|
I think the loading of exports for arm 32 bit is not quite right:
for my win 11 test machine \SysArm32\ntdll.dll's LdrLoadDll has according tho the PEAnatomist the RVA or 0x2F9F1 and the image base is 0x4B280000, however when stepping through a arm32 project LdrLoadDll is in my instance at 0x7723F9F0 with base at 0x77210000 so the RVA seams to be 0x2F9F0, 1 less than what PEAnatomist shows, also checking with IDA it says the address of that function is 0x4B2AF9F0, that minus the base address gives also 0x2F9F0 as the correct RVA.
Now that Said the peview of process hacker makes the same mistake :/
its strange that the values in the file are all off by exactly 1, its teh same for all functions I checked.
Cheep fix add -1 to the RVA if its an arm image, but I woudl preffer to understand why its so ans have a proper fix.
|