Wow, a lot of participation in this thread, nice
Anyway, here is second part...
Getting Name of Function and Ordinal value - Part II
We enter this routine with the handle and the name of the module that the handle belongs to.
Let's work with export table of that module.
We compare
AddressOfNameOrdinals to
AddressOfNames. If they are different, we start a) chapter. Otherwise, go to b) chapter.
a) We first start a loop with
NumberOfNames iterations.
Within the loop, we must go through
AddressOfOrdinals array. This array is composed only by Words. Each Word performs a 'number of order' in
AddressOfFunction array. We take the content in the i-element of the
AddresOfOrdinals array.
That content is the number of element in
AddressOfFunction array, so we get the value of that component. This comes as RVA.
We compare now:
handle(our input) to RVA content + BaseAddress of the module
If they match:
1. If 'number of order' is not equal to zero, then Ordinal of that handle is:
'number of order'+ nBase(parameter in export table) OR IMAGE_ORDINAL_FLAG32(0x80000000)
2. We go through the
AddressOfNameOfFunction array and read the i element. This is an RVA value. Then we read the string at that address and we get the name of the function searched.
b) If 'number of order' is zero (there is no names of functions, just ordinals), we start a loop with
NumberOfFunction iterations.
For every element in the array of
AddressOfFunction, we compare:
handle(our input) to value of element(RVA) + BaseAddress of the module.
If they match, ordinal for that handle is:
(i(iteration) + nBase(parameter in export table)) OR IMAGE_ORDINAL_FLAG32(0x80000000)
To be continued (solving forwarded functions)...