3

I've looked at an export table of a specific DLL and Iv'e seen some strange entries in the table so I tried to find an answer to this issue in the pecoff specification and didn't find any and I hope that someone maybe have one.

I ran a dumpbin on a certain DLL (Qt5Core.dll) and found that the exports table have entries that are not functions - > there are entries that their addresses point to the .data section and the .rdata sections... for example:

const QAbstractState::`vftable' 67366E0C 1470 QMetaObject const QEventTransition::staticMetaObject 673C15A8 6160 QCoreApplication * QCoreApplication::self 6746180C 5504

It seems like some c++ variables and I wondered why are they in the exports table? Thanks!

Aviv
  • 516
  • 1
  • 3
  • 21
sborpo
  • 928
  • 7
  • 15

2 Answers2

2

NumberOfFunctions Total number of functions/symbols that are exported by this module.

NumberOfNames Number of functions/symbols that are exported by name. This value is not the number of ALL functions/symbols in the module. For that number, you need to check NumberOfFunctions. This value can be 0. In that case, the module may export by ordinal only. If there is no function/symbol to be exported in the first case, the RVA of the export table in the data directory will be 0.

From the above we conclude that the ordinal table lists only the number of exports that actually have a name.

Source: http://win32assembly.programminghorizon.com/pe-tut7.html

Muhammad Hashim Shafiq
  • 651
  • 7
  • 32
1

Export entries does not have to be functions. You can take a look at my stackoverflow thread: PE - Distinguish data from function export

The conclusion was clear, data can be exported from a PE file as well. There is no perfect way to distinguish the two from one another, but some heuristics and runtime operations can help you in this issue. Refer to my above post for further details (also read the comments).

Community
  • 1
  • 1
Aviv
  • 516
  • 1
  • 3
  • 21