[PATCH] COFFObjectFile imports fix for compressed binaries

Bandzi Michal via llvm-commits llvm-commits at lists.llvm.org
Thu Jul 7 02:29:44 PDT 2016


> Can you actually strip a lookup table safely? I thought that both tables
> are defined as parallel arrays, and both are mandatory if one is present.

Yes and no. It is mainly a problem of compressed/packed binaries: as the info
is redundant, it is easy to remove it and then restore it again before
actual loading. Later I even found binaries that were not compressed
and had the lookup table removed (tested over 10K binaries, over 10% have
the LUT removed).

Are those binaries valid? They are not; the PE specification is clear in
this case, but I think we should be able to read them anyway.

> On Thu, Jun 30, 2016 at 8:39 AM, Bandzi Michal via llvm-commits <
> llvm-commits at lists.llvm.org> wrote:
>
>> COFFObjectFile import iterators do not work for some compressed binaries.
>> Before loading, a binary contains two identical structures containing
>> imports: the Look-up Table and the Address Table. LLVM uses only the Look-up
>> Table, which is often stripped by packers due to its redundancy.
>>
>> The proposed solution in the patch (attachment) adds the Address Table as a
>> fall-back option to read imports in case the Look-up Table does not exist.
>>
>
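
The fallback discussed in this thread, as an added example that is not part of the original message, the attached patch, or LLVM's code (Python here rather than LLVM's C++). It assumes PE32 (32-bit thunks) and a constructed flat image where RVA equals file offset; `read_imports`, `cstr` and `build_sample` are hypothetical names.

```python
import struct

ORDINAL_FLAG32 = 0x80000000  # PE32: high bit set means import by ordinal

def cstr(img, off):
    """Read a NUL-terminated ASCII string at offset `off`."""
    return img[off:img.index(b"\0", off)].decode("ascii")

def read_imports(img, dir_rva):
    """Return {dll: [(symbol, table_used), ...]} from an import directory.
    Assumes a flat image where RVA == file offset (constructed sample only)."""
    result = {}
    off = dir_rva
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: ILT RVA, TimeDateStamp, ForwarderChain,
        # Name RVA, IAT RVA (five little-endian DWORDs).
        ilt, _ts, _fwd, name, iat = struct.unpack_from("<5I", img, off)
        if not (ilt or name or iat):          # all-zero descriptor ends the list
            break
        # Fall back to the Address Table when the Lookup Table is stripped.
        table, used = (ilt, "ILT") if ilt else (iat, "IAT")
        syms = []
        while table and table + 4 <= len(img):  # bounds check: untrusted input
            (entry,) = struct.unpack_from("<I", img, table)
            if entry == 0:                     # zero thunk ends the array
                break
            if entry & ORDINAL_FLAG32:
                syms.append((f"#{entry & 0xFFFF}", used))
            else:                              # RVA of hint (WORD) + name
                syms.append((cstr(img, entry + 2), used))
            table += 4
        result[cstr(img, name)] = syms
        off += 20                              # sizeof(descriptor)
    return result

def build_sample():
    """Constructed 0x200-byte image: a.dll has both tables, b.dll has no ILT."""
    img = bytearray(0x200)
    struct.pack_into("<5I", img, 0x00, 0x80, 0, 0, 0x100, 0x90)  # a.dll
    struct.pack_into("<5I", img, 0x14, 0x00, 0, 0, 0x108, 0xA0)  # b.dll, ILT=0
    for rva in (0x80, 0x90):                   # a.dll ILT and IAT are identical
        struct.pack_into("<2I", img, rva, 0x110, 0)               # -> "Foo"
    struct.pack_into("<3I", img, 0xA0, 0x118, ORDINAL_FLAG32 | 7, 0)
    img[0x100:0x106] = b"a.dll\0"
    img[0x108:0x10E] = b"b.dll\0"
    img[0x112:0x116] = b"Foo\0"                # name follows the 2-byte hint
    img[0x11A:0x11E] = b"Bar\0"
    return bytes(img)
```

The fallback is only meaningful for the on-disk file: once the loader has bound the image, Address Table slots hold resolved addresses rather than name RVAs or ordinals.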




