pefile: better handle forwarded exports with specific paths

2025-12-12 15:49:46 -08:00 · 2023-07-13 10:51:28 +02:00
parent 6b6d7eb494
commit 9e9f120c80
1 changed files with 6 additions and 1 deletions
--- a/capa/features/extractors/pefile.py
+++ b/capa/features/extractors/pefile.py
@@ -51,7 +51,12 @@ def extract_file_export_names(pe, **kwargs):
                except UnicodeDecodeError:
                    continue

-                forwarded_dll, _, forwarded_symbol = forwarded_name.partition(".")
+                # use rpartition so we can split on separator between dll and name.
+                # the dll name can be a full path, like in the case of
+                # ef64d6d7c34250af8e21a10feb931c9b
+                # which i assume means the path can have embedded periods.
+                # so we don't want the first period, we want the last.
+                forwarded_dll, _, forwarded_symbol = forwarded_name.rpartition(".")
                forwarded_dll = forwarded_dll.lower()

                va = base_address + export.address