We currently use the pclntab magic to find the pclntab, then use that VA to locate the moduledata. Once we have the moduledata, we read the .text base from a member of that table and re-parse all pclntab candidates with this correct VA. This is slow.
To fix:
Verify pclntab scan is stable with incorrect .text sections (should be). We heavily rely on a correct pclntab VA now.
Prune the candidate set so that any pclntab candidate with a SecStart != moduledata.text is removed.
Reparse the candidates left
Pick first valid candidate satisfying all of these. In practice, should only have one left.
stevemk14ebr
commented
11 months ago
We currently use the pclntab magic to find the pclntab, then use that VA to locate the moduledata. Once we have the moduledata, we read the .text base from a member of that table and re-parse all pclntab candidates with this correct VA. This is slow.
To fix:
SecStart!= moduledata.text is removed.