Closed optimizedaway closed 5 years ago
Yup, those are imports by ordinals. Not commonly used anymore, but ws2_32.dll is an exception. Will try and figure out a way to get from ordinals back to a symbol name (since that would be necessary to link in modified source code files which reference any functions from ws2_32.dll).
Target process crashes with access violation during initial remote thread injection:
I debugged the target process. Symbols from dxgi.dll and d3d11 are properly initialized, but the process fails on access to import->Name from WS2_32.dll; the content of import_name_table[k].u1.AddressOfData looks very suspicious (0x800000000000006f). Addresses from other libraries are OK.
Output from debugger:
I "fixed" the problem by ignoring symbol addresses with highest bit set:
I tried to dig through PE spec but didn't find anything useful. Maybe this is a lookup by ordinal number? Any ideas?
Win10 x64 Pro v1803 (17134.471), Windows SDK 10.0.17763.0
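
In a PE32+ import lookup table, an entry with bit 63 set (such as the 0x800000000000006f quoted in this thread) is an import by ordinal, with the ordinal in the low 16 bits. The following is an added example, not code from the issue or the project: it decodes such an entry and maps the ordinal back to a name through the export name-ordinal table. The `export_view` struct, the function names and the sample export table are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define ORDINAL_FLAG64 0x8000000000000000ULL /* same value as IMAGE_ORDINAL_FLAG64 */

/* Hypothetical, already-parsed view of a DLL's IMAGE_EXPORT_DIRECTORY. */
typedef struct {
    uint32_t base;                 /* Base: ordinal of the first function slot */
    uint32_t number_of_functions;  /* NumberOfFunctions */
    uint32_t number_of_names;      /* NumberOfNames */
    const char *const *names;      /* AddressOfNames, resolved to strings */
    const uint16_t *name_ordinals; /* AddressOfNameOrdinals: unbiased indices */
} export_view;

/* Returns 1 and stores the ordinal if the thunk imports by ordinal, else 0. */
int thunk_ordinal(uint64_t thunk, uint16_t *ordinal) {
    if (!(thunk & ORDINAL_FLAG64))
        return 0; /* bit 63 clear: value is an RVA to IMAGE_IMPORT_BY_NAME */
    *ordinal = (uint16_t)(thunk & 0xFFFF);
    return 1;
}

/* Maps an ordinal to its exported name; NULL if out of range or nameless. */
const char *ordinal_to_name(const export_view *e, uint16_t ordinal) {
    if (ordinal < e->base || ordinal - e->base >= e->number_of_functions)
        return NULL;
    uint16_t index = (uint16_t)(ordinal - e->base); /* table stores ordinal - Base */
    for (uint32_t i = 0; i < e->number_of_names; i++)
        if (e->name_ordinals[i] == index)
            return e->names[i];
    return NULL; /* exported by ordinal only */
}

/* Constructed sample export table, not real ws2_32.dll data. */
static const char *const sample_names[] = { "SampleAlpha", "SampleBeta", "SampleGamma" };
static const uint16_t sample_name_ordinals[] = { 0, 110, 2 };
static const export_view sample_exports = { 1, 200, 3, sample_names, sample_name_ordinals };

const char *resolve_thunk(const export_view *e, uint64_t thunk) {
    uint16_t ord;
    return thunk_ordinal(thunk, &ord) ? ordinal_to_name(e, ord) : NULL;
}

int main(void) {
    const char *n = resolve_thunk(&sample_exports, 0x800000000000006fULL);
    printf("0x6f -> %s\n", n ? n : "(not an ordinal import, or no name)");
    return 0;
}
```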