[BUGFIX] Treat as a new IAT only those that have more than 1 thunk (I…
…ssue #89)
hasherezade committed Sep 4, 2021
1 parent 783ff31 commit 7ccc63a
Showing 4 changed files with 14 additions and 10 deletions.
4 changes: 2 additions & 2 deletions include/pe_sieve_version.h
Expand Up @@ -6,8 +6,8 @@
namespace pesieve {
#endif

const char PESIEVE_VERSION[] = "0.3.0.3";
const DWORD PESIEVE_VERSION_ID = 0x00030003; // 00 03 00 03
const char PESIEVE_VERSION[] = "0.3.0.4";
const DWORD PESIEVE_VERSION_ID = 0x00030004; // 00 03 00 04
const char PESIEVE_URL[] = "https://github.com/hasherezade/pe-sieve";

#ifdef __cplusplus
10 changes: 5 additions & 5 deletions postprocessors/imp_rec/iat_block.h
Expand Up @@ -110,19 +110,19 @@ namespace pesieve {
return true;
}

bool isCovered()
bool isCovered() const
{
return isCoverageComplete;
}

bool isValid()
bool isValid() const
{
//allow for every block with complete coverage
return isCovered();
}

//how many functions the IAT has
size_t countThunks()
size_t countThunks() const
{
return functions.size();
}
Expand Down Expand Up @@ -159,8 +159,8 @@ namespace pesieve {
bool is64bit;
bool isCoverageComplete;

std::map<ULONGLONG, const peconv::ExportedFunc*> functions; //TODO: this will be deleted or refactored
std::map<ULONGLONG, ULONGLONG> addrToFunctionVA; //TODO: this will be deleted or refactored
std::map<ULONGLONG, const peconv::ExportedFunc*> functions;
std::map<ULONGLONG, ULONGLONG> addrToFunctionVA;

friend class ImpReconstructor;
};
8 changes: 6 additions & 2 deletions postprocessors/imp_rec/imp_reconstructor.cpp
Expand Up @@ -35,16 +35,20 @@ BYTE* pesieve::ImportTableBuffer::getDllSpaceAt(const DWORD rva, size_t required

//---

bool pesieve::ImpReconstructor::hasNewImportTables()
bool pesieve::ImpReconstructor::hasNewImportTables() const
{
bool has_new_table = false;
std::map<DWORD, IATBlock*>::const_iterator iats_itr;
for (iats_itr = foundIATs.cbegin(); iats_itr != foundIATs.cend(); ++iats_itr) {
const IATBlock* iblock = iats_itr->second;
if (iblock->isTerminated && !iblock->isMain) {
if (!iblock->isMain
&& iblock->isTerminated
&& iblock->countThunks() > 1)
{
has_new_table = true;
break;
}

}
return has_new_table;
}
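Review bot: The new `iblock->countThunks() > 1` condition in `hasNewImportTables()` hard-codes its threshold and does not say why a terminated, non-main block with a single thunk no longer counts. As written, the function returns false when the only secondary blocks found hold one resolved function each, so the trade-off against the false positives behind Issue #89 should be recorded next to the check, e.g. `// a lone terminated thunk is too weak a signal to be treated as an IAT (Issue #89)`, ideally with the limit as a named constant. The declaration comment in imp_reconstructor.h ("has more IATs that the main one") does not mention the thunk threshold either and would benefit from the same sentence. The blank line added before the loop's closing brace looks unintentional.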
2 changes: 1 addition & 1 deletion postprocessors/imp_rec/imp_reconstructor.h
Expand Up @@ -193,7 +193,7 @@ namespace pesieve {
IATBlock* findIAT(IN const peconv::ExportsMapper* exportsMap, size_t start_offset);

//! has more IATs that the main one (dynamically loaded)
bool hasNewImportTables();
bool hasNewImportTables() const;

bool findImportTable(IN const peconv::ExportsMapper* exportsMap);
size_t collectIATs(IN const peconv::ExportsMapper* exportsMap);