Merge pull request x64dbg#3701 from WindowsAPI/fix/resolve-ordinal-imports

mrexodia · web-flow · commit d2bd33cdeb30 · 2025-11-16T16:39:32.000+01:00
Fix ordinal imports display by resolving to function names
diff --git a/src/dbg/symbolinfo.cpp b/src/dbg/symbolinfo.cpp
@@ -493,22 +493,38 @@ bool SymbolFromAddressExact(duint address, SYMBOLINFO* info)
         }
     }
 
+    // module entry point pseudo-symbol
     if(modInfo->entry != 0 && modInfo->entrySymbol.rva == rva)
     {
         modInfo->entrySymbol.convertToGuiSymbol(base, info);
         return true;
     }
 
-    // search in module imports
+    // search in module imports (iat)
     {
         auto modImport = modInfo->findImport(rva);
         if(modImport != nullptr)
         {
+            // for imports by ordinal, try to resolve the real symbol
+            if(modImport->ordinal != -1)
+            {
+                duint exportAddress = 0;
+                if(DbgMemRead(address, &exportAddress, sizeof(exportAddress)) && exportAddress != 0)
+                {
+                    if(SymbolFromAddressExact(exportAddress, info))
+                    {
+                        // override the address of the export symbol with the IAT address
+                        info->addr = address;
+                        return true;
+                    }
+                }
+            }
+
+            // fall back to the import symbol itself
             modImport->copyToGuiSymbol(base, info);
             return true;
         }
     }
-
     return false;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -493,22 +493,38 @@ bool SymbolFromAddressExact(duint address, SYMBOLINFO* info)`
`493`	`493`	`}`
`494`	`494`	`}`
`495`	`495`
	`496`	`+ // module entry point pseudo-symbol`
`496`	`497`	`if(modInfo->entry != 0 && modInfo->entrySymbol.rva == rva)`
`497`	`498`	`{`
`498`	`499`	`modInfo->entrySymbol.convertToGuiSymbol(base, info);`
`499`	`500`	`return true;`
`500`	`501`	`}`
`501`	`502`
`502`		`- // search in module imports`
	`503`	`+ // search in module imports (iat)`
`503`	`504`	`{`
`504`	`505`	`auto modImport = modInfo->findImport(rva);`
`505`	`506`	`if(modImport != nullptr)`
`506`	`507`	`{`
	`508`	`+ // for imports by ordinal, try to resolve the real symbol`
	`509`	`+ if(modImport->ordinal != -1)`
	`510`	`+ {`
	`511`	`+ duint exportAddress = 0;`
	`512`	`+ if(DbgMemRead(address, &exportAddress, sizeof(exportAddress)) && exportAddress != 0)`
	`513`	`+ {`
	`514`	`+ if(SymbolFromAddressExact(exportAddress, info))`
	`515`	`+ {`
	`516`	`+ // override the address of the export symbol with the IAT address`
	`517`	`+ info->addr = address;`
	`518`	`+ return true;`
	`519`	`+ }`
	`520`	`+ }`
	`521`	`+ }`
	`522`	`+`
	`523`	`+ // fall back to the import symbol itself`
`507`	`524`	`modImport->copyToGuiSymbol(base, info);`
`508`	`525`	`return true;`
`509`	`526`	`}`
`510`	`527`	`}`
`511`		`-`
`512`	`528`	`return false;`
`513`	`529`	`}`
`514`	`530`