Bitsum Technologies
While developing our portable executable tools, we've noted several errata in commonly used Portable Executable documentation distributed by Microsoft. We've listed these errata here in the hopes that we can save other programmers time and energy.
Document: Peering Inside the PE: A Tour of the Win32 Portable Executable
File Format by Matt Pietrek - Included in MSDN
Errata: While describing the exports directory, Pietrek makes several
errors. He incorrectly deduces that the Ordinal Table, Name Pointer Table,
and Export Address Table are parallel. He even makes a comment to the effect
that it is an odd structure. In fact, there is a good reason to have three
arrays -- and they are NOT parallel in all cases. The Ordinal Table
and the Name Pointer Table are parallel, but the Export Address Table is
not. The Ordinal Table and Name Pointer Table are sorted in ascending order
by the name of the API so that a binary search can be performed. The
ordinal (with ordinal base already subtracted, see below) found in the
Ordinal Table is the index into the Export Address Table and is not at all
guaranteed to be the same value as the index used for the corresponding
export in the other two tables.
Document: Microsoft Portable Executable and
Common Object File Format Specification by Microsoft Corporation (revision
6.0, 1999) - Included in MSDN
Errata: While describing the export tables, the documentation suggests
that the Ordinal Table contains ordinals whose values already include the
ordinal base. In fact, this table contains ordinals with the base value
already subtracted. The errant lookup formula is given as:
i = Search_ExportNamePointerTable (ExportName);
ordinal = ExportOrdinalTable [i];
SymbolRVA = ExportAddressTable [ordinal - OrdinalBase];
The corrected lookup formula is:
i = Search_ExportNamePointerTable (ExportName);
ordinal = ExportOrdinalTable [i] + OrdinalBase;
SymbolRVA = ExportAddressTable [ordinal - OrdinalBase];
- Bitsum Technologies
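The corrected lookup, written out in C as an added example (not code from Bitsum or from either document). The struct, the function names other than Search_ExportNamePointerTable's analogue, and the sample tables are assumptions constructed here; the sample has four exported functions but only three names, so the name index and the Export Address Table index differ, and the index read from the Ordinal Table is range-checked before use because a malformed file can hold any value there.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical in-memory view of the three export tables (names invented here). */
struct export_tables {
    uint32_t ordinal_base, n_funcs, n_names;
    const uint32_t *eat;          /* Export Address Table, n_funcs entries */
    const char *const *names;     /* Name Pointer Table, sorted, n_names entries */
    const uint16_t *ordinals;     /* Ordinal Table, parallel to names */
};

/* Constructed sample, not taken from a real DLL. EAT slot 1 (ordinal 6)
 * is exported by ordinal only, so there are 4 functions but 3 names. */
static const uint32_t sample_eat[] = { 0x1400, 0x1100, 0x1300, 0x1200 };
static const char *const sample_names[] = { "Alpha", "Bravo", "Charlie" };
static const uint16_t sample_ordinals[] = { 3, 0, 2 };
static const struct export_tables sample = { 5, 4, 3, sample_eat, sample_names, sample_ordinals };

/* Binary search over the sorted Name Pointer Table; -1 when absent. */
static int search_name_pointer_table(const struct export_tables *t, const char *name) {
    uint32_t lo = 0, hi = t->n_names;
    while (lo < hi) {
        uint32_t mid = lo + (hi - lo) / 2;
        int c = strcmp(name, t->names[mid]);
        if (c == 0) return (int)mid;
        if (c < 0) hi = mid; else lo = mid + 1;
    }
    return -1;
}

/* Returns the export's RVA, or 0 (this example's "not found" value) when the
 * name is absent or the index lies outside the Export Address Table. */
static uint32_t lookup_export(const struct export_tables *t, const char *name, uint32_t *ordinal_out) {
    int i = search_name_pointer_table(t, name);
    if (i < 0) return 0;
    uint32_t index = t->ordinals[i];      /* base already subtracted */
    if (index >= t->n_funcs) return 0;    /* malformed table: do not read past the EAT */
    if (ordinal_out) *ordinal_out = index + t->ordinal_base;
    return t->eat[index];
}

int main(void) {
    const char *queries[] = { "Alpha", "Bravo", "Charlie", "Missing" };
    for (size_t k = 0; k < 4; k++) {
        uint32_t ord = 0, rva = lookup_export(&sample, queries[k], &ord);
        printf("%-8s ordinal=%u rva=0x%x\n", queries[k], (unsigned)ord, (unsigned)rva);
    }
    return 0;
}
```

With the sample's ordinal base of 5, applying the errant formula to "Alpha" would compute 3 - 5 as the table index, which is why the subtraction must not be applied to values read from the Ordinal Table.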