
What is the reason for null entries in the address export table of a Windows PE file?


I have a project I have built that inspects a Windows PE file. When processing certain files, such as User32 and Shell32, I notice there are entries in the export address table that are 0. What is the purpose of having a null (0) entry in the export address table? (An entry of 0 does not resolve to a valid virtual address)

FYI: using applications like NikPEViewer and Dll Export Viewer will not show these entries at all. DumpBin shows exports that are not contained in the export name table and ordinal table, but it skips the null entries.


Solution

  • I have only a partial response. Assume we write the following exports.def file (Win 8.1 x64 user32.dll):

    EXPORTS
    ...
    wvsprintfW          @2412 
    NtUserDelegateInput @2503 NONAME
    ...
    

    and there are no ordinals between @2412 and @2503, so the linker, to preserve your ordinal order, will need to generate 90 zero entries in the Export Address Table. So the reason on the linker's side is clear: it fulfills our designation. But this leads us to another question: what is the reason for writing this kind of def file? I think this is somehow related to rewriting this file from version to version. Say, in user32.dll from Win7 x64 the highest ordinal is @2502 (compare to NtUserDelegateInput @2503).

    In Win 10 x64 user32.dll we can see:

    ...
    NtUserUpdateWindowTrackingInfo  @2585 NONAME
    
    ; interval [@2586, @2700) is zero
    
    GetDialogBaseUnits96            @2700 NONAME
    
    ; @2701 is zero
    
    EnablePerMonitorMenuScaling     @2702 NONAME
    

    The new API set exports begin from ordinal @2700 (is the space [@2586, @2700) reserved?). But user32.dll does not in general export known (stable) ordinals, so they must not be preserved from version to version. So the reason for setting ordinals directly in the DEF file at all is unclear to me.
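
The ordinal gap described in the answer, as an added example that is not part of the original question or answer: a walker that reports every Export Address Table slot as named, NONAME or zero gap, which is the distinction an inspection tool has to make. The function names, the flat buffer in which offset equals RVA, and the two code RVAs are assumptions; the sample directory is constructed from only the two `.def` lines quoted above.

```python
import struct

def walk_exports(img, dir_rva):
    """List every Export Address Table slot of the export directory at dir_rva.

    img is a buffer in which offset == RVA (a mapped image, or the blob below).
    """
    # IMAGE_EXPORT_DIRECTORY: Base, NumberOfFunctions, NumberOfNames,
    # AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals start at +16.
    base, n_funcs, n_names, eat, names, ords = struct.unpack_from("<6I", img, dir_rva + 16)
    name_of = {}  # EAT index -> exported name
    for i in range(n_names):
        (name_rva,) = struct.unpack_from("<I", img, names + 4 * i)
        (index,) = struct.unpack_from("<H", img, ords + 2 * i)
        name_of[index] = img[name_rva:img.index(b"\0", name_rva)].decode("ascii")
    rows = []
    for i in range(n_funcs):
        (rva,) = struct.unpack_from("<I", img, eat + 4 * i)
        # A zero RVA is an ordinal slot with no export behind it: skip it, never resolve it.
        kind = "gap" if rva == 0 else "named" if i in name_of else "noname"
        rows.append((base + i, rva, name_of.get(i), kind))
    return rows

def build_sample():
    """Constructed export directory holding only the two .def lines quoted above."""
    n = 2503 - 2412 + 1                      # one EAT slot per ordinal in the range
    eat_rva = 40                             # the directory itself is 40 bytes
    names_rva = eat_rva + 4 * n
    ords_rva = names_rva + 4
    str_rva = ords_rva + 2
    eat = [0] * n
    eat[0], eat[-1] = 0x1000, 0x2000         # made-up code RVAs
    hdr = struct.pack("<IIHHI6I", 0, 0, 0, 0, 0, 2412, n, 1, eat_rva, names_rva, ords_rva)
    return (hdr + struct.pack(f"<{n}I", *eat) + struct.pack("<I", str_rva)
            + struct.pack("<H", 0) + b"wvsprintfW\0")

if __name__ == "__main__":
    rows = walk_exports(build_sample(), 0)
    for ordinal, rva, name, kind in rows:
        if kind != "gap":
            print(f"@{ordinal} {name or '(NONAME)'} rva={rva:#x}")
    print(sum(r[3] == "gap" for r in rows), "zero slots between them")
```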