[Forensics-changes] [yara] 189/407: Address an import parsing problem.

Sat Jul 1 10:28:24 UTC 2017

This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.3.0
in repository yara.

commit 987b81d725803b9a9b85db1872b978d88ceb45c7
Author: Wesley Shields <wxs at atarininja.org>
Date:   Mon Nov 3 17:40:15 2014 -0500

    Address an import parsing problem.
    
    I've got a binary here which pefile parses imports correctly but YARA
    does not. It appears that when parsing the Import Directory if
    OriginalFirstThunk is zero you can use FirstThunk.
---
 libyara/modules/pe.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index 0f13caf..1b6feaa 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -598,6 +598,11 @@ IMPORTED_FUNCTION* pe_parse_import_descriptor(
   uint64_t offset = pe_rva_to_offset(
       pe, import_descriptor->OriginalFirstThunk);
 
+  // I've seen binaries where OriginalFirstThunk is zero. In this case
+  // use FirstThunk.
+  if (offset == 0)
+    offset = pe_rva_to_offset(pe, import_descriptor->FirstThunk);
+
   if (offset == 0)
     return NULL;
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git

