bug in "pick dll" operation

[nullRd]

To see this bug yourself - grab any process (e.g. firefox.exe), then press "pick DLL" button.
Then choose any module (e.g. kernel32.dll)
Now press "IAT Autosearch" and "Get Imports".
This is what I've got:

 

1. picked module - kernel32.dll
2. resolved imports are still belongs to main module...
3. ..but their RVA is calculated relative to base of selected module!bug tested on XPSP3, W7x64
Scylla ver 0.9.1 x32, x64

[redblkjck]

Looks like you are selecting the OEP of firefox.exe and not the DLL.  Try selecting the DLL then use the OEP of the DLL instead.  Address Entry Point + the ImageBase loaded at detected by Scylla.   On my system XP MSVPC image, the EP is 0000B64E, Scylla detected image base as 7C800000, So OEP = 7C80B64E

VA 7C801000 Size 00000620  392 Valid APIs

 

Remember when selecting the EXE process, the Imports (all the DLL API entries) you are seeing are pointing to the Exports of those DLLs.  Not the DLL's Imports.   - jack  

 

[nullRd]

Thank you! Now I see..
I've just lately started to use Scylla instead of ImpRec, so this thing was unclear to me.
I'm really thought that was a bug. Forgive me for a false alarm
 

[redblkjck]

  Only a small adjustment when starting to use Scylla.  Cheers - jack 

[Aguila]

This little bug was fixed with version 0.9.2

Version 0.9.2
- Pick DLL -> Set DLL Entrypoint

- Advanced IAT Search Algorithm (Enable/Disable it in Options), thanks to ahmadmansoor

- Fixed bug in Options

- Added donate information, please feel free to donate some BTC to support this project

[Jada^AoC]

Where to download the current version? In this section there isn't any up to date thread...

 

 

Best regards,

Jada^AoC

[Dreamer]

http://forum.tuts4you.com/files/file/576-scylla-imports-reconstruction/

[Aguila]

you can "follow this file" and receive update notifications.

 

Source is always here https://github.com/NtQuery/Scylla