BehindTheCode1337 closed 2 months ago
@BehindTheCode1337 may I ask why you closed that? The idea looks good, to be honest
Saw before I left that it introduced a new bug in siq scanner, wanted to check it out first before suggesting it!
To get this to work I had to change FindSignatureOccurencesQis somewhat.
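```cpp
// File offset of this match: distance of the scan position from the buffer start, plus the match index
auto fileOffset = ((currentPtr - FILE_BUFFER.data()) + occurence);
// Convert file offset to RVA
ea_t rva = OffsetToRva(fileOffset);
if (rva != BADADDR) {
    // Map RVA to EA using the image base address
    ea_t ea = get_imagebase() + rva;
    results.push_back(ea);
}
else {
    // Cast so the argument width matches the format specifier
    msg("Failed to convert file offset %08llX to RVA.\n", (unsigned long long)fileOffset);
}
// Resume scanning one byte past this match
currentPtr = FILE_BUFFER.data() + fileOffset + 1;
```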
This contains the changes.
```cpp
ea_t OffsetToRva(ea_t fileOffset) {
    auto ntHeaders = GetNTHeaders();
    PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(ntHeaders);
    for (int i = 0; i < ntHeaders->FileHeader.NumberOfSections; ++i, ++section) {
        // Check if the file offset falls within the section's raw data range.
        // Comparing the distance from the section start avoids the 32-bit wrap of
        // PointerToRawData + SizeOfRawData when the section header is malformed.
        if (fileOffset >= section->PointerToRawData &&
            fileOffset - section->PointerToRawData < section->SizeOfRawData) {
            // Calculate RVA: adjust for the difference between raw offset and VA
            ea_t rva = (fileOffset - section->PointerToRawData) + section->VirtualAddress;
            return rva;
        }
    }
    return BADADDR; // Couldn't find a matching section
}
```
You can check my fork, it's a PoC for some ideas. It all works, but it's a mess.
I noticed that on bigger binaries this takes up to 13 seconds.
In my fork I changed it to:
Which resulted in loading speeds as fast as 120ms (from 13 seconds before). For me this method also had other benefits, like easy access to PE Header, but that's probably less relevant for this project.
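For reference, the file-offset-to-RVA mapping done by the `OffsetToRva` snippet above, as a standalone added example (not code from this thread or from the project). It goes beyond the posted version by also handling header offsets, sections with no raw data, and raw padding past `VirtualSize`; the `Section` struct, `kBadRva`, the `sizeOfHeaders` parameter and the sample layout are assumptions made for illustration, and treating padding as unmapped is a conservative policy chosen here.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Stand-in for the four IMAGE_SECTION_HEADER fields used here (hypothetical type).
struct Section {
    uint32_t VirtualAddress;
    uint32_t VirtualSize;
    uint32_t PointerToRawData;
    uint32_t SizeOfRawData;
};

constexpr uint64_t kBadRva = UINT64_MAX;  // plays the role of BADADDR

// Map a raw file offset to an RVA; returns kBadRva when no section covers it.
uint64_t offset_to_rva(const std::vector<Section>& sections,
                       uint64_t fileOffset, uint32_t sizeOfHeaders) {
    // Header bytes are mapped 1:1 at the image base, so offset == RVA.
    if (fileOffset < sizeOfHeaders) return fileOffset;
    for (const Section& s : sections) {
        if (s.SizeOfRawData == 0) continue;  // no bytes on disk (e.g. .bss)
        // Work in 64 bits: as 32-bit values, start + size can wrap.
        const uint64_t rawStart = s.PointerToRawData;
        uint64_t mapped = s.SizeOfRawData;
        // Policy assumed here: raw bytes past VirtualSize are padding, not addressable.
        if (s.VirtualSize != 0 && s.VirtualSize < mapped) mapped = s.VirtualSize;
        if (fileOffset >= rawStart && fileOffset - rawStart < mapped)
            return uint64_t{s.VirtualAddress} + (fileOffset - rawStart);
    }
    return kBadRva;
}

// Constructed sample layout (not taken from any real binary).
std::vector<Section> sample_sections() {
    return {
        {0x1000, 0x1234, 0x400, 0x1400},          // .text: padded on disk
        {0x3000, 0x0800, 0x1800, 0x0800},         // .rdata
        {0x4000, 0x2000, 0x0000, 0x0000},         // .bss: no raw data
        {0x6000, 0x0100, 0xFFFFFF00, 0x00000200}, // malformed: 32-bit end wraps
    };
}

int main() {
    const auto secs = sample_sections();
    for (uint64_t off : {0x10ull, 0x400ull, 0x1700ull, 0x1800ull, 0xFFFFFF50ull})
        std::printf("offset 0x%llX -> rva 0x%llX\n", (unsigned long long)off,
                    (unsigned long long)offset_to_rva(secs, off, 0x400));
}
```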