I have figured out how to get the Dyn. Relocs Table with which we can get the alternate export directory from an image on disk:
Code:
IMAGE_LOAD_CONFIG_DIRECTORY64 LoadConfig;
IMAGE_DATA_DIRECTORY* dir10 = &opt_hdr_64->DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG];
if (resolve_ec && dir10->VirtualAddress && dir10->Size >= FIELD_OFFSET(IMAGE_LOAD_CONFIG_DIRECTORY64, CHPEMetadataPointer) + sizeof(ULONGLONG)) {
status = ReadDll(hProcess, FindImagePosition(dir10->VirtualAddress, nt_hdrs_64, DllBase), &LoadConfig, min(sizeof(LoadConfig), dir10->Size), NULL);
}
typedef struct _DYN_RELOC_TABLE {
ULONG Unknown1;
ULONG Unknown2;
ULONG Unknown3;
ULONG Unknown4;
ULONG TableSize;
UCHAR Entries[];
} DYN_RELOC_TABLE;
DYN_RELOC_TABLE* DynamicValueRelocTable = NULL;
if (DllBase == 0 && (resolve_ec || resolve_exp)) { // only for images on disk, on linve images we take the actuallly used export directory
PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(nt_hdrs);
nt_hdrs->FileHeader.NumberOfSections;
section += (LoadConfig.DynamicValueRelocTableSection - 1);
ULONG pos = FindImagePosition(section->VirtualAddress, nt_hdrs_64, DllBase);
status = ReadDll(hProcess, pos, Buffer2, min(sizeof(Buffer2), section->Misc.VirtualSize), NULL);
DynamicValueRelocTable = (DYN_RELOC_TABLE*)(Buffer2 + LoadConfig.DynamicValueRelocTableOffset);
//dir0->VirtualAddress = 0x308810;
}
for (UCHAR* TablePtr = DynamicValueRelocTable->Entries; TablePtr < DynamicValueRelocTable->Entries + DynamicValueRelocTable->TableSize; ) {
struct {
ULONG Offset;
ULONG Size;
} *Section = TablePtr;
TablePtr += 8;
Section->Size -= 8;
for (UCHAR* EntryPtr = TablePtr; TablePtr < EntryPtr + Section->Size; ) {
struct {
USHORT
RVA : 12,
Unknown: 1,
Size : 3;
} *Entry = TablePtr;
TablePtr += 2;
ULONGLONG Value = 0;
memcpy(&Value, TablePtr, Entry->Size);
TablePtr += Entry->Size;
DbgPrintf("%08x -> %08x\n", Section->Offset + Entry->RVA, (ULONG)Value);
}
}
there are a couple unknown values so if anyone has an idea what they are please share.