From c5d005bdeb8c696adfe85fef3f5fd0a1e54831ca Mon Sep 17 00:00:00 2001
From: Matt Nadareski
Date: Sat, 5 Nov 2022 21:37:54 -0700
Subject: [PATCH] Add PE export address table entries
---
 .../PortableExecutable/Executable.cs | 2 +-
 .../ExportAddressTableEntry.cs | 37 +++++++++++++++++++
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 BurnOutSharp.Models/PortableExecutable/ExportAddressTableEntry.cs
diff --git a/BurnOutSharp.Models/PortableExecutable/Executable.cs b/BurnOutSharp.Models/PortableExecutable/Executable.cs
index cb0cb249..b9f0e22f 100644
--- a/BurnOutSharp.Models/PortableExecutable/Executable.cs
+++ b/BurnOutSharp.Models/PortableExecutable/Executable.cs
@@ -56,6 +56,6 @@ namespace BurnOutSharp.Models.PortableExecutable
 ///
 public DelayLoadDirectoryTableEntry[] DelayLoadDirectoryTable { get; set; }
- // TODO: Left off at "Export Address Table"
+ // TODO: Left off at "Import Directory Table"
 }
 }
diff --git a/BurnOutSharp.Models/PortableExecutable/ExportAddressTableEntry.cs b/BurnOutSharp.Models/PortableExecutable/ExportAddressTableEntry.cs
new file mode 100644
index 00000000..9ba28ed0
--- /dev/null
+++ b/BurnOutSharp.Models/PortableExecutable/ExportAddressTableEntry.cs
@@ -0,0 +1,37 @@
+using System.Runtime.InteropServices;
+
+namespace BurnOutSharp.Models.PortableExecutable
+{
+ ///
+ /// The export address table contains the address of exported entry points
+ /// and exported data and absolutes. An ordinal number is used as an index
+ /// into the export address table.
+ ///
+ /// Each entry in the export address table is a field that uses one of two
+ /// formats in the following table. If the address specified is not within
+ /// the export section (as defined by the address and length that are
+ /// indicated in the optional header), the field is an export RVA, which is
+ /// an actual address in code or data. Otherwise, the field is a forwarder RVA,
+ /// which names a symbol in another DLL.
+ ///
+ ///
+ [StructLayout(LayoutKind.Explicit)]
+ public class ExportAddressTableEntry
+ {
+ ///
+ /// The address of the exported symbol when loaded into memory, relative to
+ /// the image base. For example, the address of an exported function.
+ ///
+ [FieldOffset(0)] public uint ExportRVA;
+
+ ///
+ /// The pointer to a null-terminated ASCII string in the export section. This
+ /// string must be within the range that is given by the export table data
+ /// directory entry. See Optional Header Data Directories (Image Only). This
+ /// string gives the DLL name and the name of the export (for example,
+ /// "MYDLL.expfunc") or the DLL name and the ordinal number of the export
+ /// (for example, "MYDLL.#27").
+ ///
+ [FieldOffset(0)] public uint ForwarderRVA;
+ }
+}
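Review bot: `ExportRVA` and `ForwarderRVA` are both declared at `[FieldOffset(0)]`, so they always read the same 32 bits, and neither field's doc comment says that or records which interpretation applies to a given entry. Assuming the value is read from the file being scanned, it is untrusted, and a consumer of this model could follow `ForwarderRVA` as a string pointer without doing the range test that the class summary describes. I would add to the `ForwarderRVA` comment a line such as `/// Shares storage with ExportRVA; only meaningful when the value lies inside the export data directory range, and must be bounds-checked against the file before the string is read.` A matching line on `ExportRVA` would note that it is only an address in code or data when it falls outside that range. The check itself presumably belongs in the parser that fills this type, which is not part of this patch.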