
Fixed the bug where the program crashed due to the presence of "?.DLL" after import reconstruction #91

Open
wants to merge 1 commit into base: capemon

Conversation

shuiyc
Contributor

@shuiyc shuiyc commented Feb 28, 2025

Although I don't know why "?.DLL" appeared — it shouldn't have been in the IAT in the first place. So, when I commented out addNotFoundApiToModuleList, the "?.DLL" no longer appeared, and the program ran normally. I think if an API is not found, it should not be added to the modulelist. This approach would prevent invalid entries like "?.DLL" from causing crashes in the repaired program. #90
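As an added sanity check (my own code, not part of capemon or Scylla), the following Python walks the IMAGE_IMPORT_DESCRIPTOR array of a reconstructed image and reports module names that cannot be real DLLs, such as the "?.DLL" entry described above, so a bad reconstruction is caught before the dumped binary is run. It assumes a constructed flat buffer in which RVA equals file offset; a real PE needs section-based RVA translation first.

```python
import struct

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name (RVA), FirstThunk
IMPORT_DESCRIPTOR = struct.Struct("<IIIII")


def read_cstring(buf, off):
    """Read a NUL-terminated ASCII string starting at offset `off`."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("ascii", errors="replace")


def is_valid_dll_name(name):
    """Plausible module name: non-empty stem, .dll extension, no characters a Windows file name cannot contain."""
    stem, dot, ext = name.rpartition(".")
    if not dot or ext.lower() != "dll" or not stem:
        return False
    return all(c.isalnum() or c in "._-" for c in stem)


def check_import_descriptors(buf, import_dir_off):
    """Walk the descriptor array until the all-zero terminator; return (valid_names, suspicious_names)."""
    valid, suspicious = [], []
    off = import_dir_off
    while True:
        _oft, _ts, _fwd, name_rva, first_thunk = IMPORT_DESCRIPTOR.unpack_from(buf, off)
        if name_rva == 0 and first_thunk == 0:  # null descriptor ends the table
            break
        name = read_cstring(buf, name_rva)  # assumption: RVA == offset in this flat buffer
        (valid if is_valid_dll_name(name) else suspicious).append(name)
        off += IMPORT_DESCRIPTOR.size
    return valid, suspicious


def build_sample(dll_names):
    """Constructed test image: descriptor array at offset 0, name strings packed after the terminator."""
    table_size = IMPORT_DESCRIPTOR.size * (len(dll_names) + 1)
    names, descs = b"", []
    for n in dll_names:
        descs.append(IMPORT_DESCRIPTOR.pack(0, 0, 0, table_size + len(names), 0x1000))
        names += n.encode("ascii") + b"\x00"
    descs.append(bytes(IMPORT_DESCRIPTOR.size))  # terminator
    return b"".join(descs) + names


# Constructed sample reproducing the symptom: two real modules plus the placeholder "?.DLL".
SAMPLE = build_sample(["KERNEL32.dll", "USER32.dll", "?.DLL"])

if __name__ == "__main__":
    ok, bad = check_import_descriptors(SAMPLE, 0)
    print("valid modules:", ok)
    print("suspicious modules (reconstruction should not emit these):", bad)
```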

@kevoreilly
Owner

Hi shuiyc! Thanks a lot for looking into this. It's a strange problem - I was planning to reply to your issue to say that it is not always a problem - at least in my testing I have not seen any APIs not found. But I haven't really tested very many examples!

So I am of course willing to consider making this change to just remove the call to addNotFoundApiToModuleList. I do think it's worth being careful and asking the question: where did this unfound API originate from? It seems that since there is even a dedicated function in Scylla called addNotFoundApiToModuleList it must serve a purpose.

So before I think we should proceed to just comment out this call, we should first answer these two questions:

  • what is the reason for the presence of unfound APIs in only some samples?
  • what is the purpose for the addNotFoundApiToModuleList function and would this be needlessly undermined by these changes when the root of the problem might exist elsewhere?

If you can share the example you are testing with that would be really helpful. If you also have the original sample prior to packing with UPX that would be even more helpful!

@shuiyc
Contributor Author

shuiyc commented Feb 28, 2025

Sure! I would like to share my sample. I compiled sample.c using Visual Studio to generate a 32-bit sample.exe. They and the UPX-packed sample-upx32packed.exe are all in sample.zip.

@kevoreilly
Owner

It's getting late for me now but already in "IAT parsing finished, found 41 valid APIs, missed 1 APIs" we can see a problem as the original exe only imports 41 functions! I suspect there is an off-by-one bug in there somewhere, and I will find it! It just might have to wait until after the weekend!

Thank you 🙏
