PE & COFF Document Typos Are Quite Irritating

Just a quick post to remind myself of this in the future (and hopefully help others!)

Anyways, I’m working on writing a PE parser module. Part of this is listing the relative virtual addresses (RVA) of exported symbols. To figure out how to do this, I was reading the PE & COFF Specification (http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx) document for reference. However, there is some conflicting information in it. For the rest of this post, all section numbers apply to Revision 8.3 (February 6, 2013) unless otherwise noted.

Specifically, Section 5.3.4 contains this listing:

i = Search_ExportNamePointerTable (ExportName);
ordinal = ExportOrdinalTable [i];
SymbolRVA = ExportAddressTable [ordinal - OrdinalBase];

However, Section 5.3.5 contains this line:

Every exported symbol has an ordinal value, which is just the index into the export address table (plus the Ordinal Base value).

So the listing in 5.3.4 should actually be:

i = Search_ExportNamePointerTable (ExportName);
ordinal = ExportOrdinalTable [i + OrdinalBase];
SymbolRVA = ExportAddressTable [ordinal - OrdinalBase];

This caused me several hours of frustration! Hopefully you don’t run into the same problems. I’m going to try to get Microsoft to fix this error if possible.
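An added example, not code from this post or from the specification: a name-to-RVA lookup over a constructed export directory, with the bounds checks a parser needs when the file is untrusted. It assumes the on-disk convention that export ordinal table entries are 16-bit indexes into the export address table without OrdinalBase added, so OrdinalBase only enters when converting to or from a biased ordinal; `build_sample`, `cstr`, `resolve_export` and `resolve_ordinal` are hypothetical names.

```python
import struct

EXPORT_DIR = struct.Struct("<IIHHIIIIIII")  # 40-byte export directory table

def build_sample():
    """Constructed image fragment in which an RVA equals the buffer offset."""
    eat = [0x1000, 0, 0x2000, 0x3000]          # export address table
    names = [b"Alpha", b"Beta", b"Gamma"]      # sorted, as the name table must be
    name_ordinals = [2, 0, 3]                  # ordinal table, parallel to names
    strings, ptrs, pos = b"", [], 74           # 40 + 16 + 12 + 6 bytes precede
    for n in names:
        ptrs.append(pos)
        strings += n + b"\0"
        pos += len(n) + 1
    hdr = EXPORT_DIR.pack(0, 0, 0, 0, 0, 5, len(eat), len(names), 40, 56, 68)
    return (hdr + struct.pack("<4I", *eat) + struct.pack("<3I", *ptrs)
            + struct.pack("<3H", *name_ordinals) + strings)

def cstr(img, rva):
    return img[rva:img.index(b"\0", rva)]      # ValueError if unterminated

def resolve_export(img, dir_rva, wanted):
    """Return (rva, biased_ordinal) for an exported name, or None."""
    (_, _, _, _, _, base, n_funcs, n_names,
     eat_rva, npt_rva, ot_rva) = EXPORT_DIR.unpack_from(img, dir_rva)
    for i in range(n_names):                   # linear scan for brevity
        (name_rva,) = struct.unpack_from("<I", img, npt_rva + 4 * i)
        if cstr(img, name_rva) != wanted:
            continue
        (index,) = struct.unpack_from("<H", img, ot_rva + 2 * i)
        if index >= n_funcs:                   # untrusted file: check before use
            raise ValueError("ordinal table entry outside export address table")
        (rva,) = struct.unpack_from("<I", img, eat_rva + 4 * index)
        return rva, index + base
    return None

def resolve_ordinal(img, dir_rva, ordinal):
    """Return the RVA for a biased ordinal; OrdinalBase is subtracted here."""
    fields = EXPORT_DIR.unpack_from(img, dir_rva)
    base, n_funcs, eat_rva = fields[5], fields[6], fields[8]
    index = ordinal - base
    if not 0 <= index < n_funcs:
        raise ValueError("ordinal outside export address table")
    return struct.unpack_from("<I", img, eat_rva + 4 * index)[0]
```

In the constructed sample OrdinalBase is 5, so `Alpha` resolves to RVA 0x2000 with biased ordinal 7, and a corrupted ordinal table entry is rejected instead of reading past the address table.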
