binaryninja-api

Binary Ninja fails to resolve ws2_32.dll import by negative(?) ordinal

Open bsendpacket opened this issue 1 year ago • 0 comments

Version and Platform (required):

  • Binary Ninja Version: 4.1.5261-dev
  • OS: Windows
  • OS Version: 22621.525
  • CPU Architecture: x64

Bug Description: While viewing decompilation of a function that utilizes a ws2_32.dll import, Binary Ninja seems to not be able to deduce the correct imported function. The ordinal is also shown to be negative within the output. I had my friend compare this output within an instance of IDA Pro, and he was able to confirm that the functions are ws2_32!socket and ws2_32!gethostbyname.

Steps To Reproduce: Please provide all steps required to reproduce the behavior:

  1. Download sample (MALICIOUS) from https://bazaar.abuse.ch/sample/f3c124dcce2659610bab08861feebcfe353eb45d1001ccee04db1b9ca7311917/
  2. Extract file, password is "infected"
  3. Navigate to sub_4016D0
  4. Decompile the function and observe the imported ws2_32 calls

Expected Behavior: The first call should be resolved to socket, and the second call should be resolved to gethostbyname.

bsendpacket, May 11 '24 22:05
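
An added example, not part of the original issue and not Binary Ninja's code: how a PE32 import-by-ordinal thunk decodes, and why the same 32-bit value prints as a negative number when read as signed. It assumes a 32-bit PE and that the negative value in the report comes from the ordinal flag bit; the thunk bytes and the partial ws2_32 ordinal table are constructed for illustration, not extracted from the sample.

```python
import struct

# High bit of a PE32 import lookup entry: set means "import by ordinal".
IMAGE_ORDINAL_FLAG32 = 0x80000000

# Partial ordinal-to-name table for ws2_32.dll (only the two exports the
# issue names; a real resolver would load the full export list).
WS2_32_ORDINALS = {23: "socket", 52: "gethostbyname"}


def decode_thunk(raw: bytes):
    """Decode one 4-byte PE32 import lookup table entry.

    Returns ("ordinal", n) for an import by ordinal, or ("name_rva", rva)
    when the entry points at an IMAGE_IMPORT_BY_NAME structure instead.
    """
    (value,) = struct.unpack("<I", raw)
    if value & IMAGE_ORDINAL_FLAG32:
        return ("ordinal", value & 0xFFFF)  # ordinal lives in the low 16 bits
    return ("name_rva", value & 0x7FFFFFFF)


def as_signed32(raw: bytes) -> int:
    """Same bytes read as a signed int: the flag bit becomes the sign bit."""
    (value,) = struct.unpack("<i", raw)
    return value


def resolve_ws2_32(raw: bytes) -> str:
    """Map a thunk to a ws2_32 export name, falling back to Ordinal_N."""
    kind, n = decode_thunk(raw)
    if kind != "ordinal":
        return f"by-name import, hint/name at RVA {n:#x}"
    return WS2_32_ORDINALS.get(n, f"ws2_32!Ordinal_{n}")


# Constructed sample thunks (little-endian): 0x80000017 and 0x80000034.
SAMPLE_THUNKS = [bytes.fromhex("17000080"), bytes.fromhex("34000080")]


def demo():
    """Pair each thunk's signed reading with its resolved export name."""
    return [(as_signed32(t), resolve_ws2_32(t)) for t in SAMPLE_THUNKS]


if __name__ == "__main__":
    for signed, name in demo():
        print(f"{signed:>12}  ->  {name}")
```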