XaiJu
oalabs
oalabs

patreon


Understanding PE Parsing for Reverse Engineers Part 4 - Data Directory and Exports

This is the final tutorial in our four-part series on PE parsing from a reverse engineering perspective. In this tutorial we explore parsing the PE export table. We conclude the tutorial with a complete PEB walk example parsing the exports from NTDLL.

Code References

The following are links to the code that was used in the tutorial. These are handy to keep as references as they have the structures and patterns that can be used in IDA when marking up pseudocode.

Further Reading

Hands-On Example

Attached to this post is the compiled example from the tutorial (64-bit) and a 32-bit version of the same example. See if you can replicate the pseudocode markup from the tutorial with both samples.

Understanding PE Parsing for Reverse Engineers Part 4 - Data Directory and Exports

Comments

Only 20 lines of code away from knowing the answer!!

OALABS

I can perform the approach with Proccess Injection and create a child that inherits Virtual Address Descriptor and do the PE parsing with NtQueryVirtualMemory and then detect the memory pages with IMAGE_NT_HEADERS* ntHeaders = (IMAGE_NT_HEADERS*)(pAddress + dosHeader->e_lfanew); if (ntHeaders->SIGNATURE != IMAGE_NT_SIGNATURE) and achieve the same? I mean it would be more complicated but can it be done? If I read a valid Signature I can go through its EXPORT_DIRECTORY to see if it matches any hashing and know that I am inside the dll I want.

anests1a

I don't understand. Could you explain more?

성일 배

Took me a while to figure out why there would be a "." 10 bytes into ntdll, kind of surprised there's not a way to make it show that it's the 6th character

June

For more complete content, I think you should do the Part 5 - Data Directory and Relocation

m4n0w4r


More Creators