trailofbits / pe-parse

Principled, lightweight C/C++ PE parser
MIT License
793 stars 155 forks

pe export table calculate wrong #33

Closed mwpcheung closed 6 years ago

mwpcheung commented 7 years ago

When I use this lib to test with PE files, I compared the result with Python pefile.

This lib works wrong when I input Windows XP SP3 "ntoskrnl.exe" x86 arch.

The export table function entry address is wrong.
The function count is different from IDA Pro.

Thanks to the author that you've given us a cross-platform library; it works on win32, win64 and also Unix-like systems.

jkolek commented 7 years ago

This issue appears when using pepy?

jkolek commented 7 years ago

I'm not able to reproduce the issue, dump-prog, pepy test and IDA Pro are outputting the same results to me for ntoskrnl.exe.

mwpcheung commented 7 years ago

I'm very sorry for the Win XP SP3 ntkrnl. My computer was injured by a virus. The krnl file is an error PE file.

mwpcheung commented 7 years ago

The bug happened to me again... export table calc error. Function name bool getExports(parsed_pe *p) + 211 lines:

    // Excerpt from the loop body of getExports(), as quoted in this issue
    ::uint32_t symRVA;
    if (!readDword(eatSec.sectionData, eatOff + eatIdx, symRVA)) {
      return false;
    }

    // An RVA that points back inside the export directory is a forwarder string, not code
    bool isForwarded =
        ((symRVA >= exportDir.VirtualAddress) &&
         (symRVA < exportDir.VirtualAddress + exportDir.Size));

    if (!isForwarded) {
      // symVA is only 32 bits wide; for PE32+ (OptionalHeader64) ImageBase is 64 bits,
      // so the sum below is narrowed and the high bits are dropped
      ::uint32_t symVA;
      if (p->peHeader.nt.OptionalMagic == NT_OPTIONAL_32_MAGIC) {
        symVA = symRVA + p->peHeader.nt.OptionalHeader.ImageBase;
      } else if (p->peHeader.nt.OptionalMagic == NT_OPTIONAL_64_MAGIC) {
        symVA = symRVA + p->peHeader.nt.OptionalHeader64.ImageBase;
      } else {
        return false;
      }

      exportent a;

      a.addr = symVA;  // addr is 64-bit, but receives the already-truncated value
      a.symbolName = symName;
      a.moduleName = modName;
      p->internal->exports.push_back(a);

exportent.addr is a 64-bit uint. symVA you defined as uint32_t. uint32_t = uint32_t + 64-bit imagebase, then bits are lost. The bug happens with Windows x64 ntoskrnl.exe, Win10 2015-11.
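The truncation described in this comment, reproduced in isolation as an added example (this is not pe-parse's code; the `DataDir`/`ExportEntry` types, the sample ImageBase of `0x140000000` and the three-slot export address table are constructed for illustration). It shows the narrowed computation beside the 64-bit one, keeps the forwarder check from the quoted loop but performs it in 64-bit arithmetic so `VirtualAddress + Size` cannot wrap on a malformed header, and bounds-checks every table read:

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Stand-ins for the pe-parse types the issue quotes (constructed for this example).
struct DataDir {
  uint32_t VirtualAddress;
  uint32_t Size;
};

struct ExportEntry {
  uint64_t addr;       // 64-bit, like exportent.addr
  bool forwarded;
  std::string name;
};

// Decode a little-endian DWORD at `off`; false if the read would run past the buffer.
bool readDword(const std::vector<uint8_t> &buf, size_t off, uint32_t &out) {
  if (off > buf.size() || buf.size() - off < 4) return false;
  out = static_cast<uint32_t>(buf[off]) |
        (static_cast<uint32_t>(buf[off + 1]) << 8) |
        (static_cast<uint32_t>(buf[off + 2]) << 16) |
        (static_cast<uint32_t>(buf[off + 3]) << 24);
  return true;
}

// The defect from the issue: storing RVA + 64-bit ImageBase in a uint32_t keeps only the low 32 bits.
uint32_t truncatedVA(uint32_t symRVA, uint64_t imageBase) {
  uint32_t symVA = static_cast<uint32_t>(symRVA + imageBase);  // the original narrows implicitly
  return symVA;
}

// The fix: widen before adding and keep the result 64 bits wide.
uint64_t fullVA(uint32_t symRVA, uint64_t imageBase) {
  return static_cast<uint64_t>(symRVA) + imageBase;
}

// Walk `count` EAT slots starting at `eatOff` in `sectionData`. An RVA that lands inside
// the export directory is a forwarder string rather than code, so it gets no address.
bool walkExports(const std::vector<uint8_t> &sectionData, size_t eatOff, uint32_t count,
                 DataDir exportDir, uint64_t imageBase, std::vector<ExportEntry> &out) {
  // Range check in 64 bits: VirtualAddress + Size can wrap in 32 bits on a hostile header.
  uint64_t dirStart = exportDir.VirtualAddress;
  uint64_t dirEnd = dirStart + exportDir.Size;
  for (uint32_t i = 0; i < count; ++i) {
    uint32_t symRVA;
    if (!readDword(sectionData, eatOff + static_cast<size_t>(i) * 4, symRVA)) return false;
    ExportEntry e;
    e.forwarded = (symRVA >= dirStart) && (symRVA < dirEnd);
    e.addr = e.forwarded ? 0 : fullVA(symRVA, imageBase);
    e.name = "#" + std::to_string(i);  // hypothetical label; a real parser resolves the name table
    out.push_back(e);
  }
  return true;
}

// Constructed sample: a PE32+ ImageBase above 4 GiB and a three-slot EAT whose second
// entry points into the export directory (RVA 0x1000..0x1100), i.e. a forwarder.
const uint64_t kImageBase = 0x140000000ULL;
const DataDir kExportDir = {0x1000, 0x100};

std::vector<ExportEntry> sampleExports() {
  std::vector<uint8_t> eat = {0x00, 0x20, 0x00, 0x00,   // RVA 0x2000
                              0x50, 0x10, 0x00, 0x00,   // RVA 0x1050 (forwarder)
                              0x10, 0x30, 0x00, 0x00};  // RVA 0x3010
  std::vector<ExportEntry> out;
  walkExports(eat, 0, 3, kExportDir, kImageBase, out);
  return out;
}

int main() {
  for (const ExportEntry &e : sampleExports()) {
    if (e.forwarded) {
      std::printf("%s forwarded\n", e.name.c_str());
    } else {
      std::printf("%s VA=0x%llx (32-bit temporary would give 0x%x)\n", e.name.c_str(),
                  (unsigned long long)e.addr,
                  truncatedVA((uint32_t)(e.addr - kImageBase), kImageBase));
    }
  }
  return 0;
}
```

With the sample base, RVA 0x2000 resolves to 0x140002000; the 32-bit temporary keeps only 0x40002000, which is the kind of value that looks plausible and is therefore easy to miss in a diff against IDA or pefile until the high bits are compared.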

jkolek commented 7 years ago

Ok, I will take a look.

ghost commented 6 years ago

This issue has been fixed in parse.cpp since #56. Fixed in pepy since #73 with change to #define PEPY_PARSED_GET.