Windows PE Export Directory Table (windbg)
Steps to inspect the IMAGE_DATA_DIRECTORY (Export Directory Table) structure using the windbg debugger. First we need the value of e_lfanew (the DWORD at offset 0x3c of the DOS header) and the offset of IMAGE_OPTIONAL_HEADER inside IMAGE_NT_HEADERS (0x18). You can check the previous post, Windows PE File structure (windbg), which shows how to reach the IMAGE_NT_HEADERS. If you want to know more about AddressOfNames and NumberOfNames
IMAGE OPTIONAL HEADER
Here we dump the IMAGE_OPTIONAL_HEADER at offset 0x18 from the IMAGE_NT_HEADERS (0x756f0000 is the kernel32 image base and 0xe8 is its e_lfanew value). The field we are after is DataDirectory, an array of 16 _IMAGE_DATA_DIRECTORY entries at +0x060.
0:003> dt ntdll!_IMAGE_OPTIONAL_HEADER 756f0000 + 0xe8 + 0x18
+0x000 Magic : 0x10b
+0x002 MajorLinkerVersion : 0xe ''
+0x003 MinorLinkerVersion : 0x14 ''
+0x004 SizeOfCode : 0x86000
+0x008 SizeOfInitializedData : 0x13000
+0x00c SizeOfUninitializedData : 0
+0x010 AddressOfEntryPoint : 0x1cfa0
+0x014 BaseOfCode : 0x1000
+0x018 BaseOfData : 0x87000
+0x01c ImageBase : 0x756f0000
+0x020 SectionAlignment : 0x1000
+0x024 FileAlignment : 0x1000
+0x028 MajorOperatingSystemVersion : 0xa
+0x02a MinorOperatingSystemVersion : 0
+0x02c MajorImageVersion : 0xa
+0x02e MinorImageVersion : 0
+0x030 MajorSubsystemVersion : 0xa
+0x032 MinorSubsystemVersion : 0
+0x034 Win32VersionValue : 0
+0x038 SizeOfImage : 0x9a000
+0x03c SizeOfHeaders : 0x1000
+0x040 CheckSum : 0xa9760
+0x044 Subsystem : 3
+0x046 DllCharacteristics : 0x4140
+0x048 SizeOfStackReserve : 0x40000
+0x04c SizeOfStackCommit : 0x1000
+0x050 SizeOfHeapReserve : 0x100000
+0x054 SizeOfHeapCommit : 0x1000
+0x058 LoaderFlags : 0
+0x05c NumberOfRvaAndSizes : 0x10
+0x060 DataDirectory : [16] _IMAGE_DATA_DIRECTORY
IMAGE DATA DIRECTORY
We see above that DataDirectory is at offset 0x60 inside the optional header, so we add the optional header's own offset of 0x18: ? 0x60 + 0x18 -> 0x78 from the start of IMAGE_NT_HEADERS. The first entry of the array is the Export Directory Table; its RVA is 0x788b0. We can cross-check the address of the Export Directory Table with the following command, which prints all data directories: !dh -f kernel32
0:003> dt ntdll!_IMAGE_DATA_DIRECTORY 756f0000 + 0xe8 + 0x78
+0x000 VirtualAddress : 0x788b0
+0x004 Size : 0xdc44
VMA OF EXPORT DIRECTORY TABLE
The VMA (Virtual Memory Address) of the Export Directory Table is the image base plus the RVA: 0x757688b0
0:003> ? 756f0000 + 0x788b0
Evaluate expression: 1970702512 = 757688b0
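The same walk, DOS header -> e_lfanew -> IMAGE_NT_HEADERS + 0x18 -> DataDirectory[0] -> IMAGE_EXPORT_DIRECTORY -> AddressOfNames / NumberOfNames, done in Python instead of windbg. This is an added example, not code from the original post. It parses a mapped image (RVA equals offset from the start of the buffer, which is what windbg sees for a loaded module); for a file read from disk you would first translate each RVA through the section headers, which this example does not do. The sample image, the DLL name demo.dll and the exports Alpha and Beta are constructed inline for the demonstration; the example also handles the PE32+ (0x20b) layout and forwarded exports, which the post's kernel32 walk does not show.

```python
import struct

# Fixed PE layout facts (PE/COFF specification), the same offsets the windbg walk uses.
E_LFANEW_OFFSET = 0x3C            # DOS header field holding the offset of "PE\0\0"
OPTIONAL_HEADER_OFFSET = 0x18     # IMAGE_OPTIONAL_HEADER starts 0x18 bytes into IMAGE_NT_HEADERS
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
# (NumberOfRvaAndSizes offset, DataDirectory offset) inside the optional header, per magic
DIRECTORY_OFFSETS = {PE32_MAGIC: (0x5C, 0x60), PE32PLUS_MAGIC: (0x6C, 0x70)}
IMAGE_DIRECTORY_ENTRY_EXPORT = 0  # DataDirectory[0] is the export directory


def _need(image, offset, length):
    """Refuse to read past the end of the image (truncated or malformed headers are common)."""
    if offset < 0 or offset + length > len(image):
        raise ValueError(f"read of {length} bytes at 0x{offset:x} leaves the image")


def _u16(image, off):
    _need(image, off, 2)
    return struct.unpack_from("<H", image, off)[0]


def _u32(image, off):
    _need(image, off, 4)
    return struct.unpack_from("<I", image, off)[0]


def _cstring(image, rva, limit=512):
    end = image.find(b"\0", rva, rva + limit)
    if rva >= len(image) or end < 0:
        raise ValueError(f"unterminated string at 0x{rva:x}")
    return image[rva:end].decode("ascii", errors="replace")


def parse_export_directory(image, image_base):
    """Walk DOS header -> NT headers -> optional header -> DataDirectory[0] -> export table.

    `image` is a mapped (in-memory) layout, so an RVA is a plain offset from its start,
    exactly as when windbg reads a loaded module at image_base + RVA.
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt = _u32(image, E_LFANEW_OFFSET)          # the "e_lfanew (0x3c)" step
    _need(image, nt, 4)
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = nt + OPTIONAL_HEADER_OFFSET          # the "+ 0x18" step
    magic = _u16(image, opt)
    if magic not in DIRECTORY_OFFSETS:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    count_off, dir_off = DIRECTORY_OFFSETS[magic]
    if _u32(image, opt + count_off) <= IMAGE_DIRECTORY_ENTRY_EXPORT:
        raise ValueError("NumberOfRvaAndSizes too small for an export directory")
    entry = opt + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT   # 0x18 + 0x60 = 0x78 for PE32
    export_rva, export_size = _u32(image, entry), _u32(image, entry + 4)
    if export_rva == 0:
        return None  # module exports nothing

    _need(image, export_rva, 40)  # IMAGE_EXPORT_DIRECTORY is 40 bytes
    (_, _, _, _, name_rva, base, n_funcs, n_names,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from("<IIHHIIIIIII", image, export_rva)

    exports = []
    for i in range(n_names):
        name = _cstring(image, _u32(image, names_rva + 4 * i))
        index = _u16(image, ords_rva + 2 * i)      # unbiased index into AddressOfFunctions
        if index >= n_funcs:
            raise ValueError(f"ordinal index {index} out of range for {name}")
        target = _u32(image, funcs_rva + 4 * index)
        # An address that points back inside the export directory is a forwarder string.
        if export_rva <= target < export_rva + export_size:
            target = _cstring(image, target)
        exports.append((name, base + index, target))

    return {
        "export_rva": export_rva,
        "export_vma": image_base + export_rva,   # the "? base + rva" step from the post
        "export_size": export_size,
        "dll_name": _cstring(image, name_rva),
        "exports": exports,
    }


def build_demo_image():
    """Constructed sample: a minimal PE32 image (mapped layout) with two named exports."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    nt = 0x80
    struct.pack_into("<I", img, E_LFANEW_OFFSET, nt)
    img[nt:nt + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine=i386, 0 sections, SizeOfOptionalHeader=0xE0, DLL characteristics
    struct.pack_into("<HHIIIHH", img, nt + 4, 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = nt + OPTIONAL_HEADER_OFFSET
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<I", img, opt + 0x5C, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 0x60, 0x200, 0x130)      # export directory RVA / size
    # IMAGE_EXPORT_DIRECTORY at RVA 0x200: Name, Base=1, 2 functions, 2 names, three table RVAs
    struct.pack_into("<IIHHIIIIIII", img, 0x200, 0, 0, 0, 0, 0x300, 1, 2, 2, 0x230, 0x240, 0x250)
    struct.pack_into("<II", img, 0x230, 0x1000, 0x1010)         # AddressOfFunctions
    struct.pack_into("<II", img, 0x240, 0x310, 0x320)           # AddressOfNames
    struct.pack_into("<HH", img, 0x250, 0, 1)                   # AddressOfNameOrdinals
    img[0x300:0x309] = b"demo.dll\0"
    img[0x310:0x316] = b"Alpha\0"
    img[0x320:0x325] = b"Beta\0"
    return bytes(img)


DEMO_IMAGE = build_demo_image()

if __name__ == "__main__":
    info = parse_export_directory(DEMO_IMAGE, 0x10000000)
    print(f"{info['dll_name']}: export directory RVA 0x{info['export_rva']:x}, VMA 0x{info['export_vma']:x}")
    for name, ordinal, target in info["exports"]:
        print(f"  {ordinal:>4}  {name:<10} -> {target if isinstance(target, str) else hex(target)}")
```

Every read goes through a bounds check and the ordinal index is validated against NumberOfFunctions, because a hand-crafted image can point AddressOfNames or AddressOfNameOrdinals anywhere; a loader or analysis tool that trusts those fields blindly is the classic way to crash on a malformed export table.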