| author | Ana María Martínez Gómez <anamaria.martinezgom@FireEye.com> | 2020-08-19 12:02:36 +0200 |
|---|---|---|
| committer | Ana María Martínez Gómez <anamaria.martinezgom@FireEye.com> | 2020-08-19 14:09:23 +0200 |
| commit | f4d8e8b5aba18ef6fd1461f0d587841dfb5d672b (patch) | |
| tree | 6fd53478b89dafa43b99c5b5e3b1dece179dc02a /miasm/jitter/loader/pe.py | |
| parent | 49e1fbe364df5b378576a8213065cade2d687daf (diff) | |
Remove duplicated ordinals in get_export_name_addr_list
Remove duplicated ordinals in
`miasm.jitter.loader.pe.get_export_name_addr_list` and update
documentation to include ordinals.
Ordinal exports are added twice and consequently duplicated in the
output. For example, for `Lab17-02.dll` from
https://github.com/mikesiko/PracticalMalwareAnalysis-Labs:
```
[('InstallRT', 268490823), ('InstallSA', 268492481), ('InstallSB', 268494994),
('PSLIST', 268464165), ('ServiceMain', 268488496), ('StartEXS', 268467915),
('UninstallRT', 268497925), ('UninstallSA', 268495365),
('UninstallSB', 268497208), (1, 268490823), (2, 268492481), (3, 268494994),
(4, 268464165), (5, 268488496), (6, 268467915), (7, 268497925), (8, 268495365),
(9, 268497208), (1, 268490823), (2, 268492481), (3, 268494994), (4, 268464165),
(5, 268488496), (6, 268467915), (7, 268497925), (8, 268495365), (9, 268497208)]
```
Diffstat (limited to 'miasm/jitter/loader/pe.py')
| -rw-r--r-- | miasm/jitter/loader/pe.py | 15 |
1 files changed, 5 insertions, 10 deletions
diff --git a/miasm/jitter/loader/pe.py b/miasm/jitter/loader/pe.py
index 723cb06b..28010b74 100644
--- a/miasm/jitter/loader/pe.py
+++ b/miasm/jitter/loader/pe.py
@@ -137,10 +137,12 @@ def is_redirected_export(pe_obj, addr):
 def get_export_name_addr_list(e):
- """Collect names and addresses of symbols exported by the given PE.
+ """Collect names/ordinals and addresses of symbols exported by the given PE.
 @e: PE instance
- Returns a list of tuples (symbol name string, virtual address).
-
+ Returns a list of tuples:
+ (symbol name string, virtual address)
+ (ordinal number, virtual address)
+
 Example:
 pe = miasm.analysis.binary.Container.from_string(buf)
@@ -159,13 +161,6 @@ def get_export_name_addr_list(e):
 out.append((f_name, e.rva2virt(addr.rva)))
 # add func ordinal
- for i, o in enumerate(e.DirExport.f_nameordinals):
- addr = e.DirExport.f_address[o.ordinal]
- # log.debug('%s %s %s' % (o.ordinal, e.DirExport.expdesc.base,
- # hex(e.rva2virt(addr.rva))))
- out.append(
- (o.ordinal + e.DirExport.expdesc.base, e.rva2virt(addr.rva)))
-
 for i, s in enumerate(e.DirExport.f_address):
 if not s.rva:
 continue
|
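Review bot: The new `Returns` text in the first hunk names the two tuple shapes but does not say that both live in one list, names first and ordinals after, so a caller has to tell them apart by the type of the first element (`str` versus `int`). The context lines of the second hunk show the remaining ordinal loop skipping entries with `if not s.rva: continue`, so the ordinals in the output can have gaps and the docstring should say so, for example `Name entries come first, followed by one (ordinal, address) entry per export whose RVA is non-zero.` The removed loop added `e.DirExport.expdesc.base` to the ordinal; presumably the kept loop does the same outside the hunk, and stating that the reported ordinal includes the export base would save analysts a lookup when matching against import-by-ordinal references in a sample. The body of get_export_name_addr_list starts and ends outside both hunks.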