Just a quick post to remind myself of this in the future (and hopefully help others!)
Anyways, I’m working on writing a PE parser module. Part of this is listing the relative virtual addresses (RVA) of exported symbols. To figure out how to do this, I was reading the PE & Coff Specification (http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx) document for reference. However, there is some conflicting information in it. For the rest of this post, all section numbers apply to Revision 8.3 (February 6, 2013) unless otherwise noted.
Specifically, Section 5.3.4 contains this listing:
i = Search_ExportNamePointerTable (ExportName);
ordinal = ExportOrdinalTable [i];
SymbolRVA = ExportAddressTable [ordinal - OrdinalBase];
However, Section 5.3.5 contains this line:
Every exported symbol has an ordinal value, which is just the index into the export address table (plus the Ordinal Base value).
So the the table in 5.3.4 should actually be:
i = Search_ExportNamePointerTable (ExportName);
ordinal = ExportOrdinalTable [i + OrdinalBase];
SymbolRVA = ExportAddressTable [ordinal - OrdinalBase];
This caused me several hours of frustration! Hopefully you don’t run into the same problems. I’m going to try to get Microsoft to fix this error if possible.
