Jump to content
Tuts 4 You

bug in "pick dll" operation


Recommended Posts

To see this bug yourself - grab any process (e.g. firefox.exe), then press "pick DLL" button.
Then choose any module (e.g. kernel32.dll)
Now press "IAT Autosearch" and "Get Imports".
This is what I've got:



1. picked module - kernel32.dll
2. resolved imports are still belongs to main module...
3. ..but their RVA is calculated relative to base of selected module!bug tested on XPSP3, W7x64
Scylla ver 0.9.1 x32, x64

Link to comment

Looks like you are selecting the OEP of firefox.exe and not the DLL.  Try selecting the DLL then use the OEP of the DLL instead.  Address Entry Point + the ImageBase loaded at detected by Scylla.   On my system XP MSVPC image, the EP is 0000B64E, Scylla detected image base as 7C800000, So OEP = 7C80B64E

VA 7C801000 Size 00000620  392 Valid APIs


Remember when selecting the EXE process, the Imports (all the DLL API entries) you are seeing are pointing to the Exports of those DLLs.  Not the DLL's Imports.   - jack  


  • Like 2
Link to comment

Thank you! Now I see..
I've just lately started to use Scylla instead of ImpRec, so this thing was unclear to me.
I'm really thought that was a bug. Forgive me for a false alarm :sorry:

Link to comment

This little bug was fixed with version 0.9.2

Version 0.9.2 - Pick DLL -> Set DLL Entrypoint
- Advanced IAT Search Algorithm (Enable/Disable it in Options), thanks to ahmadmansoor
- Fixed bug in Options
- Added donate information, please feel free to donate some BTC to support this project
  • Like 1
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...