pinkflawd
- [ ] Plenty of functions are detected, but not disassembled correctly; they end too early or show invalid instructions in the end. Some examples are the functions: - [...
For splwow64.exe, after analyzing with jmptable and hasnext parameters set to true: Functions at the beginning of the code are not detected. Code starts at 0x140003b00, function detection picks up...
When analyzing twain_32.dll with the config anal.hasnext = true, a lot more legitimate functions are detected than without; however also a jumptable is analyzed as a function. See below, 0x66204a6d...
todo: beautiful database handling
for now the tool just works for win7 vs. win8; can be easily modified
hexrays plugin produces different function signatures for win7/8, parsing needs to view func.arguments transparently
the parsing is eating up too much memory when parsing lots of files in a dir. don't know why, mb do some 'garbage collection' every once in a while