nanonyme / pefile

Automatically exported from code.google.com/p/pefile

pefile will print the symbol name with ordinal as none for import table symbols #41

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Just read the Safari.dll file under Ubuntu:

    import pefile

    pe = pefile.PE(pe_file_path, fast_load=False)

2. Then read the import table information:

    if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
        for entry in pe.DIRECTORY_ENTRY_IMPORT:
            print entry.dll
            for imp in entry.imports:
                print '\t', hex(imp.address), imp.name, imp.ordinal, entry.dll

3. I wish to get all the symbols, their addresses and their ordinals.

What is the expected output? What do you see instead?
Wrong output:
WS2_32.dll
    0x1052b548 None 8 WS2_32.dll
    0x1052b54c None 9 WS2_32.dll
    0x1052b550 getaddrinfo None WS2_32.dll
    0x1052b554 None 57 WS2_32.dll
    0x1052b558 None 14 WS2_32.dll
    0x1052b55c freeaddrinfo None WS2_32.dll
    0x1052b560 None 15 WS2_32.dll
Expected output:
The symbol name should not be None, since I can read them via IDAPro.
And I found that if there is no ordinal associated with the symbols, then
pefile can print it right, but for the symbols with an ordinal, pefile just
cannot find its name. This is a little weird.

What version of the product are you using? On what operating system?
pefile version: pefile-1.2.10-114 and pefile-1.2.10-121
OS: Ubuntu 12.04

Please provide any additional information below.
None.

Original issue reported on code.google.com by linfengl...@gmail.com on 11 Sep 2012 at 11:12

GoogleCodeExporter commented 9 years ago
Good news on this question: after I searched in the discussion group, I
luckily found that Romain already gave a solution to my question, and now I
can get all function names imported by ordinals.

But unfortunately, after detailed investigation, I noticed that his solution is
not a complete solution.
Because it currently just works for pe.DIRECTORY_ENTRY_IMPORT, and it still
cannot work for the delay import table [which is pe.DIRECTORY_ENTRY_DELAY_IMPORT],
and I tried to revise the pefile Python code [parse_delay_import_directory function
and parse_imports function] to implement it but failed with dead looping
seemingly, because the code seems to enter into an infinite loop.

Currently I got the following results: OLEAUT32.dll belongs to
DIRECTORY_ENTRY_IMPORT and WS2_32.dll belongs to DIRECTORY_ENTRY_DELAY_IMPORT.

OLEAUT32.dll
    0x10493f0c SysFreeString 6 OLEAUT32.dll
    0x10493f10 SysAllocString 2 OLEAUT32.dll
    0x10493f14 SysStringLen 7 OLEAUT32.dll
    0x10493f18 SysAllocStringLen 4 OLEAUT32.dll
    0x10493f1c VariantClear 9 OLEAUT32.dll
    0x10493f20 VariantTimeToSystemTime 185 OLEAUT32.dll
    0x10493f24 SafeArrayLock 21 OLEAUT32.dll
    0x10493f28 SafeArrayGetLBound 20 OLEAUT32.dll
    0x10493f2c SafeArrayGetUBound 19 OLEAUT32.dll
    0x10493f30 SafeArrayUnlock 22 OLEAUT32.dll
    0x10493f34 SafeArrayDestroy 16 OLEAUT32.dll
    0x10493f38 SafeArrayCreateVector 411 OLEAUT32.dll

WS2_32.dll
    0x1052b548 None 271075289 8 WS2_32.dll
    0x1052b54c None 271075262 9 WS2_32.dll
    0x1052b550 getaddrinfo 271075309 None WS2_32.dll
    0x1052b554 None 271075299 57 WS2_32.dll
    0x1052b558 None 273211143 14 WS2_32.dll
    0x1052b55c freeaddrinfo 271075319 None WS2_32.dll
    0x1052b560 None 273211153 15 WS2_32.dll

Obviously the existing solution just did not work for the delayed import table,
such as WS2_32.dll.
And for my purpose, I would have to parse WS2_32.dll again to get its
export table and then match it with the ordinal number.

Here, I just want to point out this problem, and hope that there is a solution
like IDAPro's.
Thanks in advance!

Original comment by linfengl...@gmail.com on 18 Sep 2012 at 11:46

GoogleCodeExporter commented 9 years ago
When symbols are imported by ordinal there will be no names and vice versa, when
imported by name there will be no ordinal.
IDA displays the information because it knows the names that correspond to the
ordinals for some common DLLs. pefile will be able to do something similar.

Original comment by ero.carr...@gmail.com on 4 Dec 2013 at 5:36

GoogleCodeExporter commented 9 years ago
There is now support to resolve symbols from 'ws2_32.dll' / 'wsock32.dll' and 
'oleaut32.dll' thanks to a patch contributed by Mandiant (revision 134).

Original comment by ero.carr...@gmail.com on 11 Dec 2013 at 10:47
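The two maintainer comments above describe the fix: an import entry carries either a name or an ordinal, so the only way to show a name for an ordinal import is a per-DLL lookup table, and that table has to be applied to the delay-load directory as well as the regular one. The following is an added example for this thread, not pefile's own code. It models import entries with small dataclasses that carry the attribute names the reporter used (entry.dll, entry.imports, imp.address, imp.name, imp.ordinal), so it runs without pefile or a DLL file; walk_pe() applies the same walk to a real pefile.PE object. The ordinal table is constructed and deliberately partial: its OLEAUT32 rows come from the listing in the thread, its WS2_32 rows are the classic Winsock ordinals, and anything outside it is reported as unresolved rather than dropped.

```python
"""Resolve symbols imported by ordinal to names, for both the regular import
directory and the delay-load import directory.

Added example for this thread, not pefile's own code. Import entries are
modelled with dataclasses that expose the same attributes pefile does
(entry.dll, entry.imports, imp.address, imp.name, imp.ordinal), so the walk
also accepts real pefile objects but runs here without pefile or a DLL file.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed, deliberately partial ordinal-to-name table. The OLEAUT32 rows
# are taken from the thread's own listing; the WS2_32 rows are the classic
# Winsock ordinals. A production table must cover every ordinal a DLL exports.
ORDINAL_NAMES: Dict[str, Dict[int, str]] = {
    "ws2_32.dll": {8: "htonl", 9: "htons", 14: "ntohl", 15: "ntohs",
                   57: "gethostname"},
    "oleaut32.dll": {2: "SysAllocString", 4: "SysAllocStringLen",
                     6: "SysFreeString", 7: "SysStringLen", 9: "VariantClear"},
}


def _text(value) -> str:
    """pefile hands back bytes on Python 3; accept str as well."""
    return value.decode("latin-1") if isinstance(value, bytes) else value


@dataclass
class ImportData:
    address: int
    name: Optional[bytes]    # None when the symbol is imported by ordinal
    ordinal: Optional[int]   # None when the symbol is imported by name


@dataclass
class ImportDescriptor:
    dll: bytes
    imports: List[ImportData] = field(default_factory=list)


def resolve_name(dll, imp) -> Tuple[str, str]:
    """Return (symbol, how); how is 'name', 'ordinal-table' or
    'ordinal-unresolved'. An import carries either a name or an ordinal,
    never both, which is why imp.name is None in the reporter's output."""
    if imp.name is not None:
        return _text(imp.name), "name"
    if imp.ordinal is None:
        raise ValueError("import entry has neither a name nor an ordinal")
    table = ORDINAL_NAMES.get(_text(dll).lower(), {})
    if imp.ordinal in table:
        return table[imp.ordinal], "ordinal-table"
    # Unknown ordinal: keep it visible instead of silently dropping it.
    return f"ord{imp.ordinal}", "ordinal-unresolved"


def walk_imports(regular, delayed):
    """Flatten both directories into (section, dll, address, symbol, how)."""
    rows = []
    for section, entries in (("import", regular), ("delay-import", delayed)):
        for entry in entries:
            for imp in entry.imports:
                symbol, how = resolve_name(entry.dll, imp)
                rows.append((section, _text(entry.dll), imp.address, symbol, how))
    return rows


def walk_pe(pe):
    """Same walk over a real pefile.PE object (attribute names from the thread)."""
    return walk_imports(getattr(pe, "DIRECTORY_ENTRY_IMPORT", []),
                        getattr(pe, "DIRECTORY_ENTRY_DELAY_IMPORT", []))


def unresolved(rows):
    """Rows whose ordinal the table could not name: the list to review by hand."""
    return [row for row in rows if row[4] == "ordinal-unresolved"]


# Constructed sample modelled on the Safari.dll output in the thread: OLEAUT32
# in the regular directory, WS2_32 in the delay-load directory.
SAMPLE_IMPORT = [ImportDescriptor(b"OLEAUT32.dll", [
    ImportData(0x10493F0C, None, 6),
    ImportData(0x10493F10, None, 2),
    ImportData(0x10493F38, None, 411),   # not in the partial table above
])]
SAMPLE_DELAY = [ImportDescriptor(b"WS2_32.dll", [
    ImportData(0x1052B548, None, 8),
    ImportData(0x1052B54C, None, 9),
    ImportData(0x1052B550, b"getaddrinfo", None),
    ImportData(0x1052B554, None, 57),
    ImportData(0x1052B558, None, 14),
    ImportData(0x1052B55C, b"freeaddrinfo", None),
    ImportData(0x1052B560, None, 15),
])]

if __name__ == "__main__":
    for section, dll, address, symbol, how in walk_imports(SAMPLE_IMPORT, SAMPLE_DELAY):
        print(f"{section:12} {dll:14} {address:#010x} {symbol:24} ({how})")
```

The lookup is keyed on the lower-cased DLL name because import descriptors are free to spell it in any case. Keeping the "how" column is worth the extra field when triaging a binary: a name that came out of the ordinal table is an inference, and an ord-prefixed entry marks exactly where the table is still missing data. Later pefile releases bundle this kind of table in their ordlookup module for the DLLs named in the last comment.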