Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't add import section #46

Open
ohjeongwook opened this issue Aug 19, 2020 · 2 comments
Open

Don't add import section #46

ohjeongwook opened this issue Aug 19, 2020 · 2 comments
Labels
low-priority
Milestone
2020-11-29

Comments

@ohjeongwook
Copy link
Owner

No description provided.

@ohjeongwook
Copy link
Owner Author

ohjeongwook commented Oct 1, 2020
edited
Loading

srv2\binaries\10.0.00010240.00016384

  • Name: __imp_SrvNetGetServerNameFlags
enum {
    CALL,       // 0: 
    CREF_FROM,  // 1:
    CREF_TO,    // 2: no
    DREF_FROM,  // 3: 
    DREF_TO,    // 4:
    CALLED      // 5: no
};
  • ControlFlows: "4" (DREF_TO) "244344" "337286"
    1C003BA78 -> 1C0052586
.idata:00000001C003BA78                 extrn __imp_SrvNetGetServerNameFlags:qword

00000001C0052586 FF 15 EC 94 FE FF       call    cs:__imp_SrvNetGetServerNameFlags
  • ControlFlows: "0" (CALL) "337240" "244344"
    1C0052558 -> 1C003BA78
00000001C0052558 41 0F B7 06             movzx   eax, word ptr [r14]
...
00000001C0052586 FF 15 EC 94 FE FF       call    cs:__imp_SrvNetGetServerNameFlags

  • ControlFlows: "3" (DREF_FROM) "337286" "244344"

    1C0052586 -> 1C003BA78

00000001C0052586 FF 15 EC 94 FE FF       call    cs:__imp_SrvNetGetServerNameFlags

@ohjeongwook
Copy link
Owner Author

ohjeongwook commented Oct 1, 2020
edited
Loading

I found some issues introduced during refactoring of IDAAnalyzer::AnalyzeBlock with wrong basic block address.

5a27b8b

Except that, I think import section data can be beneficial in overall matching work. It has 0 length instruction hash, so it will not interfere with instruction hash match. It hash CALL/DREF_TO/DREF_FROM control flows and it might help in control flow match. We might want to exclude import function from showing in UI.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
low-priority
Projects
None yet
Milestone
2020-11-29
Development

No branches or pull requests
1 participant
@ohjeongwook