Wrong import observed in dumped dlls

while using pd with pid NNN
I've observed some strange behaviour in produced dlls..

here is an example:

original kernel32.dll module:

<img width="1631" height="1057" alt="Image" src="https://github.com/user-attachments/assets/d5cbeae8-9867-4f00-be8a-d4e53c257712" />

and this is what being produced by pd64 -pid 3464 (one of the chrome.exe child process)

<img width="1359" height="1085" alt="Image" src="https://github.com/user-attachments/assets/84ee96b9-4563-4e34-bbe1-d391fb6c1714" />

the appended (fake?) entries list is huge  (as you see it has 1361  imported dlls!)
majority of added records are duplicates (eg kernel32.dll   LZDone
eg here is the end:

<img width="1118" height="878" alt="Image" src="https://github.com/user-attachments/assets/7aa08f66-7d73-4025-b4b9-d09b6014ce7c" />

so the question is:
is it possible to determine the real effective and of table and not append some fake records?

seen it almost on all dumped dlls....


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Wrong import observed in dumped dlls #36

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Wrong import observed in dumped dlls #36

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions