pe: runtime functions: fix addresses

williballenthin · Sep 8, 2020 · 7a97939 · 7a97939
1 parent bb43af7
commit 7a97939
Show file tree

Hide file tree

Showing 6 changed files with 11 additions and 9 deletions.
diff --git a/bin/Cargo.toml b/bin/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "lancelot-bin"
-version = "0.4.1"
+version = "0.4.2"
 description = "binary analysis tools for x32/x64 PE files"
 authors = ["William Ballenthin <[email protected]>"]
 license = "Apache-2.0"
@@ -22,6 +22,6 @@ goblin = "0.2"
 zydis = "3"
 hex = "0.4"
 
-lancelot = { path = "../core", version = "0.4.1" }
+lancelot = { path = "../core", version = "0.4.2" }
 
 
diff --git a/core/Cargo.toml b/core/Cargo.toml
@@ -2,7 +2,7 @@
 name = "lancelot"
 description = "binary analysis framework for x32/x64 PE files"
 license = "Apache-2.0"
-version = "0.4.1"
+version = "0.4.2"
 authors = ["Willi Ballenthin <[email protected]>"]
 edition = "2018"
 
@@ -25,7 +25,7 @@ smallvec = "1"
 widestring = "0.4"
 smol_str = "0.1"
 
-lancelot-flirt = { path = "../flirt", version = "0.4.1" }
+lancelot-flirt = { path = "../flirt", version = "0.4.2" }
 
 [features]
 # The reason we do this is because doctests don't get cfg(test)

diff --git a/core/src/analysis/pe/runtime_functions.rs b/core/src/analysis/pe/runtime_functions.rs
@@ -176,7 +176,7 @@ pub fn find_pe_runtime_functions(pe: &PE) -> Result<Vec<VA>> {
                     return Err(RuntimeFunctionError::InvalidRuntimeFunction.into());
                 }
 
-                let function = pe.module.address_space.base_address + runtime_function.function_start;
+                let function = runtime_function.function_start;
 
                 debug!("pdata: found RUNTIME_FUNCTION: {:#x}", function);
                 ret.push(function);
@@ -204,6 +204,8 @@ mod tests {
         let fns = crate::analysis::pe::runtime_functions::find_pe_runtime_functions(&pe)?;
         assert_eq!(1800, fns.len());
 
+        assert_eq!(fns[0], 0x180001010);
+
         Ok(())
     }
 

diff --git a/flirt/Cargo.toml b/flirt/Cargo.toml
@@ -2,7 +2,7 @@
 name = "lancelot-flirt"
 description = "parse and match FLIRT signatures"
 license = "Apache-2.0"
-version = "0.4.1"
+version = "0.4.2"
 authors = ["Willi Ballenthin <[email protected]>"]
 edition = "2018"
 

diff --git a/pylancelot/Cargo.toml b/pylancelot/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "pylancelot"
-version = "0.4.1"
+version = "0.4.2"
 authors = ["Willi Ballenthin <[email protected]>"]
 edition = "2018"
 
@@ -9,7 +9,7 @@ name = "lancelot"
 crate-type = ["cdylib"]
 
 [dependencies]
-lancelot = { path = "../core", version = "0.4.1" }
+lancelot = { path = "../core", version = "0.4.2" }
 pyo3 = { version = "0.11"}
 anyhow = "1"
 zydis = "3"

diff --git a/pylancelot/tests/test_pylancelot.py b/pylancelot/tests/test_pylancelot.py
@@ -43,7 +43,7 @@ def test_functions(k32):
 
     # IDA identifies 2326
     # lancelot identifies around 2200
-    assert len(functions) > 2000
+    assert len(functions) > 1500
 
     # this is _security_check_cookie
     assert 0x180020250 in functions