[Forensics-changes] [yara] 217/407: Fix a problem with ord_lookup.
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:28:27 UTC 2017
bengen pushed a commit to annotated tag v3.3.0
in repository yara.
commit 5cb324a2449e68db920a10e6f3be19d49c64f137
Author: Wesley Shields <wxs at atarininja.org>
Date: Mon Nov 17 16:59:35 2014 -0500
Fix a problem with ord_lookup.
If the ordinal cannot be looked up we must return "ordN" rather than NULL.
Otherwise files with imports by ordinal that do not map to a known name
end up with incorrect hashes. For example, this file:
d4ffa4559a1e22167933772d82cf714cd4bb7a0e79511c2424e18bdb619d63a4
The correct imphash for this (according to pefile) is:
74638b0911b0c9268aae1edee5a60a9f
---
libyara/modules/pe.c | 42 ++++++++++++++++++------------------------
libyara/modules/pe_utils.c | 4 ++--
2 files changed, 20 insertions(+), 26 deletions(-)
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index 4b70e1b..e4433c6 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -634,22 +634,19 @@ IMPORTED_FUNCTION* pe_parse_import_descriptor(
name = ord_lookup(dll_name, thunks64->u1.Ordinal & 0xFFFF);
}
- if (name != NULL)
- {
- IMPORTED_FUNCTION* imported_func = (IMPORTED_FUNCTION*)
- yr_calloc(1, sizeof(IMPORTED_FUNCTION));
+ IMPORTED_FUNCTION* imported_func = (IMPORTED_FUNCTION*)
+ yr_calloc(1, sizeof(IMPORTED_FUNCTION));
- imported_func->name = name;
- imported_func->next = NULL;
+ imported_func->name = name;
+ imported_func->next = NULL;
- if (head == NULL)
- head = imported_func;
+ if (head == NULL)
+ head = imported_func;
- if (tail != NULL)
- tail->next = imported_func;
+ if (tail != NULL)
+ tail->next = imported_func;
- tail = imported_func;
- }
+ tail = imported_func;
thunks64++;
}
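Review bot: The now-unconditional `yr_calloc` result is dereferenced on the very next line without a NULL check, so an allocation failure becomes a NULL write at `imported_func->name = name`; a guard such as `if (imported_func == NULL) break;` directly after the allocation would close that. The removed `if (name != NULL)` was also the only thing keeping a NULL `name` out of the list: `ord_lookup` still returns `yr_strdup(name)`, which can fail, and whatever builds the imphash from `->name` later would then dereference NULL, so the same early exit should cover `name == NULL` as well. The enclosing `pe_parse_import_descriptor` begins before this hunk, and the branch that sets `name` for imports by name is not visible here, so whether that path can also yield NULL needs checking outside the hunk.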
@@ -686,22 +683,19 @@ IMPORTED_FUNCTION* pe_parse_import_descriptor(
name = ord_lookup(dll_name, thunks32->u1.Ordinal & 0xFFFF);
}
- if (name != NULL)
- {
- IMPORTED_FUNCTION* imported_func = (IMPORTED_FUNCTION*)
- yr_calloc(1, sizeof(IMPORTED_FUNCTION));
+ IMPORTED_FUNCTION* imported_func = (IMPORTED_FUNCTION*)
+ yr_calloc(1, sizeof(IMPORTED_FUNCTION));
- imported_func->name = name;
- imported_func->next = NULL;
+ imported_func->name = name;
+ imported_func->next = NULL;
- if (head == NULL)
- head = imported_func;
+ if (head == NULL)
+ head = imported_func;
- if (tail != NULL)
- tail->next = imported_func;
+ if (tail != NULL)
+ tail->next = imported_func;
- tail = imported_func;
- }
+ tail = imported_func;
thunks32++;
}
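Review bot: After this change the 32-bit branch is line-for-line identical to the 64-bit one except for the thunk pointer, so the calloc/link-into-list sequence is a good candidate for one `static` helper (for example `static IMPORTED_FUNCTION* append_imported_function(IMPORTED_FUNCTION** head, IMPORTED_FUNCTION** tail, char* name)`) rather than two copies that must be kept in sync. A helper would also give a single place for the missing `yr_calloc` NULL check, which this hunk has in the same form as the 64-bit one. The surrounding function starts and ends outside the hunk.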
diff --git a/libyara/modules/pe_utils.c b/libyara/modules/pe_utils.c
index 21cb81c..8ab5e21 100644
--- a/libyara/modules/pe_utils.c
+++ b/libyara/modules/pe_utils.c
@@ -1661,7 +1661,7 @@ static char *ord_lookup(
}
if (name[0] == '\0')
- return NULL;
+ sprintf(name, "ord%u", ord);
return yr_strdup(name);
-}
\ No newline at end of file
+}
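Review bot: The new `sprintf(name, "ord%u", ord)` writes into `name` with no bound; the declaration of `name` and the parameter type of `ord` are both outside the hunk, so it is not visible here that the buffer holds the up-to-9 bytes of "ord65535\0" (the callers mask with `& 0xFFFF`) or that `%u` matches `ord`'s type. If `name` is a local array, `snprintf(name, sizeof(name), "ord%u", ord);` makes the bound explicit and is the idiom the rest of a format call like this should use; if `ord` is not `unsigned int`, the specifier needs to match or a cast added. `yr_strdup(name)` can still return NULL on allocation failure, so the "never NULL" promise in the commit message only holds for the lookup-miss case, which callers should keep in mind. The function body begins before this hunk.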