PE: handle empty import address table #371
Comments
If you understand the issue and might be willing to fix, a PR would be appreciated :)
@williballenthin Hi there, I'm addressing this issue in #430. Since I do not have access to VT memberships, if you do not mind, would you mind sharing the sample? It looks like malware which I am capable of handling, and at the time I assume the import entries in question are added intentionally by something other than generic linkers, since OFTs from the last valid FT entry My assumption could be probed by looking at the real use of those entries ( Please do not hesitate to point out if I am wrong. Please correct me :). Thanks!

TODO: CRT never generates only 5 entries in the IAT, and only the OFTs being valid is weird at all, so I am pretty sure it is PE packers' work, where it purposely puts IAT stubs around the first imports and lets the Windows loader load the dependencies at mapping time so the image will be guaranteed to be loaded when the code executes, and it can do like For similar cases, VMProtect does something similar: it leaves only one import entry for each DLL to keep the original behaviour as much as it can for compatibility. I guess similar but more "bad" PE packers do it like idiot malware developers do.
This PE file has a valid import lookup table but the pointer to the import address table is 0x0:
goblin currently supports handling empty import lookup tables but not empty import address tables:
goblin/src/pe/import.rs, lines 189 to 191 in 9f7fb6b
Could we extend goblin to handle the above case (parse synthetic entries from the import lookup table when the import address table is 0x0)?
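As an added example (not goblin's code and not the fix from #430), the function below parses one PE32 import descriptor's thunks and handles both directions of the fallback: an empty ILT falls back to the IAT (what goblin already does), and an empty IAT (this issue) yields synthetic entries from the ILT with no IAT slot RVA. It assumes a flat image buffer where RVA == file offset, and `sample_image` is a constructed input, not the reported file.

```rust
const IMAGE_ORDINAL_FLAG32: u32 = 0x8000_0000;

#[derive(Debug, PartialEq)]
pub enum Thunk { Ordinal(u16), Name { hint: u16, name: String } }

/// `iat_rva` is the IAT slot the loader patches; None when FirstThunk is 0 and the
/// entry had to be synthesized from the ILT alone (this issue's case).
#[derive(Debug, PartialEq)]
pub struct Import { pub thunk: Thunk, pub iat_rva: Option<u32> }

fn bytes(image: &[u8], off: usize, n: usize) -> Result<&[u8], String> {
    image.get(off..off + n).ok_or_else(|| format!("{} bytes at {:#x} out of bounds", n, off))
}

/// Parse one PE32 import descriptor. `oft` = OriginalFirstThunk (ILT RVA),
/// `ft` = FirstThunk (IAT RVA). Assumption: `image` is flat, RVA == offset.
pub fn parse_imports(image: &[u8], oft: u32, ft: u32) -> Result<Vec<Import>, String> {
    // Read names from the ILT; use the IAT only when the ILT RVA is 0 (already handled by goblin).
    let table = match (oft, ft) {
        (0, 0) => return Err("descriptor has neither ILT nor IAT".to_string()),
        (0, ft) => ft,
        (oft, _) => oft,
    };
    let mut out = Vec::new();
    for i in 0usize.. {
        let e = bytes(image, table as usize + i * 4, 4)?;
        let entry = u32::from_le_bytes([e[0], e[1], e[2], e[3]]);
        if entry == 0 { break; } // a zero thunk terminates the table
        let thunk = if entry & IMAGE_ORDINAL_FLAG32 != 0 {
            Thunk::Ordinal((entry & 0xffff) as u16)
        } else {
            // entry is the RVA of an IMAGE_IMPORT_BY_NAME: u16 hint, then a NUL-terminated name
            let h = bytes(image, entry as usize, 2)?;
            let rest = image.get(entry as usize + 2..).ok_or("name out of bounds")?;
            let len = rest.iter().position(|&b| b == 0).ok_or("unterminated import name")?;
            let name = String::from_utf8_lossy(&rest[..len]).into_owned();
            Thunk::Name { hint: u16::from_le_bytes([h[0], h[1]]), name }
        };
        // With FirstThunk == 0 there is no IAT slot to report for this entry.
        let iat_rva = if ft != 0 { Some(ft + i as u32 * 4) } else { None };
        out.push(Import { thunk, iat_rva });
    }
    Ok(out)
}

/// Constructed sample: ILT at RVA 0x100 with a by-name entry ("GetProcAddress", hint 0x2a3)
/// and ordinal 17; the descriptor's FirstThunk is 0 as in the reported file.
pub fn sample_image() -> Vec<u8> {
    let mut img = vec![0u8; 0x300];
    img[0x100..0x104].copy_from_slice(&0x200u32.to_le_bytes());
    img[0x104..0x108].copy_from_slice(&(IMAGE_ORDINAL_FLAG32 | 17).to_le_bytes());
    img[0x200..0x202].copy_from_slice(&0x2a3u16.to_le_bytes());
    img[0x202..0x210].copy_from_slice(b"GetProcAddress"); // byte 0x210 stays 0: terminator
    img
}
```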