BN: parse forwarded exports #1646

Closed
williballenthin opened this issue Jul 18, 2023 · 8 comments · Fixed by #2017
Labels
binary-ninja enhancement New feature or request

Comments

@williballenthin
Collaborator

williballenthin commented Jul 18, 2023

implement support for forwarded export features #1624 for Binary Ninja.

fyi @xusheng6

@williballenthin
Collaborator Author

the Binary Ninja UI doesn't show symbols for the forwarded exports in ea2876e9175410b6f6719f80ee44b9553960758c7d0f7bed73c0fe9a78d8e669, so i'm not sure if this will be easy/feasible without manually parsing the input file/export table.

@xusheng6
Contributor

Some relevant info on export forwarding: https://devblogs.microsoft.com/oldnewthing/20121116-00/?p=6073

@xusheng6
Contributor

Honestly, this is the first time I have heard about DLL export forwarding. I will see if BN's PE parser actually supports this (unlikely), and what would be the best way to handle it.

@xusheng6
Contributor


@williballenthin If you go to the Triage view, and view the Exports, you can see the exports are marked with __forwarder_name. This means BN parses the info correctly.

@williballenthin
Collaborator Author

ah great, i'll study the API a bit further with this background and propose an implementation. thanks @xusheng6

@williballenthin
Collaborator Author

sidebar: forwarded exports are not really something that probably has much use for a code inspection tool like BN, but it's nice that the parser does handle them already.

@xusheng6
Contributor

xusheng6 commented Jul 25, 2023

> ah great, i'll study the API a bit further with this background and propose an implementation. thanks @xusheng6

Thanks for looking into that. The code that adds the symbol is here: https://github.com/Vector35/view-pe/blob/0efedb740ff54e610f33091f43407a20a03bdafc/peview.cpp#L2124. Looks like you can add some code when export functions are processed and scan for such names

@xusheng6
Contributor

@williballenthin and this can be closed as well :)

@xusheng6 xusheng6 mentioned this issue Feb 29, 2024
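
The manual export-table parsing mentioned in the thread, as an added example that is not part of the original issue and is not capa or Binary Ninja code: an export is forwarded when its function RVA points back inside the export directory, where it names a `DLL.Symbol` string instead of code. The function names, the memory-layout assumption (RVA equals offset) and the sample data are constructed for illustration; only named exports are covered.

```python
import struct

EXPORT_DIR = struct.Struct("<IIHHIIIIIII")  # IMAGE_EXPORT_DIRECTORY, 40 bytes


def cstr(image: bytes, rva: int) -> str:
    """Read a NUL-terminated ASCII string at an RVA."""
    end = image.index(b"\x00", rva)
    return image[rva:end].decode("ascii")


def forwarded_exports(image: bytes, dir_rva: int, dir_size: int) -> dict:
    """Map export name -> forwarder string ("DLL.Symbol") for forwarded exports.

    Assumes `image` is laid out as in memory, so an RVA is a direct offset.
    """
    (_, _, _, _, _, _base, n_funcs, n_names,
     funcs_rva, names_rva, ords_rva) = EXPORT_DIR.unpack_from(image, dir_rva)
    forwarded = {}
    for i in range(n_names):
        (name_rva,) = struct.unpack_from("<I", image, names_rva + 4 * i)
        (index,) = struct.unpack_from("<H", image, ords_rva + 2 * i)
        if index >= n_funcs:
            continue  # malformed ordinal index; skip rather than read out of bounds
        (func_rva,) = struct.unpack_from("<I", image, funcs_rva + 4 * index)
        # An export RVA inside the export directory itself is not code:
        # it points at a forwarder string.
        if dir_rva <= func_rva < dir_rva + dir_size:
            forwarded[cstr(image, name_rva)] = cstr(image, func_rva)
    return forwarded


def build_sample() -> tuple:
    """Constructed export directory: one normal export, one forwarded."""
    dir_rva = 0x100
    funcs, names, ords = dir_rva + 40, dir_rva + 48, dir_rva + 56
    strings = dir_rva + 60
    blob = b"sample.dll\x00Local\x00Remote\x00OTHER.Target\x00"
    s = {n: strings + blob.index(n) for n in (b"Local", b"Remote", b"OTHER.Target")}
    body = EXPORT_DIR.pack(0, 0, 0, 0, strings, 1, 2, 2, funcs, names, ords)
    body += struct.pack("<II", 0x2000, s[b"OTHER.Target"])   # function RVAs
    body += struct.pack("<II", s[b"Local"], s[b"Remote"])     # name RVAs
    body += struct.pack("<HH", 0, 1) + blob                   # ordinals, strings
    return bytes(dir_rva) + body, dir_rva, len(body)


if __name__ == "__main__":
    print(forwarded_exports(*build_sample()))
```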