
enable parsing from loaded image

Open shuffle2 opened this issue 2 years ago • 2 comments

Most image formats handled by goblin are stored on disk in a different layout than they'd actually appear in memory if mapped for execution.

At least for PE, pointing goblin at an image that has been loaded into memory results in it erroring out (during processing imports, but I didn't look closer). It would be nice if it Just Worked.

Btw, looking at the ImageBase field in the header and comparing to the address of the base of the PE is a reliable way to detect if you're parsing an on-disk image or one which has been loaded.

shuffle2 Jun 02 '22 06:06

I believe we have the infra necessary to do this; it's the PE config you pass to the parser to e.g. resolve RVAs, I believe. It would be neat to perhaps use the heuristic you suggested to enter into an in-memory parsing mode (by setting the flag perhaps?)

Would you be interested in investigating the issue?

m4b Jun 03 '22 02:06

My use case was pretty small so I just rewrote my code (which needed to follow some pointers in the PE) to do the VA translations using the PE headers. It's slower than reading from a mapped image, but it's OK for me for now...so I'm not planning on investing time into this.

shuffle2 Jun 09 '22 06:06
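
The VA translation through the PE headers described in the last comment, together with the ImageBase heuristic from the first, as an added example that is not code from the thread's participants or from goblin. The struct and function names are hypothetical and the section table is constructed sample data.

```rust
/// Section-header fields needed for translation (illustrative, not goblin's types).
pub struct Section {
    pub virtual_address: u64,     // RVA where the section is mapped
    pub virtual_size: u64,        // size once mapped
    pub pointer_to_raw_data: u64, // file offset of the section's bytes
    pub size_of_raw_data: u64,    // bytes actually stored in the file
}
/// Optional-header fields plus the section table.
pub struct Image {
    pub image_base: u64,      // ImageBase
    pub size_of_headers: u64, // SizeOfHeaders
    pub size_of_image: u64,   // SizeOfImage
    pub sections: Vec<Section>,
}
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Layout { OnDisk, Mapped }

/// Heuristic from the issue: ImageBase equal to the address the buffer
/// sits at means a loaded image; otherwise treat it as an on-disk file.
pub fn detect_layout(image_base: u64, buffer_addr: u64) -> Layout {
    if image_base == buffer_addr { Layout::Mapped } else { Layout::OnDisk }
}

/// Translate a VA into an index into the buffer being parsed.
/// None: outside the image, or in a region with no bytes in the file.
pub fn va_to_offset(img: &Image, va: u64, layout: Layout) -> Option<u64> {
    let rva = va.checked_sub(img.image_base)?;
    if rva >= img.size_of_image { return None; }
    if layout == Layout::Mapped || rva < img.size_of_headers {
        return Some(rva); // mapped images and headers are indexed by RVA
    }
    let s = img.sections.iter()
        .find(|s| rva >= s.virtual_address && rva - s.virtual_address < s.virtual_size)?;
    let delta = rva - s.virtual_address;
    // Past size_of_raw_data the section is zero-fill: no bytes in the file.
    if delta >= s.size_of_raw_data { return None; }
    s.pointer_to_raw_data.checked_add(delta)
}

/// Constructed sample: a .text-like section and a .data-like one with a zero-fill tail.
pub fn sample_image() -> Image {
    Image { image_base: 0x1_4000_0000, size_of_headers: 0x400, size_of_image: 0x4000, sections: vec![
        Section { virtual_address: 0x1000, virtual_size: 0x1800, pointer_to_raw_data: 0x400, size_of_raw_data: 0x1800 },
        Section { virtual_address: 0x3000, virtual_size: 0x1000, pointer_to_raw_data: 0x1c00, size_of_raw_data: 0x200 },
    ] }
}

fn main() {
    println!("{:?}", va_to_offset(&sample_image(), 0x1_4000_1010, Layout::OnDisk));
}
```

The zero-fill case is the one that differs most between the two layouts: the same VA resolves in a mapped buffer but has no backing bytes in the file.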