Closed kkent030315 closed 4 days ago
@m4b Thank you for the review! This PR is ready to go.
@m4b I'm a specialist in PE and I'm confident that it's totally fine to use the lookup table in static binary parsers like goblin.
Yet the code behaves semantically as it did before, and only makes exceptions such as the one the issue describes.
I originally posted my request for the original binary in question; however, that sample is 99% (most likely) specially crafted (packed) with private PE packers that no one else knows. The first thunk (address table) is zero, which means that it semantically does nothing other than having the Windows loader load that dependency at execution without resolving the symbol. That is what makes me believe it is specially crafted and not one of the usual cases where proprietary linkers do this.
Anyways, thanks for the heads up!
Sample: sample.zip
OFTs (Original First Thunk, aka lookup table) are kept as raw when mapped into virtual memory; FTs (First Thunk, aka address table) are rewritten to the absolute address where the import function is located when mapped into virtual memory.
Static import parsing would work fine in both cases, so use OFTs if FTs are zero, but keep FTs preferred.
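The fallback described above, as an added example that is not goblin's code or part of this PR: it walks the FT array first and uses the OFT array only when the FT array yields no entries. It assumes PE32+ (64-bit thunks) and a constructed buffer in which RVAs equal offsets; all function and type names are hypothetical.

```rust
// Added example (not goblin's code). Assumes PE32+ thunks and RVA == buffer offset.
#[derive(Debug, PartialEq)]
enum Source { FirstThunk, OriginalFirstThunk, Empty }
#[derive(Debug, PartialEq)]
enum Import { Ordinal(u16), HintNameRva(u32) }

// Bounds-checked little-endian read of `n` bytes, widened to u64.
fn le_at(b: &[u8], off: usize, n: usize) -> Option<u64> {
    let s = b.get(off..off.checked_add(n)?)?;
    Some(s.iter().rev().fold(0u64, |acc, &x| (acc << 8) | x as u64))
}

// Walk a zero-terminated thunk array; RVA 0 or a truncated table ends the walk.
fn read_thunks(image: &[u8], rva: u32) -> Vec<Import> {
    let (mut out, mut off) = (Vec::new(), rva as usize);
    if rva == 0 { return out; }
    while let Some(t) = le_at(image, off, 8) {
        if t == 0 { break; }
        out.push(if t >> 63 == 1 { Import::Ordinal(t as u16) }
                 else { Import::HintNameRva((t & 0x7fff_ffff) as u32) });
        off += 8;
    }
    out
}

// IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk at +0, FirstThunk at +16.
fn select_imports(image: &[u8], desc: usize) -> (Source, Vec<Import>) {
    let oft = le_at(image, desc, 4).unwrap_or(0) as u32;
    let ft = desc.checked_add(16).and_then(|o| le_at(image, o, 4)).unwrap_or(0) as u32;
    let from_ft = read_thunks(image, ft); // FT stays preferred
    if !from_ft.is_empty() { return (Source::FirstThunk, from_ft); }
    let from_oft = read_thunks(image, oft); // fallback when FT is zero
    if from_oft.is_empty() { (Source::Empty, from_oft) } else { (Source::OriginalFirstThunk, from_oft) }
}

// Constructed sample: descriptor at 0, OFT at 0x20, FT at 0x40 (optionally zeroed).
fn sample_image(ft_zeroed: bool) -> Vec<u8> {
    let mut img = vec![0u8; 0x60];
    img[0..4].copy_from_slice(&0x20u32.to_le_bytes());
    img[16..20].copy_from_slice(&0x40u32.to_le_bytes());
    for (i, t) in [0x8000_0000_0000_0010u64, 0x58].iter().enumerate() {
        img[0x20 + i * 8..0x28 + i * 8].copy_from_slice(&t.to_le_bytes());
        if !ft_zeroed { img[0x40 + i * 8..0x48 + i * 8].copy_from_slice(&t.to_le_bytes()); }
    }
    img
}

fn main() {
    for z in [false, true] { println!("{:?}", select_imports(&sample_image(z), 0)); }
}
```

With the FT array zeroed, the same two imports are recovered from the OFT array, and the returned `Source` records which table was used.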