Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Import reconstruction misses some entries #131

Open
hasherezade opened this issue Feb 1, 2025 · 1 comment
Open

Import reconstruction misses some entries #131

hasherezade opened this issue Feb 1, 2025 · 1 comment
Assignees
@hasherezade
Labels
bug

Comments

@hasherezade
Copy link
Owner

hasherezade commented Feb 1, 2025
edited
Loading

Sample

win10.zip

Issue

Two imports are missing from the reconstructed import table:

Image

However, they have been correctly recognized, because they are present in the report:

1dee14,76375d30,user32.CallWindowProcW #1538
1dee18,7637bca0,user32.CallNextHookEx #1536
1dee1c,76381a60,user32.BeginPaint #1522
1dee20,7636e110,user32.AdjustWindowRectEx #1509  <== missing
1dee24,76381680,user32.ActivateKeyboardLayout #1505 <== missing
1dee2c,76164800,gdi32.UnrealizeObject #1954

Import reconstruction option: /imp A.
Complete imports listing:

400000.win10.exe.imports.txt

Complete dumped material:

process_2480.zip

The dump has been made with the executable being paused at OEP, RVA = 0x1D14B0.
@hasherezade hasherezade added the bug label Feb 1, 2025
@hasherezade hasherezade self-assigned this Feb 1, 2025
hasherezade added a commit that referenced this issue Feb 2, 2025
@hasherezade
[BUGFIX] Fixed reconstructing IAT when some of the functions repeat (…
a914597 
…Issue #131)
@hasherezade
Copy link
Owner Author

After the patch applied, the missing entries are filled in:

Image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hasherezade hasherezade

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@hasherezade