PE Analyzer displays incorrect ordinal numbers for some exports in some DLLs. For some DLLs, the plugin causes Far to crash intermittently due to an access violation.
Below is an example from advapi32.dll. The ordinal number for the function __Ord_1000 is shown as 1002, which is incorrect; it should be 1000. The ordinal for WriteEncryptedFileRaw is shown as 18473, which is also incorrect; it should be 1851. Both Dependency Walker and COFF/PE Dumper (objdump) display the correct ordinal numbers. Note that the other ordinal numbers shown below are incorrect too.

PE Analyzer

| Function | RVA | Ord |
|---|---|---|
| GetWindowsAccountDomainSid | 00021bf0 | 1001 |
| __Ord_1000 | 0003be20 | 1002 |
| I_ScGetCurrentGroupStateW | 00049720 | 1003 |
| A_SHAFinal | NTDLL.A… | 1004 |
| A_SHAInit | NTDLL.A… | 1005 |
| A_SHAUpdate | NTDLL.A… | 1006 |
| AbortSystemShutdownA | 00046830 | 1007 |
| AbortSystemShutdownW | 000468d0 | 1008 |
| ... | ... | ... |
| WmiSetSingleItemW | 0005d060 | 1851 |
| WriteEncryptedFileRaw | 00030670 | 18473 |

Dependency Walker

| Ordinal | Hint | Function | Entry Point |
|---|---|---|---|
| 1000 | N/A | N/A | 0x0003BE20 |
| 1001 | 361 | I_ScGetCurrentGroupStateW | 0x00049720 |
| 1002 | 0 | A_SHAFinal | NTDLL.A_SHAFinal |
| 1003 | 1 | A_SHAInit | NTDLL.A_SHAInit |
| 1004 | 2 | A_SHAUpdate | NTDLL.A_SHAUpdate |
| 1005 | 3 | AbortSystemShutdownA | 0x00046830 |
| 1006 | 4 | AbortSystemShutdownW | 0x000468D0 |
| ... | ... | ... | ... |
| 1850 | 849 | WmiSetSingleItemW | 0x0005D060 |
| 1851 | 850 | WriteEncryptedFileRaw | 0x00030670 |

Something like the following should resolve the issue:

--- pe_analyzer.cpp
+++ pe_analyzer.cpp
@@ -351,12 +351,15 @@
if (rva_nord[j] == i)
fx_index = j;
}
- fx.ordinal = static_cast<WORD>(exp_dir->Base) + rva_nord[i];
if (fx_index != 0xffff) {
+ fx.ordinal = static_cast<WORD>(exp_dir->Base) + rva_nord[fx_index];
const auto name = reinterpret_cast<const char*>(data_from_rva(rva_name[fx_index]));
if (name)
fx_name = name;
}
+ else {
+ fx.ordinal = static_cast<WORD>(exp_dir->Base) + i;
+ }
if (fx_name.empty())
fx_name = ordinal_name(exp_dir->Base + i);
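Review bot: The new `if` branch and the new `else` branch compute the same value, because the lookup loop only assigns `fx_index = j` when `rva_nord[j] == i`, so `rva_nord[fx_index]` is always `i`. A single unconditional `fx.ordinal = static_cast<WORD>(exp_dir->Base + i);` ahead of the `if (fx_index != 0xffff)` test would be simpler and would drop the indexed read of `rva_nord` from the ordinal calculation altogether. Separately, `static_cast<WORD>(exp_dir->Base)` narrows Base before the addition, while `ordinal_name(exp_dir->Base + i)` a few lines later uses the unnarrowed sum, so the displayed ordinal and the generated name can disagree when the value does not fit in a WORD; using the same expression in both places avoids that.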
Anonymous
Good catch. Thanks.
3.10.23
Thank you. This issue is resolved.
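The mismatch reported at the top of this thread, as an added example that is not PE Analyzer's code: a constructed four-function export directory with Base 1000, where the ordinal is computed once from the function index and once by indexing the name-ordinal table with the function index. The struct, the function names and the table contents are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed miniature export directory (not real advapi32.dll data).
// name_ordinals models AddressOfNameOrdinals: name index -> function index.
struct ExportDir {
    uint32_t base;                        // IMAGE_EXPORT_DIRECTORY.Base
    uint32_t number_of_functions;         // entries in AddressOfFunctions
    std::vector<uint16_t> name_ordinals;  // one entry per exported name
};

// Four functions, three names; function index 0 is exported by ordinal only.
ExportDir sample() { return ExportDir{1000, 4, {2, 3, 1}}; }

// Name index for function index i, or -1 when the function has no name.
int name_index_for(const ExportDir& d, uint32_t i) {
    for (size_t j = 0; j < d.name_ordinals.size(); ++j)
        if (d.name_ordinals[j] == i) return static_cast<int>(j);
    return -1;
}

// Correct: the ordinal is Base plus the function index, named or not.
long ordinal_correct(const ExportDir& d, uint32_t i) { return long(d.base) + i; }

// Reported behaviour: the name-ordinal table indexed by the function index.
// Returns -1 where that index lies past the end of the table.
long ordinal_buggy(const ExportDir& d, uint32_t i) {
    if (i >= d.name_ordinals.size()) return -1;
    return long(d.base) + d.name_ordinals[i];
}

int main() {
    const ExportDir d = sample();
    for (uint32_t i = 0; i < d.number_of_functions; ++i)
        std::printf("func %u  name_idx %2d  correct %ld  buggy %ld\n",
                    i, name_index_for(d, i), ordinal_correct(d, i), ordinal_buggy(d, i));
    return 0;
}
```

The unnamed function at index 0 comes out as 1002 instead of 1000, the same shift the report shows for __Ord_1000, and the last function index has no entry in the name-ordinal table at all.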