[Forensics-changes] [yara] 239/368: pe: imports: Actually look at FirstThunk if OriginalFirstThunk is zero.
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:30:43 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.5.0
in repository yara.
commit f7c1abc7f082166f9ff2a8850e49bc4f269435b8
Author: Hilko Bengen <bengen at hilluzination.de>
Date: Mon Mar 21 23:45:39 2016 +0100
pe: imports: Actually look at FirstThunk if OriginalFirstThunk is zero.
Closes: #371
---
libyara/modules/pe.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index f0a29a6..1569a71 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -886,7 +886,7 @@ IMPORTED_FUNCTION* pe_parse_import_descriptor(
// I've seen binaries where OriginalFirstThunk is zero. In this case
// use FirstThunk.
- if (offset < 0)
+ if (offset <= 0)
offset = pe_rva_to_offset(pe, import_descriptor->FirstThunk);
if (offset < 0)
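Review bot: the fallback condition on the `if (offset <= 0)` line tests the resolved file offset rather than the field the comment describes, so it silently depends on pe_rva_to_offset() mapping an RVA of 0 to a file offset of 0; checking `import_descriptor->OriginalFirstThunk == 0` directly before the first pe_rva_to_offset() call would match the comment ("OriginalFirstThunk is zero") and make the intent explicit. The trailing `if (offset < 0)` keeps the strict comparison, so an OriginalFirstThunk that resolves to 0 triggers the fallback while a FirstThunk that also resolves to 0 is then accepted by the second check; either use the same comparison in both places or keep the explicit field check and leave both offset tests at `< 0`.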
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git