7etsuo/ExportFunctionAddressFinder.ps

## ExportFunctionAddressFinder.ps
# This pseudocode assumes the existence of data structures for the export directory table
# and functions to read from these structures based on Relative Virtual Addresses (RVA).

# Structure definitions (simplified)
struct ExportDirectoryTable {
    NamePointerTable namePointerTable;
    OrdinalTable ordinalTable;
    ExportAddressTable exportAddressTable;
}

struct NamePointerTable {
    list<RVA> pointersToNames;
}

struct OrdinalTable {
    list<int> ordinals;
}

struct ExportAddressTable {
    list<RVA> functionAddresses;
}

# Function to find the address of an exported function by name
function getExportFunctionAddress(dllHandle, functionName):
    exportDirectory = getExportDirectoryTable(dllHandle)

    # Step 1: Look up the function name in the Export Name Pointer Table to find its RVA
    for i in range(exportDirectory.namePointerTable.pointersToNames.length):
        nameRVA = exportDirectory.namePointerTable.pointersToNames[i]
        exportedName = readStringAtRVA(dllHandle, nameRVA)

        # If the exported name matches the function we want, proceed
        if exportedName == functionName:
            # Step 2: Find the ordinal associated with the function name
            functionOrdinal = exportDirectory.ordinalTable.ordinals[i]

            # Step 3: Use the ordinal as an index to get the function's address from the Export Address Table
            functionAddressRVA = exportDirectory.exportAddressTable.functionAddresses[functionOrdinal]

            # Convert the function's RVA to an actual address in the DLL's memory space
            functionAddress = convertRVAToActualAddress(dllHandle, functionAddressRVA)
            return functionAddress

    # Function name not found
    return null

# Let's say we want to call a function named "LoadLibraryAddress" from a loaded DLL
dllBase = loadDLL("kernel32.dll")
LoadLibraryAddress = getExportFunctionAddress(dllBase, "LoadLibrary")
GetProcAddress = getExportFunctionAddress(dllBase, "GetProcAddress")

if LoadLibraryAddress is not null:
    do something
...
	# This pseudocode assumes the existence of data structures for the export directory table
	# and functions to read from these structures based on Relative Virtual Addresses (RVA).

	# Structure definitions (simplified)
	struct ExportDirectoryTable {
	NamePointerTable namePointerTable;
	OrdinalTable ordinalTable;
	ExportAddressTable exportAddressTable;
	}

	struct NamePointerTable {
	list<RVA> pointersToNames;
	}

	struct OrdinalTable {
	list<int> ordinals;
	}

	struct ExportAddressTable {
	list<RVA> functionAddresses;
	}

	# Function to find the address of an exported function by name
	function getExportFunctionAddress(dllHandle, functionName):
	exportDirectory = getExportDirectoryTable(dllHandle)

	# Step 1: Look up the function name in the Export Name Pointer Table to find its RVA
	for i in range(exportDirectory.namePointerTable.pointersToNames.length):
	nameRVA = exportDirectory.namePointerTable.pointersToNames[i]
	exportedName = readStringAtRVA(dllHandle, nameRVA)

	# If the exported name matches the function we want, proceed
	if exportedName == functionName:
	# Step 2: Find the ordinal associated with the function name
	functionOrdinal = exportDirectory.ordinalTable.ordinals[i]

	# Step 3: Use the ordinal as an index to get the function's address from the Export Address Table
	functionAddressRVA = exportDirectory.exportAddressTable.functionAddresses[functionOrdinal]

	# Convert the function's RVA to an actual address in the DLL's memory space
	functionAddress = convertRVAToActualAddress(dllHandle, functionAddressRVA)
	return functionAddress

	# Function name not found
	return null

	# Let's say we want to call a function named "LoadLibraryAddress" from a loaded DLL
	dllBase = loadDLL("kernel32.dll")
	LoadLibraryAddress = getExportFunctionAddress(dllBase, "LoadLibrary")
	GetProcAddress = getExportFunctionAddress(dllBase, "GetProcAddress")

	if LoadLibraryAddress is not null:
	do something
	...