ESET NOD32 emulator fails if you modify .idata after imports

[GoogleCodeExporter]

If you import _encode_pointer from MSVCR90 and then modify the IAT in your 
code, the emulator gets very confused.

Verify like so:

$ nasm -f bin modifyidata.asm -o modifyidata
$ esets_scan modifyidata
Segmentation Fault

This seems likely to be remotely exploitable.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by tav...@google.com on 30 Jun 2015 at 10:04

Attachments:

• modifyidata.asm

[GoogleCodeExporter]

Original comment by scvi...@google.com on 1 Jul 2015 at 2:42

• Added labels: Reported-2015-Jun-30
• Removed labels: Reported-20-Jun-15

[GoogleCodeExporter]

ESET report that this vulnerability was fixed in version 1156, and had already 
been discovered via internal testing.

It's my understanding that the fix was rolled out the same day I had reported 
it.

Original comment by tav...@google.com on 1 Jul 2015 at 5:03

• Changed state: Fixed
• Removed labels: Restrict-View-Commit