
I have a DLL file (64-bit) and am trying to find the source code instructions of an exported function named write in it.

With the use of DUMPBIN.EXE I can see the exported label write with RVA 24A0H.

    00000000 characteristics
    FFFFFFFF time date stamp
    0.00 version
       1 ordinal base
       3 number of functions
       3 number of names

    ordinal hint RVA      name

      1    0 00002140 Close = Close
      2    1 000020F0 Open = Open
      3    2 000024A0 write = write

This RVA resides in the .text section of the DLL file, as the dump of the file shows that RVA 24A0H is between 0000000180001000 and 0000000180006628:

    SECTION HEADER #1
      .text name
        5629 virtual size
        1000 virtual address (0000000180001000 to 0000000180006628)
        5800 size of raw data
         400 file pointer to raw data (00000400 to 00005BFF)
           0 file pointer to relocation table
           0 file pointer to line numbers
           0 number of relocations
           0 number of line numbers
    60000020 flags
             Code
             Execute Read

Calculating the file offset of the write function has been done with:

    offset = RVA - Virtual address of the section + Pointer to raw data
    offset = 24A0H - 1000H + 400H = 18A0H

Should I now go to this offset from the start of the DLL file to see the instructions (or byte codes) of the exported function?

Thanks.
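The RVA-to-file-offset calculation above, generalized to walk the PE section table, as an added example that is not part of the original post. The sample image is constructed: its `.text` header copies the values from the DUMPBIN output, while the `.data` section and the function names are assumptions made for illustration.

```python
import struct

def parse_sections(pe: bytes):
    """Return (name, virtual_size, virtual_address, raw_size, raw_pointer) tuples."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20 (both relative to e_lfanew).
    count, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(count):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         vsize, va, raw_size, raw_ptr))
    return sections

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset; None if the byte exists only in memory."""
    for _name, vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + (vsize or raw_size):
            delta = rva - va
            # Past SizeOfRawData the loader zero-fills; the file holds nothing.
            return raw_ptr + delta if delta < raw_size else None
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def build_sample() -> bytes:
    """Constructed headers only: .text copied from the dump, .data invented."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0xF0, 0x2022)
    opt = bytes(0xF0)  # optional header contents are not needed for this lookup
    text = struct.pack("<8sIIII16x", b".text", 0x5629, 0x1000, 0x5800, 0x400)
    data = struct.pack("<8sIIII16x", b".data", 0x2000, 0x7000, 0x200, 0x5C00)
    return dos + b"PE\0\0" + coff + opt + text + data

if __name__ == "__main__":
    secs = parse_sections(build_sample())
    for rva in (0x24A0, 0x7100, 0x7800):
        off = rva_to_offset(secs, rva)
        print(f"RVA {rva:#06x} ->", "no file bytes" if off is None else f"{off:#x}")
```

To use it on a real file, pass the file's bytes to `parse_sections` instead of `build_sample()`; the bytes of the function then start at the returned offset.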
