Vector35 / binaryninja-api

Public API, examples, documentation and issues for Binary Ninja
https://binary.ninja/
MIT License

Binary Ninja fails to resolve ws2_32.dll import by negative(?) ordinal #5402

Open bsendpacket opened 5 months ago

bsendpacket commented 5 months ago

Version and Platform (required):

Bug Description: While viewing decompilation of a function that utilizes a ws2_32.dll import, Binary Ninja seems to not be able to deduce the correct imported function. The ordinal is also shown to be negative within the output. I had my friend compare this output within an instance of IDA Pro, and he was able to confirm that the functions are ws2_32!socket and ws2_32!gethostbyname.

Steps To Reproduce: Please provide all steps required to reproduce the behavior:

  1. Download sample (MALICIOUS) from https://bazaar.abuse.ch/sample/f3c124dcce2659610bab08861feebcfe353eb45d1001ccee04db1b9ca7311917/
  2. Extract file, password is "infected"
  3. Navigate to sub_4016D0
  4. Decompile the function and observe the imported ws2_32 calls

Expected Behavior: The first call should be resolved to socket, and the second call should be resolved to gethostbyname.

plafosse commented 5 months ago

Unclear if this is a PE parsing issue or a Type Library issue
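
Added example, not part of the issue thread or of Binary Ninja's code: how a PE32 import-by-ordinal thunk decodes, and why the same 32-bit value prints as a negative number when read as a signed integer. That this signed reading is what produces the negative ordinal reported above is an assumption; the thunk values are constructed (not taken from the linked sample), and the helper names and the partial ws2_32 ordinal table are this example's own.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000  # bit 31 set in a PE32 thunk: import by ordinal

# Partial ordinal-to-name table for ws2_32.dll (only a few exports listed).
WS2_32_ORDINALS = {
    3: "closesocket", 4: "connect", 9: "htons", 16: "recv", 19: "send",
    23: "socket", 52: "gethostbyname", 115: "WSAStartup", 116: "WSACleanup",
}


def decode_thunk32(raw: bytes) -> dict:
    """Decode one 4-byte little-endian IMAGE_THUNK_DATA32 entry."""
    if len(raw) != 4:
        raise ValueError("PE32 thunk entries are exactly 4 bytes")
    (value,) = struct.unpack("<I", raw)   # correct: unsigned 32-bit
    (signed,) = struct.unpack("<i", raw)  # same bytes read as signed
    if value == 0:
        return {"kind": "terminator"}
    if value & IMAGE_ORDINAL_FLAG32:
        # Only the low 16 bits carry the ordinal; the flag bit is what
        # makes the signed interpretation negative.
        return {"kind": "ordinal", "ordinal": value & 0xFFFF, "as_signed": signed}
    return {"kind": "name", "hint_name_rva": value & 0x7FFFFFFF}


def resolve_ws2_32(raw: bytes) -> str:
    """Map a by-ordinal thunk to a ws2_32 export name when it is in the table."""
    thunk = decode_thunk32(raw)
    if thunk["kind"] != "ordinal":
        return thunk["kind"]
    name = WS2_32_ORDINALS.get(thunk["ordinal"])
    return f"ws2_32!{name}" if name else f"ws2_32!Ordinal_{thunk['ordinal']}"


# Constructed sample thunks: two by-ordinal, one by-name, one terminator.
SAMPLE_THUNKS = [struct.pack("<I", v)
                 for v in (0x80000017, 0x80000034, 0x00002F10, 0)]

if __name__ == "__main__":
    for raw in SAMPLE_THUNKS:
        print(raw.hex(), decode_thunk32(raw), resolve_ws2_32(raw))
```
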