This repository has been archived by the owner on Jan 27, 2020. It is now read-only.

Suspicious virtual address arithmetic #1

Closed
ladislav-zezula opened this issue Apr 13, 2018 · 3 comments

@ladislav-zezula
Contributor

In the DelayImportDirectory::read() function (DelayImportDirectory.h), there is suspicious arithmetic which possibly subtracts a 64-bit image base from a 32-bit value:

	if (std::abs(static_cast<int>(uiDelayImportsVa - rec.NameRva)) <
	    std::abs(static_cast<int>(uiDelayImportsRva - rec.NameRva)))
	{
		rec.NameRva -= peHeader.getImageBase();
	}

The meaning of the entire block is a mystery to me (perhaps parsing files that are memory image dumps?). However, it may lead to undefined results, as image bases in 64-bit PE files are also 64-bit and typically exceed the 4 GB boundary (default image base for files produced by the MSVC linker is 00000001-40000000).

@metthal
Member

metthal commented Apr 25, 2018

The mentioned code probably tries to solve this in a very hacky way. We should use the attribute mentioned in the SO answer to recognize whether the delayed import directory contains VAs or RVAs.
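
Added example, not part of the thread and not PeLib's code or the fix in commit ba7126d: it contrasts the truncating subtraction questioned above with an attribute-driven conversion. It assumes the attribute meant is the RVA-based bit of the delay-load descriptor (bit 0 of Attributes, `dlattrRva` in MSVC's delayimp.h); the function names and sample values are hypothetical.

```cpp
#include <cstdint>
#include <cstdio>

// Bit 0 of the delay-load descriptor's Attributes field (dlattrRva in MSVC's
// delayimp.h): set = address fields are RVAs, clear = virtual addresses.
constexpr std::uint32_t kDelayAttrRva = 0x1;

// The arithmetic questioned in the issue: a 64-bit image base subtracted from
// a 32-bit field, with the result truncated back to 32 bits.
std::uint32_t truncatingSubtract(std::uint32_t field, std::uint64_t imageBase)
{
    return static_cast<std::uint32_t>(field - imageBase);
}

// Hypothetical helper: converts one descriptor field to an RVA, choosing the
// interpretation from the attribute bit. Returns false for impossible values.
bool delayFieldToRva(std::uint32_t field, std::uint32_t attributes,
                     std::uint64_t imageBase, std::uint32_t sizeOfImage,
                     std::uint32_t& rvaOut)
{
    std::uint64_t rva = field;
    if ((attributes & kDelayAttrRva) == 0)
    {
        // VA form: a 32-bit field below the image base cannot point into the image.
        if (field < imageBase)
            return false;
        rva = field - imageBase; // 64-bit arithmetic, cannot wrap after the check
    }
    if (rva >= sizeOfImage)      // reject anything outside the mapped image
        return false;
    rvaOut = static_cast<std::uint32_t>(rva);
    return true;
}

int main()
{
    // Constructed sample values: MSVC's default 64-bit image base, 32-bit field.
    const std::uint64_t base64 = 0x140000000ULL;
    std::uint32_t rva = 0;
    std::printf("truncated result: 0x%08X\n",
                static_cast<unsigned>(truncatingSubtract(0x3000, base64)));
    bool ok = delayFieldToRva(0x3000, kDelayAttrRva, base64, 0x10000, rva);
    std::printf("RVA-based: ok=%d rva=0x%X\n", ok, static_cast<unsigned>(rva));
    ok = delayFieldToRva(0x3000, 0, base64, 0x10000, rva);
    std::printf("VA-based with 64-bit base: ok=%d\n", ok);
    return 0;
}
```
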

@s3rvac
Member

s3rvac commented Apr 25, 2018

Possibly related to avast/retdec#282.

ladislav-zezula pushed a commit that referenced this issue Apr 26, 2018
@ladislav-zezula
Contributor Author

Fixed in commit ba7126d
