Menu
▾
▴
#263 PE Analyzer: Missing exports for DLLs with ordinal-only exports
For some DLL's which contain exports by ordinal only, PE Analyzer is unable to display the exports.
Here is an example from mfc140.dll. As you can see, a single export is displayed with an incorrect name and ordinal, but with the correct RVA. All other exports are missing.
PE Analyzer
| Function | RVA | Ord |
|---|---|---|
| ?? | 002781f0 | 0 |
COFF/PE Dumper (objdump.exe)
| ordinal | hint | RVA | name |
|---|---|---|---|
| 256 | 002781F0 | [NONAME] | |
| 257 | 002782F0 | [NONAME] | |
| 258 | 0027C3D0 | [NONAME] | |
| 259 | 0027C440 | [NONAME] | |
| ... | ... | ... | ... |
| 14282 | 0006E6B0 | [NONAME] | |
| 14283 | 00079600 | [NONAME] |
Possible Fix
Something like the following should resolve the issue:
--- pe_analyzer.cpp
+++ pe_analyzer.cpp
@@ -342,6 +342,7 @@
if (!fx.ep)
continue; //Skip over gaps in exported function
fx.idx = (WORD)i;
+ fx.ordinal = static_cast<WORD>(exp_dir->Base + i);
std::string fx_name;
@@ -351,15 +352,15 @@
if (rva_nord[j] == i)
fx_index = j;
}
- fx.ordinal = static_cast<WORD>(exp_dir->Base + i);
+
if (fx_index != 0xffff) {
const auto name = reinterpret_cast<const char*>(data_from_rva(rva_name[fx_index]));
if (name)
fx_name = name;
}
- if (fx_name.empty())
- fx_name = ordinal_name(fx.ordinal);
}
+ if (fx_name.empty())
+ fx_name = ordinal_name(fx.ordinal);
//Check for forwarder
if (rva_func[i] >= edir_start && rva_func[i] < edir_end) {
Discussion
Anonymous
Thanks again.
3.10.25
Thank you. This issue is now resolved.