2 years ago

#61296


functionhunter

Deciphering values of symbol table - PE file format

According to MSDN documentation:

The symbol table is an array of records, each 18 bytes long. Each record is either a standard or auxiliary symbol-table record. A standard record defines a symbol or name and has the following format.

And from the COFF file header, one can obtain two variables: PointerToSymbolTable, which is the offset from the start of the mapped file to the symbol table, and NumberOfSymbols, which describes the number of symbols in the table.

My goal is to parse this symbol table, in order to find specific functions in my code, and their addresses. Therefore, I wrote the following code as a test, to find the "Type" value of the first record of the symbol table:

    // This part is correct, no errors.
    LPBYTE lpFile = (LPBYTE)MapViewOfFile(hMapping, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, dwFileSize);
    PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)lpFile;
    PIMAGE_NT_HEADERS coffHeader = (PIMAGE_NT_HEADERS)((DWORD)dosHeader + dosHeader->e_lfanew);

    // Part in which I am not getting the expected values
    LPBYTE symBuff = (LPBYTE)malloc(18);
    LPBYTE startPoint = lpFile + coffHeader->FileHeader.PointerToSymbolTable;
    memcpy(symBuff, startPoint, 18);
    DWORD symType = (*symBuff << 14) >> 17;
    printf("symType: %02x", symType);
    if (symType >> 1 == 0x20) {
        printf("Is a function");
    }
    if (symType >> 1 == 0x00) {
        printf("Is not a function");
    }

The objective here is to move the mapped file pointer to the location of the symbol table and obtain the Type value of its first record, which is located at the 14th position of the record and is defined as such:

A number that represents type. Microsoft tools set this field to 0x20 (function) or 0x0 (not a function). For more information, see Type Representation.

When printed, however, I get the value 0x05, which I did not expect, because my code isolates the most significant byte.

The most significant byte specifies whether the symbol is a pointer to, function returning, or array of the base type that is specified in the LSB. Microsoft tools use this field only to indicate whether the symbol is a function, so that the only two resulting values are 0x0 and 0x20 for the Type field. However, other tools can use this field to communicate more information.

Tags: c++, c, winapi, portable-executable
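The following is an added, self-contained C example (not code from the question or from any Microsoft header) showing how to read the Type field described above as the 16-bit value at offset 14 of each 18-byte record, test it for the function encoding, and walk the whole table while skipping auxiliary records. The constants `SYM_DTYPE_FUNCTION`, `SYM_BTSHFT` and `SYM_TMASK` mirror the values winnt.h uses for `IMAGE_SYM_DTYPE_FUNCTION`, `N_BTSHFT` and `N_TMASK` (so `sym_is_function` behaves like the `ISFCN` macro), and the symbol table bytes are constructed for the example rather than taken from a real binary. It uses plain byte reads with an explicit length bound instead of a mapped view so it runs on any platform; with a mapped PE file, `table` would be `lpFile + PointerToSymbolTable` and `table_len` the remaining mapped size.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Offsets inside one 18-byte standard COFF symbol record (PE/COFF spec, "COFF Symbol Table"). */
#define SYM_SIZE        18
#define SYM_OFF_VALUE    8
#define SYM_OFF_SECTION 12
#define SYM_OFF_TYPE    14
#define SYM_OFF_CLASS   16
#define SYM_OFF_NAUX    17

/* Type-field encoding; same values winnt.h uses for IMAGE_SYM_DTYPE_FUNCTION, N_BTSHFT, N_TMASK. */
#define SYM_DTYPE_FUNCTION 2
#define SYM_BTSHFT         4
#define SYM_TMASK          0x0030

typedef struct {
    char     name[9];        /* short name, NUL-terminated here; "/offset" for string-table names */
    uint32_t value;
    int16_t  section;
    uint16_t type;
    uint8_t  storage_class;
    uint8_t  num_aux;
} coff_symbol;

/* Little-endian helpers: the on-disk fields are not necessarily aligned, so read byte-wise. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Equivalent of winnt.h ISFCN(): the "function" derived type sits in bits 4-5 of Type, so 0x20 matches. */
int sym_is_function(uint16_t type) {
    return (type & SYM_TMASK) == (SYM_DTYPE_FUNCTION << SYM_BTSHFT);
}

/* Decode record idx; returns 0 on success, -1 if the record would extend past table_len. */
int parse_symbol(const uint8_t *table, size_t table_len, size_t idx, coff_symbol *out) {
    if (idx >= SIZE_MAX / SYM_SIZE || (idx + 1) * SYM_SIZE > table_len) return -1;
    const uint8_t *rec = table + idx * SYM_SIZE;
    if (rd32(rec) == 0) {
        /* Long name: bytes 4-7 hold an offset into the string table that follows the symbol table. */
        snprintf(out->name, sizeof out->name, "/%u", rd32(rec + 4));
    } else {
        memcpy(out->name, rec, 8);   /* a name of exactly 8 chars is not NUL-terminated in the file */
        out->name[8] = '\0';
    }
    out->value         = rd32(rec + SYM_OFF_VALUE);
    out->section       = (int16_t)rd16(rec + SYM_OFF_SECTION);
    out->type          = rd16(rec + SYM_OFF_TYPE);   /* the 16-bit Type field at offset 14 */
    out->storage_class = rec[SYM_OFF_CLASS];
    out->num_aux       = rec[SYM_OFF_NAUX];
    return 0;
}

/* Walk num_symbols records (aux records count toward NumberOfSymbols and are skipped here),
 * collecting function symbols into funcs[]. Returns how many were found, or -1 on a truncated table. */
int find_functions(const uint8_t *table, size_t table_len, uint32_t num_symbols,
                   coff_symbol *funcs, size_t max_funcs) {
    size_t found = 0;
    for (size_t i = 0; i < num_symbols; ) {
        coff_symbol s;
        if (parse_symbol(table, table_len, i, &s) != 0) return -1;
        if (sym_is_function(s.type) && found < max_funcs) funcs[found++] = s;
        i += 1 + s.num_aux;   /* a bogus num_aux from an untrusted file is caught by the bound check above */
    }
    return (int)found;
}

/* Constructed sample table (not from a real binary): a ".text" section symbol with one
 * aux record, the function "main" at offset 0x10 of section 1, and a data symbol "x". */
static const uint8_t sample_table[] = {
    '.','t','e','x','t',0,0,0,  0x00,0,0,0, 1,0,  0x00,0x00, 3, 1,   /* static, 1 aux record follows */
    0x40,0,0,0, 2,0, 0,0, 0,0,0,0, 0,0, 0,0, 0,0,                      /* aux record (opaque here) */
    'm','a','i','n',0,0,0,0,    0x10,0,0,0, 1,0,  0x20,0x00, 2, 0,   /* external function */
    'x',0,0,0,0,0,0,0,          0x00,0,0,0, 2,0,  0x00,0x00, 2, 0,   /* external data */
};
static const uint32_t sample_num_symbols = 4;   /* plays the role of NumberOfSymbols */

int main(void) {
    coff_symbol funcs[8];
    int n = find_functions(sample_table, sizeof sample_table, sample_num_symbols, funcs, 8);
    for (int i = 0; i < n; i++)
        printf("%-8s section %d value 0x%08x type 0x%04x\n",
               funcs[i].name, funcs[i].section, funcs[i].value, funcs[i].type);
    return n < 0;
}
```

Two points the example makes explicit: the expression in the question dereferences `*symBuff`, which is the first byte of the Name field rather than the Type field at offset 14, and `NumberOfSymbols` counts auxiliary records, so a loop that does not skip `num_aux` entries will misread aux data as standard records. Checking every record against the mapped length before reading it matters when the file being parsed is untrusted, since `PointerToSymbolTable` and `NumberOfSymbols` can point past the end of the mapping.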

0 Answers
