }

enter image description here

Edit: Oh and there is an export function in the DLL I am testing with:

enter image description here

jubibanna
  • 1,095
  • 9
  • 21
  • 1
    `exportDirRVA` this is rva , not file offset – RbMm May 09 '20 at 14:02
  • ah so this would work if the file was loaded into memory? – jubibanna May 09 '20 at 14:11
  • Does this answer your question? [Resolving RVA's for Import and Export tables within a PE file](https://stackoverflow.com/questions/2975639/resolving-rvas-for-import-and-export-tables-within-a-pe-file) – zett42 May 09 '20 at 14:15
  • Could also be helpful: [ImageDirectoryEntryToDataEx](https://learn.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-imagedirectoryentrytodataex) – zett42 May 09 '20 at 14:16
  • Hmm not quite, but your first link had a nice post about IMAGE_FIRST_SECTION which is also useful! Thanks anyway! – jubibanna May 09 '20 at 14:35

0 Answers0