Search code examples
c++winapidllmingwportable-executable

Where is the string table in a Windows DLL?

I have written a routine to dump the symbols and sections from a DLL loaded with LoadLibrary but not sure how to decode MinGW DLLs that have section names that are longer than IMAGE_SIZEOF_SHORT_NAME

For example, a MinGW DLL outputs the follwing sections if I print them as strings:

[".text", ".data", ".rdata", ".pdata", ".xdata", ".bss", ".edata", ".idata",
 ".CRT", ".tls", ".reloc", "/4", "/19", "/31", "/45", "/57", "/70", "/81",
 "/92"]

The other sections as objdump.exe gets them:

.debug_aranges
.debug_info
.debug_abbrev
.debug_line
.debug_frame
.debug_str
.debug_loc
.debug_ranges

Which are all longer than IMAGE_SIZEOF_SHORT_NAME. MSDN explains that:

For longer names, this member contains a forward slash (/) followed by an ASCII representation of a decimal number that is an offset into the string table.

So I have the following code:

  Char buffer[IMAGE_SIZEOF_SHORT_NAME + 1];
  std::strncpy(buffer, reinterpret_cast<const Char * const>(section_header_ptr[i].Name), IMAGE_SIZEOF_SHORT_NAME);
  buffer[IMAGE_SIZEOF_SHORT_NAME] = '\0';
  const Char * name = buffer;
  if (name[0] == '/') {
    const Long rva = std::strtol(name + 1, NULL, 10);
    if ((LONG_MAX == rva) || (LONG_MIN == rva) || ((0 == rva) && (name[0] != '0'))) {
      static const Char * const failure = "failed to convert offset";
      name = failure;
    }
    // -- How do I get the string table here? and use the offset? --
  }

Reading the COFF spec I see that the string table is after the symbol entries so it should be

HMODULE handle = LoadLibrary("some_mingw_library.dll");
PIMAGE_DOS_HEADER idh = (PIMAGE_DOS_HEADER)(handle);
PIMAGE_NT_HEADERS inh = (PIMAGE_NT_HEADERS)(((const uint8_t*)(idh)) + idh->e_lfanew)
PIMAGE_FILE_HEADER ifh = &inh->FileHeader;
PIMAGE_SYMBOL is = (PIMAGE_SYMBOL)(((const uint8_t*)(idh)) + ifh->PointerToSymbolTable)
const char * const string_table = &is[ifh->NumberOfSymbols];

But I get something that is definitely not the string table. I can see the string table in my hex editor. Where is the string table in a portable executable?

Solution

  • When an executable file is mapped into memory it is not loaded as one contiguous lump. Sections are scattered about as described in the section headers.

    Symbols are not necessarily mapped into memory at all.

    PointerToSymbolTable is (I think) a file offset, not a memory offset (and, as described above, they are not the same thing).

    EXEs and DLLs shouldn't have COFF symbols at all, though this file plainly does.

    The answers to most such questions can be found in PEDUMP.