Parsing a PE file to find the export table address using CFF Explorer and MSDN doc


I am working on a PE file and I am trying to interpret this line in IDA:

v4 = *(_DWORD *)((char *)LibraryA + *((_DWORD *)LibraryA + 15) + 120);

LibraryA is the base address of the PE file

*((_DWORD *)LibraryA + 15) is equivalent to *(LibraryA + 60) = *(LibraryA + 0x3C) = *(LibraryA + e_lfanew) = 0x100 = PEOffset

Thus *((_DWORD *)LibraryA + 15) + 120 points to the export directory according to CFF Explorer

When I use CFF Explorer > Nt header > Optional header > Data directories > Export table address = 0x178 = 0x100 (PE offset) + 0x78 (export table address)

But when I use the MSDN doc https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#optional-header-data-directories-image-only I see the PE offset for the Export Table is 96 (0x60) instead of the value found in CFF Explorer: 120 (0x78)

I think I'm wrong when I use the MSDN doc, but I can't figure out where.

2

There are 2 best solutions below

1
Nerios On

(Thanks to Kz2023 for your suggestions; I didn't know this site, godbolt.org.)

The answer to my problem is quite simple: in the MSDN doc the offset given for the export table address is relative to the OptionalHeader, and in the code the offset is relative to the PE COFF header

Reminder : the size of the PE COFF header is 0x18 bytes which is the difference I noticed between the 96 bytes (0x60) of msdn and the 120 bytes (0x78) in the code PE layout

0
winapiadmin On

I was mistaken when finding the debug directory (see "Strange entry type 4194304 while reading debug directory" for more information) and this will apply for another directory entry, for example, import directory, export directory, etc.

That's the offset to data directory entry, not the section entry or offset to export table. For getting the export section content, use the answers in that question.
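The offset arithmetic from both answers, as an added example that is not code from the question or from either answerer: it locates data directory entry 0 from e_lfanew and shows that 0x78 is the 4-byte PE signature plus the 20-byte COFF file header (0x18) plus the 0x60 documented for PE32. It goes one step beyond the question by also handling PE32+, where the documented offset is 112 and the entry sits at e_lfanew + 0x88. The helper names and the sample header bytes are constructed for the demonstration.

```python
import struct

PE_SIG_SIZE = 4        # "PE\0\0" signature at e_lfanew
COFF_HEADER_SIZE = 20  # IMAGE_FILE_HEADER; 4 + 20 = 0x18
# Offset of the data directories inside the optional header, keyed by Magic.
DATA_DIR_OFFSET = {0x10B: 96, 0x20B: 112}  # PE32, PE32+

def export_directory_entry(image: bytes):
    """Return (offset from PE signature, RVA, size) of data directory 0."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    try:
        (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
        if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        opt = e_lfanew + PE_SIG_SIZE + COFF_HEADER_SIZE
        (magic,) = struct.unpack_from("<H", image, opt)
        if magic not in DATA_DIR_OFFSET:
            raise ValueError(f"unexpected optional header magic {magic:#x}")
        entry = opt + DATA_DIR_OFFSET[magic]
        # NumberOfRvaAndSizes is the DWORD just before the directories.
        (count,) = struct.unpack_from("<I", image, entry - 4)
        if count < 1:
            raise ValueError("image declares no data directories")
        rva, size = struct.unpack_from("<II", image, entry)
    except struct.error as exc:
        raise ValueError("truncated header") from exc
    return entry - e_lfanew, rva, size

def build_sample(magic, e_lfanew=0x100, rva=0x2000, size=0x80):
    """Constructed header bytes (not a loadable PE), for the demo only."""
    dd = DATA_DIR_OFFSET[magic]
    opt = e_lfanew + PE_SIG_SIZE + COFF_HEADER_SIZE
    img = bytearray(opt + dd + 8)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", img, opt, magic)
    struct.pack_into("<I", img, opt + dd - 4, 16)
    struct.pack_into("<II", img, opt + dd, rva, size)
    return bytes(img)

if __name__ == "__main__":
    for magic in (0x10B, 0x20B):
        off, rva, size = export_directory_entry(build_sample(magic))
        print(f"magic={magic:#x} entry at e_lfanew+{off:#x} rva={rva:#x} size={size:#x}")
```

The first DWORD of the entry is an RVA, so it still has to be resolved against the image base or the section table before the export directory itself can be read.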