Added function for handling manually mapped binaries #6
T00fy wants to merge 2 commits into ergrelet:master from
ergrelet
left a comment
Hi, thanks for the MR! 😊
LGTM overall, but the initAsDll call in ScyllaIatFixManualW seems unwarranted.
Hi, @T00fy @ergrelet, adding this function would be great! Sometimes the unpacked binary is injected into a custom section in the original PE, or VirtualAlloc is just used to create a new area and inject it. Being able to specify our custom base image and extract it would be fine; maybe this function is the last puzzle of Scylla (I guess).
| return SCY_ERROR_PROCOPEN; | ||
| } | ||
|
|
||
| ProcessAccessHelp::getProcessModules(ProcessAccessHelp::hProcess, ProcessAccessHelp::ownModuleList); |
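Review bot: the result of the getProcessModules call on the last line of this hunk is discarded, while the branch just above it returns SCY_ERROR_PROCOPEN on failure. If getProcessModules reports failure through its return value, check it here and return an error code too, so the manual IAT fix does not carry on with an empty or stale ownModuleList. A one-line comment saying why ownModuleList is the list being filled at this point would also help the next reader.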
Turns out tomorrow was 3 months later ;)
@ergrelet This was the problem line! I had mistakenly used moduleList instead of ownModuleList.
initAsDll() was basically a workaround hack as it called getProcessModules on ownModuleList. I've tidied that up now.
Maybe this might be useful for the project. Currently there's no way to dump/fix the IAT like you can with the GUI in the case that the binary you are dumping is manually mapped and requires a manually specified image address. This adds a few functions to support that.