[Forensics-changes] [yara] 309/407: Use the OptionalHeader.Magic value.

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:28:39 UTC 2017


This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.3.0
in repository yara.

commit a8d6eeae11f4187d39a37b4cf3ae1cd4325de3c8
Author: Wesley Shields <wxs at atarininja.org>
Date:   Sun Jan 4 23:33:47 2015 -0500

    Use the OptionalHeader.Magic value.
    
    When determining if a file is PE32 or PE32+ you need to use the Magic
    value in the OptionalHeader, not FileHeader.Machine. If you incorrectly
    use FileHeader.Machine then you will improperly parse 64-bit files for
    non-AMD64 architectures. In particular I have seen this problem when
    looking at an ARM64 binary. The resource directories were all off by
    some amount because it was using the wrong OptionalHeader because of the
    wrong check.
---
 libyara/modules/pe.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index 7e01ce1..5bf97a2 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -314,7 +314,11 @@ PIMAGE_DATA_DIRECTORY pe_get_directory_entry(
 {
   PIMAGE_DATA_DIRECTORY result;
 
-  if (pe->header->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)
+  // The first WORD in the OptionalHeader (32 or 64 bit) is a Magic value
+  // which determines the appropriate structure to use (PIMAGE_NT_HEADERS64
+  // or PIMAGE_NT_HEADERS32). As such, just cast pe->header to
+  // PIMAGE_NT_HEADERS64 and check the magic value, then cast accordingly.
+  if (((PIMAGE_NT_HEADERS64) pe->header)->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
     result = &((PIMAGE_NT_HEADERS64) pe->header)->
         OptionalHeader.DataDirectory[entry];
   else
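Review bot: the cast to PIMAGE_NT_HEADERS64 is safe for reading Magic itself, since Magic is the first WORD of the optional header in both layouts, but once the magic is IMAGE_NT_OPTIONAL_HDR64_MAGIC this hunk dereferences `OptionalHeader.DataDirectory[entry]` in the 64-bit structure, which is larger than the 32-bit one; confirm that the size validation which established `pe->header` covers `sizeof(IMAGE_NT_HEADERS64)` (or at least the end of `DataDirectory[entry]`) before this read, otherwise a truncated PE32+ file reads past the buffer. The `else` branch also now treats every value other than 0x20b, including unrecognised magics, as PE32; consider comparing against IMAGE_NT_OPTIONAL_HDR32_MAGIC explicitly and returning NULL for anything else. Finally, the comparison line runs past 80 columns and is repeated verbatim in the two hunks below; a helper such as `#define IS_64BITS_PE(pe) (((PIMAGE_NT_HEADERS64) (pe)->header)->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)` would keep the three sites consistent and short.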
@@ -681,7 +685,7 @@ IMPORTED_FUNCTION* pe_parse_import_descriptor(
   if (offset == 0)
     return NULL;
 
-  if (pe->header->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)
+  if (((PIMAGE_NT_HEADERS64) pe->header)->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
   {
     PIMAGE_THUNK_DATA64 thunks64 = (PIMAGE_THUNK_DATA64)(pe->data + offset);
 
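Review bot: this is the same magic comparison as in pe_get_directory_entry but without the explanatory comment, so a reader may take the PIMAGE_NT_HEADERS64 cast as an assumption that the header is 64-bit; either factor the check into a shared helper or reference the comment above. Within the hunk `offset` is tested only against 0 before `pe->data + offset` is cast to PIMAGE_THUNK_DATA64; if no range check against the mapped size follows further down, one is needed on both thunk paths, and the 64-bit path needs it more since IMAGE_THUNK_DATA64 is twice the width of its 32-bit counterpart and advances further per entry.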
@@ -1049,7 +1053,7 @@ void pe_parse_header(
   char section_name[IMAGE_SIZEOF_SHORT_NAME + 1];
 
 #define OptionalHeader(field) \
-  (pe->header->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64 ? \
+  (((PIMAGE_NT_HEADERS64) pe->header)->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC ? \
    ((PIMAGE_NT_HEADERS64) pe->header)->OptionalHeader.field : \
      pe->header->OptionalHeader.field)
 
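Review bot: the OptionalHeader(field) macro now re-reads Magic on every field access; `pe->header` does not change inside pe_parse_header, so compute the result once into a local (for example `int is_64bit = ((PIMAGE_NT_HEADERS64) pe->header)->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC;`) and test that in the macro, which also keeps each expansion short. The function-like macro name coincides with the struct member `OptionalHeader` used in its own body; that is legal because the member token is never followed by `(`, but it is easy to misread, so a name like `OPT_HDR(field)` would be clearer, and the macro should be `#undef`ed after its last use if it is not already.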

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git


