fix: issue while parsing PE exports

If OriginalFirstThunk is non-null, but the RVA can't be translated to a file offset, try using the FirstThunk instead.
VirusTotal · Mar 21, 2024 · 6922819 · 6922819
1 parent 2e0acfd
commit 6922819
Show file tree

Hide file tree

Showing 3 changed files with 1,079 additions and 6 deletions.
diff --git a/lib/src/modules/pe/parser.rs b/lib/src/modules/pe/parser.rs
@@ -1629,14 +1629,15 @@ impl<'a> PE<'a> {
                 };
 
             // Use the INT (a.k.a: OriginalFirstThunk) if it is non-zero, but
-            // fallback to using the IAT (a.k.a: FirstThunk) if the RVA to the
-            // INT is zero. That's an uncommon case, but it may happen.
-            // TODO: find a sample file where this happens.
-            let thunks = match if descriptor.import_name_table > 0 {
+            // fallback to using the IAT (a.k.a: FirstThunk).
+            let thunks = if descriptor.import_name_table > 0 {
                 self.data_at_rva(descriptor.import_name_table)
             } else {
-                self.data_at_rva(descriptor.import_address_table)
-            } {
+                None
+            }
+            .or_else(|| self.data_at_rva(descriptor.import_address_table));
+
+            let thunks = match thunks {
                 Some(thunk) => thunk,
                 None => continue,
             };

diff --git a/...pe/tests/testdata/e0952ec0ed536a3cb56999071cca842b9a75e9a7c78560435dfdd1971d8ba283.in.zip b/...pe/tests/testdata/e0952ec0ed536a3cb56999071cca842b9a75e9a7c78560435dfdd1971d8ba283.in.zip