Understanding PE Parsing for Reverse Engineers Part 4 - Data Directory and Exports (Patreon)
This is the final tutorial in our four-part series on PE parsing from a reverse engineering perspective. In this tutorial we explore parsing the PE export table. We conclude the tutorial with a complete PEB walk example parsing the exports from NTDLL.
Code References
The following are links to the code used in the tutorial. They are handy to keep as references, since they contain the structures and patterns that can be used in IDA when marking up pseudocode.
Further Reading
- PE file diagram from Corkami
- An In-Depth Look into the Win32 Portable Executable File Format (Inside Windows)
- An In-Depth Look into the Win32 Portable Executable File Format Part 2 (Inside Windows)
- Example PE parsing from iredteam
- VERGILIUS
- GetModuleHandle translation to base address (Stack Overflow)
- _IMAGE_DATA_DIRECTORY
- Export Hashing (in4k)
- Zeus PE Walk 2010
- Original PEB Walk
- Export Parsing Example (TitanHide)
- Forwarded Export
Hands-On Example
Attached to this post is the compiled example from the tutorial (64-bit) and a 32-bit version of the same example. See if you can replicate the pseudocode markup from the tutorial with both samples.