Exetools  

Go Back   Exetools > General > Community Tools
Reload this Page PE Anatomist
Register Forum Rules FAQ Calendar

Notices

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #8  
Old 03-13-2022, 22:42
DavidXanatos DavidXanatos is offline
Family
  
Join Date: Jun 2018
Posts: 183
Rept. Given: 3
Rept. Rcvd 47 Times in 33 Posts
Thanks Given: 59
Thanks Rcvd at 363 Times in 120 Posts
DavidXanatos Reputation: 47
I think the loading of exports for arm 32 bit is not quite right:
for my win 11 test machine \SysArm32\ntdll.dll's LdrLoadDll has according tho the PEAnatomist the RVA or 0x2F9F1 and the image base is 0x4B280000, however when stepping through a arm32 project LdrLoadDll is in my instance at 0x7723F9F0 with base at 0x77210000 so the RVA seams to be 0x2F9F0, 1 less than what PEAnatomist shows, also checking with IDA it says the address of that function is 0x4B2AF9F0, that minus the base address gives also 0x2F9F0 as the correct RVA.
Now that Said the peview of process hacker makes the same mistake :/
its strange that the values in the file are all off by exactly 1, its teh same for all functions I checked.
Cheep fix add -1 to the RVA if its an arm image, but I woudl preffer to understand why its so ans have a proper fix.
Reply With Quote
The Following 4 Users Say Thank You to DavidXanatos For This Useful Post:
Abaddon (03-15-2022), binarylaw (03-13-2022), niculaita (03-13-2022), tonyweb (07-23-2022)
 

Tags
coff, ms pdb, pe32

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


All times are GMT +8. The time now is 20:47.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )