1. The first member of the data directory table points to the export table: IMAGE_DATA_DIRECTORY[1] -> IMAGE_DIRECTORY_ENTRY_EXPORT.

    struct _IMAGE_EXPORT_DIRECTORY
    {
        DWORD Characteristics;        // 0x00
        DWORD TimeDateStamp;          // 0x04
        WORD  MajorVersion;           // 0x08
        WORD  MinorVersion;           // 0x0A
        DWORD Name;                   // 0x0C  RVA of the DLL name string
        DWORD Base;                   // 0x10  ordinal base
        DWORD NumberOfFunctions;      // 0x14  number of exported function addresses
        DWORD NumberOfNames;          // 0x18  number of exported function names
        DWORD AddressOfFunctions;     // 0x1C  RVA of the address table, each element = 4 bytes
        DWORD AddressOfNames;         // 0x20  RVA of the name table, each element = 4 bytes
        DWORD AddressOfNameOrdinals;  // 0x24  RVA of the ordinal table, each element = 2 bytes
    };

2. Example: obtaining the address of MessageBox from the export table
2.1 Export by name

    AddressOfNames[i] == "MessageBox";         // search the name table for the function name to get its index i
    nIndex = AddressOfNameOrdinals[i];         // use index i to read the index stored in the ordinal table
    pMessageBox = AddressOfFunctions[nIndex];  // use nIndex to read the function RVA; ImageBase + RVA = callable function address

2.2 Export by ordinal

    // If the function's export ordinal is known, the address is obtained directly:
    nIndex = ordinal - Base;                       // subtracting Base from the ordinal gives the index
    functionAddress = AddressOfFunctions[nIndex];  // use the index to read the function RVA; ImageBase + RVA = callable function address
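
The two lookups from section 2 as an added C example (not code from the original page): both walks are bounds-checked, which is what a tool that inspects untrusted images needs, and they run over a constructed in-memory image where an RVA is used directly as a buffer offset. The helper names, the sample layout and the RVA values are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* IMAGE_EXPORT_DIRECTORY field offsets, from the struct layout above. */
enum { BASE = 0x10, NFUNCS = 0x14, NNAMES = 0x18, FUNCS = 0x1C, NAMES = 0x20, ORDS = 0x24, DIRSZ = 0x28 };
/* Little-endian read of n bytes and 32-bit write, independent of host byte order. */
static uint32_t rd(const uint8_t *p, int n) { uint32_t v = 0; while (n--) v = (v << 8) | p[n]; return v; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
/* True when cnt elements of width w starting at rva lie inside the image. */
static int fits(uint32_t rva, uint32_t cnt, uint32_t w, uint32_t size) { return rva <= size && cnt <= (size - rva) / w; }
/* AddressOfFunctions[idx] -> function RVA, or 0 when idx or the table is out of range. */
static uint32_t func_rva(const uint8_t *img, uint32_t size, uint32_t dir, uint32_t idx) {
    uint32_t n = rd(img + dir + NFUNCS, 4), tbl = rd(img + dir + FUNCS, 4);
    return (idx < n && fits(tbl, n, 4, size)) ? rd(img + tbl + 4 * idx, 4) : 0;
}
/* 2.2 Export by ordinal: nIndex = ordinal - Base. */
uint32_t export_by_ordinal(const uint8_t *img, uint32_t size, uint32_t dir, uint32_t ordinal) {
    if (!fits(dir, 1, DIRSZ, size)) return 0;
    uint32_t base = rd(img + dir + BASE, 4);
    return ordinal >= base ? func_rva(img, size, dir, ordinal - base) : 0;
}
/* 2.1 Export by name: AddressOfNames[i] -> AddressOfNameOrdinals[i] -> AddressOfFunctions[nIndex]. */
uint32_t export_by_name(const uint8_t *img, uint32_t size, uint32_t dir, const char *name) {
    if (!fits(dir, 1, DIRSZ, size)) return 0;
    uint32_t n = rd(img + dir + NNAMES, 4), names = rd(img + dir + NAMES, 4), ords = rd(img + dir + ORDS, 4);
    uint32_t len = (uint32_t)strlen(name) + 1;           /* compare including the NUL */
    if (!fits(names, n, 4, size) || !fits(ords, n, 2, size)) return 0;
    for (uint32_t i = 0; i < n; i++) {
        uint32_t s = rd(img + names + 4 * i, 4);         /* RVA of the i-th name string */
        if (fits(s, len, 1, size) && memcmp(img + s, name, len) == 0)
            return func_rva(img, size, dir, rd(img + ords + 2 * i, 2));
    }
    return 0;
}
enum { SAMPLE_DIR = 0x40 };  /* constructed sample: RVA of its export directory */
void build_sample(uint8_t *img, uint32_t size) {   /* caller supplies at least 0x100 bytes */
    memset(img, 0, size);
    wr32(img + SAMPLE_DIR + BASE, 1); wr32(img + SAMPLE_DIR + NFUNCS, 3); wr32(img + SAMPLE_DIR + NNAMES, 2);
    wr32(img + SAMPLE_DIR + FUNCS, 0x80); wr32(img + SAMPLE_DIR + NAMES, 0x90); wr32(img + SAMPLE_DIR + ORDS, 0x98);
    wr32(img + 0x80, 0x1000); wr32(img + 0x84, 0x1010); wr32(img + 0x88, 0x1020);   /* function RVAs */
    wr32(img + 0x90, 0xA0); wr32(img + 0x94, 0xA8); img[0x98] = 2;   /* names; Beep -> 2, MessageBox -> 0 */
    memcpy(img + 0xA0, "Beep", 5); memcpy(img + 0xA8, "MessageBox", 11);
}
int main(void) {
    uint8_t img[0x100];
    build_sample(img, sizeof img);
    printf("MessageBox: 0x%X, ordinal 2: 0x%X\n", export_by_name(img, sizeof img, SAMPLE_DIR, "MessageBox"), export_by_ordinal(img, sizeof img, SAMPLE_DIR, 2));
    return 0;
}
```

A return value of 0 means the lookup failed or a table pointed outside the image; as in the text, a caller adds ImageBase to a non-zero RVA to get the callable address.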