• Welcome to Valhalla Legends Archive.
 

Finding the EAT of a PE

Started by brew, December 22, 2007, 09:22 PM

Previous topic - Next topic
Print
|
Go Down Pages1
User actions

brew

December 22, 2007, 09:22 PM Last Edit: December 22, 2007, 09:26 PM by brew
Well? How do I do it?
I know that one of the elements of the DataDirectory[16] array (the last member of the PE32OptHeader struct) contains an RVA to the exports section but i really have no idea what one. help please! If i can find the correct one, i can add the base address of the dll with the export table's RVA then get the address of the IMAGE_EXPORT_DIRECTORY struct... then i can get to the EAT.
<3 Zorm
Quote[01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
Scio te esse, sed quid sumne? :P

Hdx

#1
December 25, 2007, 11:32 AM
If i recall correctly, IMAGE_DIRECTORY_ENTRY_EXPORT is the 1st element of that array. so the *DataDirectory = Pefile.DataDirectory[0].VirtualAddress
*DataExportDir = DataDirectory.VirtualAddress
Then DataExportDir.AddressOfFunctions
Something like that. Can't think straight.
~Hdx

Proud host of the JBLS server www.JBLS.org.
JBLS.org Status:
JBLS/BNLS Server Status

brew

#2
December 27, 2007, 12:38 PM
Quote from: Hdx on December 25, 2007, 11:32 AM
If i recall correctly, IMAGE_DIRECTORY_ENTRY_EXPORT is the 1st element of that array. so the *DataDirectory = Pefile.DataDirectory[0].VirtualAddress
*DataExportDir = DataDirectory.VirtualAddress
Then DataExportDir.AddressOfFunctions
Something like that. Can't think straight.
~Hdx
Thanks, hdx.
<3 Zorm
Quote[01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
Scio te esse, sed quid sumne? :P
Print
|
Go Up Pages1
User actions