[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Misinterpretation of PE export address table entries

From: Pavel Kankovsky
Subject: Misinterpretation of PE export address table entries
Date: Mon, 25 Jul 2005 10:39:12 +0200 (CEST)


I found objdump -x from binutils 2.16.1 produces silly results on 
msvbvm60.dll [1]. It marks most export address table entries as 
"Forwarder RVA" and adds some binary junk (instead of meaningful
symbol names; in fact those "names" looked like machine code at the 
first glance).

As far as I can tell, there are no forwarder RVAs in that file
(regardless of the way RVAs are interpreted the file contains no strings 
forwarders could point at).

It appears BFD is confused export tables being are located in the middle
of .text (don't ask me why MS likes to put exports into random sections of
executable files... .text here, .rdata there...):

ImageBase               73420000

Idx Name          Size      VMA       LMA       File off  Algn
  0 .text         000fdcc4  73421000  73421000  00001000  2**2

The Data Directory
Entry 0 00049bc0 0000511e Export Directory [.edata (or where ever we found it)]

There is an export table in .text at 0x73469bc0

(BTW: import tables of that DLL are in .text as well.)

pe_print_edata() thinks the RVA is a forwarder when it points between the 
start of export tables (from the data dictionary) and the end of the 
*whole section* containing the tables. This is wrong. It should use the 
length in the data directory to determine the end of area occupied by 
export tables.

See the attached patch.

[1] msvbvm60.dll, size 1392671, date 2004-11-03,
    sha1 a4241fd4850a6e2fa36ef788a34283a23b85fbbb

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

Attachment: peXXigen2.diff
Description: Text document

reply via email to

[Prev in Thread] Current Thread [Next in Thread]