Add an option to not parse the content of ExportedDirectory when target dll is an image, because:
The ExportedDirectory (VA) is an address in .rdata;
The address is de-referenced in the getExportedAddressTable and 3 other assembly functions;
parseDLL() is called on the raw_beacon_dll, which is an image;
However, this address may not exist on an image (because this may be a big address, but image is not loaded) thus may trigger an access violation. Specifically, when "ExportedDirectoryRVA" > "imageSize".
(Not sure if there is a better solution)
The modification should not effect other code, i.e when parsing an in-memory dll; but will parse only the header when the dll is an image (probably another solution is to add auto-detection of image-only header (e.g PE\0\0) but it could be an extra point of failure?) because the data will be garbage anyway and may trigger an alarm.
Add an option to not parse the content of
ExportedDirectory
when target dll is an image, because:.rdata
;getExportedAddressTable
and 3 other assembly functions;parseDLL()
is called on theraw_beacon_dll
, which is an image;