radare2
functions missed in splwow64.exe
For splwow64.exe, after analyzing with jmptable and hasnext parameters set to true:
Functions at the beginning of the code are not detected. Code starts at 0x140003b00, function detection picks up at 0x140003c48, and the functions at 0x140003b00, 0x140003b90 and 0x140003bc0 are not found. I think these are member functions in vtables and/or exception handlers, nothing directly referenced.
The last function detected, 0x14000eeb0, is an exception handling structure mistakenly interpreted as a function.
password infected splwow64.zip
This issue has been automatically marked as stale because it has not had recent activity. Considering a lot has changed since its creation, we kindly ask you to check again if the issue you reported is still relevant in the current version of radare2. If it is, update this issue with a comment, otherwise it will be automatically closed if no further activity occurs. Thank you for your contributions.
It only happens when running with anal.hasnext, not without this option (which is not enabled by default), and it is known to analyze data in some situations.
Also, it will be good to have a test, but we probably can't distribute this executable, can we? :D
It should be checked whether anal.hasnext is really necessary. In the last 3 years analysis has changed a lot, so maybe that var is not necessary to identify functions in this bin. Just guessing though.