Home > OS >  In kernel32. DLL search address why the imagebase Export function and actual from
In kernel32. DLL search address why the imagebase Export function and actual from

Time:10-03

Reading "reverse engineering core principles", chapter 13 for export function of virtual address out of the question, the problem is as follows:
the NT optional header in the file of the head offset 0 x108, according to the offset  imagebase file offset 0 x124
value of x77de0000 [0] but OD inside the  all is 0 x75 beginning?
And if want to find the function name is AddAtomW, according to the offset of optional header found the RVA of the EXPORT Directory value namely IMAGE_EXPORT_DIRECTORY structure address members find AddressOfNames, according to the AddAtomW inside the name array index to find ordinalarray array value, according to the ordinal value as the index function of the relative virtual address address for x000430ed [0], again in OD AddAtomW find function according to the name of the virtual address
Then according to the words in this way, the correct image=0 x754f30ed x754b0000 x000430ed=0 and 0 0 x77de0000, is this why? Please comment, orz

CodePudding user response:

Is not the same as the actual load address, is said to be the high version of Windows viruses, trojans and other malicious software; You can try your program, each loaded base may be different,
  • Related