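/// Prints every export that has a name, one per line, as "\t<name> @<index>"
/// (followed by " NONAME" when requested).
///
/// All tables are located through peGetPtrFromRVA; each name string is located
/// by rebasing its RVA onto the raw-data offset of the section that encloses
/// the export directory and adding that offset to pImageBase.
///
/// @param pImageBase  Start of the buffer holding the PE contents.
/// @param pNTHeader   NT headers of the image; templated so both header
///                    flavours can be passed.
/// @param noname      When non-zero, every printed line gets a " NONAME" suffix.
/// @return 0 on success; ERROR_NOT_FOUND when no section encloses the export
///         directory RVA; ERROR_INVALID_DATA when the export directory or any
///         of its three tables cannot be resolved.
template <class T>
ULONG peDumpExportsInternal(PBYTE pImageBase, T * pNTHeader, BOOL noname)
{
    const DWORD exportsStartRVA = GetImgDirEntryRVA(pNTHeader, IMAGE_DIRECTORY_ENTRY_EXPORT);

    // Get the IMAGE_SECTION_HEADER that contains the exports. This is usually
    // the .edata section, but doesn't have to be.
    PIMAGE_SECTION_HEADER header = peGetEnclosingSectionHeader(exportsStartRVA, pNTHeader);
    if (!header)
    {
        return ERROR_NOT_FOUND;
    }

    // Resolve the directory first and reject a failed lookup BEFORE reading any
    // of its fields; the table RVAs below are read through this pointer.
    PIMAGE_EXPORT_DIRECTORY pExportDir =
        (PIMAGE_EXPORT_DIRECTORY)peGetPtrFromRVA(exportsStartRVA, pNTHeader, pImageBase);
    if (!pExportDir)
    {
        // this may (?) happen if the file is packed.....
        return ERROR_INVALID_DATA;
    }

    PDWORD pdwFunctions = (PDWORD)peGetPtrFromRVA(pExportDir->AddressOfFunctions, pNTHeader, pImageBase);
    PWORD  pwOrdinals   = (PWORD) peGetPtrFromRVA(pExportDir->AddressOfNameOrdinals, pNTHeader, pImageBase);
    PDWORD pszFuncNames = (PDWORD)peGetPtrFromRVA(pExportDir->AddressOfNames, pNTHeader, pImageBase);
    if (!pdwFunctions || !pwOrdinals || !pszFuncNames)
    {
        return ERROR_INVALID_DATA;
    }

    // NOTE(review): NumberOfFunctions, NumberOfNames and every RVA below come
    // straight from the file. This function is not given the buffer size, so
    // none of the table or string reads can be bounds-checked here; callers
    // handling untrusted files should validate the image (or pass a size down)
    // before calling.
    // NOTE(review): the number printed after '@' is the zero-based function
    // index, not index + pExportDir->Base - confirm that is the intended value.
    for (DWORD i = 0; i < pExportDir->NumberOfFunctions; i++)
    {
        // see if this function has an associated name exported for it.
        for (unsigned j = 0; j < pExportDir->NumberOfNames; j++)
        {
            if (pwOrdinals[j] != i)
            {
                continue;
            }

            // rva to file offset, using the section that holds the export
            // directory. NOTE(review): a name stored in a different section
            // would be mistranslated by this arithmetic - verify.
            ULONG_PTR va = pszFuncNames[j] - header->VirtualAddress + header->PointerToRawData;
            PCHAR name = (PCHAR)(pImageBase + va);

            if (noname)
            {
                printf ("\t%s @%d NONAME\r\n",name,i);
            }
            else
            {
                printf ("\t%s @%d\r\n",name,i);
            }
        }
    }

    return 0;
}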
// // Top level routine called to dump out the entire resource hierarchy // void DumpResourceSection(DWORD base, PIMAGE_NT_HEADERS pNTHeader) { DWORD resourcesRVA; PIMAGE_RESOURCE_DIRECTORY resDir; resourcesRVA = GetImgDirEntryRVA(pNTHeader, IMAGE_DIRECTORY_ENTRY_RESOURCE); if ( !resourcesRVA ) return; resDir = (PIMAGE_RESOURCE_DIRECTORY) GetPtrFromRVA( resourcesRVA, pNTHeader, base ); if ( !resDir ) return; printf("Resources (RVA: %X)\n", resourcesRVA ); DumpResourceDirectory(resDir, (DWORD)resDir, 0, 0); printf( "\n" ); if ( !fShowResources ) return; if ( cStrResEntries ) { printf( "String Table\n" ); DumpStringTable( base, pNTHeader, (DWORD)resDir, pStrResEntries, cStrResEntries ); printf( "\n" ); } if ( cDlgResEntries ) { printf( "Dialogs\n" ); DumpDialogs( base, pNTHeader, (DWORD)resDir, pDlgResEntries, cDlgResEntries ); printf( "\n" ); } }