You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I've been trying to use goblin (through symbolic), but I noticed that there is a difference in the number of export symbols reported by goblin vs other tools (eg rabin2).
For instance, taking the binaries uploaded in attachment (from open source projects like VirtualBox), I notice the following differences in reported symbols:
The missing symbols in goblin look like "legit" symbols, e.g. xmlXPathNAN in libxml2.dll (right between xmlXPathNamespaceURIFunction and xmlXPathNewBoolean), and g_pszRTAssertExpr to g_u32RTAssertLine (right between g_aRTUniUpperRanges and NPAddConnection).
Looking for the root cause, I believe I identified it as being in the function section_read_size in src/pe/utils.rs.
It appears that the computed size is sometimes too small.
Reading from #101, the function was introduced in this PR so that goblin correctly loads quine.exe, so simply reverting is probably not an option.
By introducing the changes in #292, I am able to both find the same number of symbols as rabin2, and still load quine.exe.
However, I'm unsure of the change, since it deviates from the linked reference Stack Overflow post. The rationale for the change is that it makes sense to not take anything smaller than the virtual size, I guess?
EDIT: the changes of #293 appear to fix the problem without having to perform changes I'm unsure of on the computed size.
What do you think?
The text was updated successfully, but these errors were encountered:
Hello, and thank you for making goblin!
I've been trying to use goblin (through symbolic), but I noticed that there is a difference in the number of export symbols reported by goblin vs other tools (eg rabin2).
For instance, taking the binaries uploaded in attachment (from open source projects like VirtualBox), I notice the following differences in reported symbols:
binary | goblin | rabin2
libxml2.dll | 1596 | 1597
VBoxMRXNP.dll | 498 | 504
The missing symbols in goblin look like "legit" symbols, e.g.
xmlXPathNANinlibxml2.dll(right betweenxmlXPathNamespaceURIFunctionandxmlXPathNewBoolean), andg_pszRTAssertExprtog_u32RTAssertLine(right betweeng_aRTUniUpperRangesandNPAddConnection).Looking for the root cause, I believe I identified it as being in the function
section_read_sizeinsrc/pe/utils.rs.It appears that the computed size is sometimes too small.
Reading from #101, the function was introduced in this PR so that goblin correctly loads quine.exe, so simply reverting is probably not an option.
By introducing the changes in #292, I am able to both find the same number of symbols asrabin2, and still loadquine.exe.However, I'm unsure of the change, since it deviates from the linked reference Stack Overflow post. The rationale for the change is that it makes sense to not take anything smaller than the virtual size, I guess?EDIT: the changes of #293 appear to fix the problem without having to perform changes I'm unsure of on the computed size.
What do you think?
The text was updated successfully, but these errors were encountered: