andyvand / pefile

Automatically exported from code.google.com/p/pefile

64-bit import table offset error for PE+ binaries #30

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Load a 64-bit PE file 
2. Enumerate the import section
3. Address of each import will be off by 4 * thunk offset

Check out the 64-bit version of cmd.exe that comes with Windows 7 to see what I 
mean. The import address for GetProcAddress actually gets mapped to HeapAlloc 
without properly shifting the offset. :)

What is the expected output? What do you see instead?
The expected output is obviously the correct address. What we get is usually 
another function or an invalid offset, e.g. HeapAlloc instead of GetProcAddress.

What version of the product are you using? On what operating system?
1.2.10 r107 on Windows 7 64-bit using Python 2.7.1 64-bit.

Please provide any additional information below.
This is pretty easily fixed. In parse_imports, just add something like this:

        if self.PE_TYPE == OPTIONAL_HEADER_MAGIC_PE:
            ordinal_flag = IMAGE_ORDINAL_FLAG
            imp_offset = 4
        elif self.PE_TYPE == OPTIONAL_HEADER_MAGIC_PE_PLUS:
            ordinal_flag = IMAGE_ORDINAL_FLAG64
            imp_offset = 8

Then fix the assignment to imp_address:

        imp_address = first_thunk + self.OPTIONAL_HEADER.ImageBase + idx * imp_offset

All fixed! I've tested this against cmd.exe and some other 64-bit binaries I'm 
working on, so YMMV-- this will probably require more testing.

Original issue reported on code.google.com by fra...@dc949.org on 11 Jun 2011 at 5:21
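
The slot-width problem reported above, reproduced as an added example (this is not pefile's code; `iat_slots`, its `stride` override, the `NAMES` lookup and the sample thunk array are constructed for illustration). It walks a PE32+ thunk array once with the correct 8-byte stride and once with the hardcoded 4-byte stride, so the mislabelled IAT slot is visible:

```python
import struct

# Magic values and ordinal flags from the PE/COFF specification.
OPTIONAL_HEADER_MAGIC_PE = 0x10B        # PE32
OPTIONAL_HEADER_MAGIC_PE_PLUS = 0x20B   # PE32+
IMAGE_ORDINAL_FLAG = 0x80000000
IMAGE_ORDINAL_FLAG64 = 0x8000000000000000


def iat_slots(thunks, names, pe_type, image_base, first_thunk, stride=None):
    """Map each IAT slot virtual address to the import stored in it.

    thunks: raw, null-terminated thunk array.
    names:  hint/name RVA -> name (hypothetical stand-in for the name table).
    stride: overrides the address step per entry; used to reproduce the bug.
    """
    if pe_type == OPTIONAL_HEADER_MAGIC_PE:
        fmt, width, ordinal_flag = "<I", 4, IMAGE_ORDINAL_FLAG
    elif pe_type == OPTIONAL_HEADER_MAGIC_PE_PLUS:
        fmt, width, ordinal_flag = "<Q", 8, IMAGE_ORDINAL_FLAG64
    else:
        raise ValueError("unknown optional header magic: %#x" % pe_type)
    stride = width if stride is None else stride
    slots = {}
    for idx in range(len(thunks) // width):
        (entry,) = struct.unpack_from(fmt, thunks, idx * width)
        if entry == 0:                     # a null thunk terminates the array
            break
        if entry & ordinal_flag:           # import by ordinal (low 16 bits)
            name = "ordinal_%d" % (entry & 0xFFFF)
        else:                              # import by name via hint/name RVA
            name = names[entry]
        slots[image_base + first_thunk + idx * stride] = name
    return slots


# Constructed sample: a PE32+ thunk array, not the real layout of cmd.exe.
NAMES = {0x3000: "HeapFree", 0x3010: "HeapAlloc", 0x3020: "GetProcAddress"}
THUNKS = struct.pack("<5Q", 0x3000, 0x3010, 0x3020, IMAGE_ORDINAL_FLAG64 | 17, 0)
BASE, FIRST_THUNK = 0x140000000, 0x2000

fixed = iat_slots(THUNKS, NAMES, OPTIONAL_HEADER_MAGIC_PE_PLUS, BASE, FIRST_THUNK)
buggy = iat_slots(THUNKS, NAMES, OPTIONAL_HEADER_MAGIC_PE_PLUS, BASE, FIRST_THUNK, stride=4)

for va in sorted(set(fixed) | set(buggy)):
    print("%#x  8-byte stride: %-15s 4-byte stride: %s" % (va, fixed.get(va, "-"), buggy.get(va, "-")))
```

With the 4-byte stride, slot `0x140002008` is labelled `GetProcAddress` although it holds `HeapAlloc`, so any call site resolved through that table is attributed to the wrong API.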

GoogleCodeExporter commented 9 years ago
Fixed in revision 111. Thanks for reporting the problem!

Original comment by ero.carr...@gmail.com on 1 Aug 2011 at 7:18