TACIXAT
commented
10 years ago In PEParser.java, readSection: Added the third line here:
if (dad >= vad && dad < vex) {
int off = dad - vad;
off += 32;That fixes the import parsing. The -1 size issue mentioned above is because the data reader is a fixed size and I was keeping the offset the same and jumping 32 forward rather than moving the offset forward by 32. This was resulting in reading passed the end of the buffer, thus the -1s. Now we reach the last null entry and exit the loop properly:
DR POS: 220
ITL RVA: 0
TDS: 0
FC: 0
NAME RVA: 0
IAT RVA: 0I'll see if adding 32 there breaks anything else and f I look into the exact reason for it being off I'll update here.
jonnyzzz
When parsing the import directory, the offset is 32 bytes short of where it should be. I didn't track down the exact math, but this is probably some header not being accounted for.
There may also be an issue with the size used, as the readDoubleWord() function starts returning -1.
I'll update when I have more info on the size issue.
The (clean) sample I'm using to test: 0de3c7622ec33126579b1742260f08c2