PE export table design

Question

I was just going through [1] and I noticed the following excerpt:

"the requirements for exporting a function are a name, an address, and an export ordinal. You'd think that the designers of the PE format would have put all three of these items into a structure, and then have an array of these structures." "Instead, each component of an exported entry is an element in an array. There are three of these arrays (AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals), and they are all parallel to one another."

I'm curious about why its implemented as three different arrays rather than a structure of three pointers.

Thanks!

[1] [http://msdn.microsoft.com/en-us/library/ms809762.aspx][1]

Answer 1

Yes, this structure is somewhat complicated. Apart from historical reasons, it was probably optimized for accessing the imported symbols by ordinals (rather than names).

If I remember correctly, the AddressOfFunctions is an RVA (pointer relative to the image base) to an array containing RVAs of exported symbols. The ordinal is an index within this array. So that if you have it you can quickly identify the symbol.

OTOH if you have the symbol name only, the AddressOfNames is an RVA to an array containing pointers to ascii string symbol names. You have to find the symbol, then use the found index in the array pointed by AddressOfNameOrdinals, this gives you the symbol ordinal.