Misinterpretation of PE export address table entries
From: Pavel Kankovsky
Subject: Misinterpretation of PE export address table entries
Date: Mon, 25 Jul 2005 10:39:12 +0200 (CEST)

Hello!

I found objdump -x from binutils 2.16.1 produces silly results on
msvbvm60.dll [1]. It marks most export address table entries as
"Forwarder RVA" and adds some binary junk (instead of meaningful
symbol names; in fact those "names" looked like machine code at
first glance).

As far as I can tell, there are no forwarder RVAs in that file
(regardless of the way RVAs are interpreted the file contains no strings
forwarders could point at).

It appears BFD is confused by export tables being located in the middle
of .text (don't ask me why MS likes to put exports into random sections of
executable files... .text here, .rdata there...):

ImageBase 73420000
Sections:
Idx Name Size VMA LMA File off Algn
0 .text 000fdcc4 73421000 73421000 00001000 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
The Data Directory
Entry 0 00049bc0 0000511e Export Directory [.edata (or where ever we found it)]
There is an export table in .text at 0x73469bc0

(BTW: import tables of that DLL are in .text as well.)

pe_print_edata() thinks the RVA is a forwarder when it points between the
start of export tables (from the data dictionary) and the end of the
*whole section* containing the tables. This is wrong. It should use the
length in the data directory to determine the end of the area occupied by
export tables.

See the attached patch.

[1] msvbvm60.dll, size 1392671, date 2004-11-03,
sha1 a4241fd4850a6e2fa36ef788a34283a23b85fbbb
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
peXXigen2.diff
Description: Text document
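
Added example (not part of the original message, and neither the attached patch nor binutils code): the two forwarder bounds checks the message describes, applied to the layout values from the quoted objdump output. The struct, the function names and the sample export address table entries are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout values from the objdump output quoted in the message (as RVAs). */
struct pe_layout {
    uint32_t sect_rva, sect_size;   /* section holding the export tables */
    uint32_t edata_rva, edata_size; /* Export Directory, data directory entry 0 */
};
static const struct pe_layout msvbvm60 = {
    0x73421000u - 0x73420000u, 0x000fdcc4u, 0x00049bc0u, 0x0000511eu
};

/* Check described as wrong: upper bound is the end of the whole section. */
bool fwd_by_section(const struct pe_layout *l, uint32_t rva) {
    return rva >= l->edata_rva && rva - l->sect_rva < l->sect_size;
}

/* Check the message asks for: upper bound is the directory's own length.
   Subtracting before comparing avoids overflow in edata_rva + edata_size. */
bool fwd_by_directory(const struct pe_layout *l, uint32_t rva) {
    return rva >= l->edata_rva && rva - l->edata_rva < l->edata_size;
}

typedef bool (*fwd_check)(const struct pe_layout *, uint32_t);

/* Count how many export address table entries a check labels as forwarders. */
size_t count_forwarders(const struct pe_layout *l, fwd_check f,
                        const uint32_t *eat, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += f(l, eat[i]);
    return hits;
}

/* Constructed export address table entries (not read from the DLL). */
static const uint32_t sample_eat[] = {
    0x00002000u, /* code before the export tables */
    0x0004a000u, /* inside the export directory, where a forwarder string would sit */
    0x0004ecdeu, /* first byte past the directory: 0x49bc0 + 0x511e */
    0x00050000u, /* code after the export tables, same section */
    0x000fecc3u, /* last byte of .text */
};

int main(void) {
    size_t n = sizeof sample_eat / sizeof sample_eat[0];
    printf("section bound:   %zu\n", count_forwarders(&msvbvm60, fwd_by_section, sample_eat, n));
    printf("directory bound: %zu\n", count_forwarders(&msvbvm60, fwd_by_directory, sample_eat, n));
    return 0;
}
```

With the section-wide bound, every code address that follows the export tables in .text is reported as a forwarder; with the directory-length bound only the entry inside the export directory is.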