[Forensics-changes] [yara] 92/368: Fix issue #357

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:30:15 UTC 2017 

This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.5.0
in repository yara.

commit 86c50347a20f000c46cb3e70d63d38c0584272d1
Author: Victor Manuel Alvarez <vmalvarez at virustotal.com>
Date:   Wed Oct 14 23:21:09 2015 +0200

    Fix issue #357
    
    Take into account the PE files can contain a VarFileInfo structure before StringFileInfo. In those cases we must skip the VarFileInfo.
---
 libyara/modules/pe.c | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index eb9f4c2..d8b4aa1 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -657,7 +657,6 @@ void pe_parse_version_info(
     PE* pe)
 {
   PVERSION_INFO version_info;
-  PVERSION_INFO string_file_info;
 
   int64_t version_info_offset = pe_rva_to_offset(pe, rsrc_data->OffsetToData);
 
@@ -675,25 +674,34 @@ void pe_parse_version_info(
   if (strcmp_w(version_info->Key, "VS_VERSION_INFO") != 0)
     return;
 
-  string_file_info = ADD_OFFSET(
+  version_info = ADD_OFFSET(
       version_info, sizeof(VERSION_INFO) + 86);
 
-  while(fits_in_pe(pe, string_file_info->Key, sizeof("StringFileInfo") * 2) &&
-        strcmp_w(string_file_info->Key, "StringFileInfo") == 0 &&
-        string_file_info->Length != 0)
+  while(fits_in_pe(pe, version_info->Key, sizeof("VarFileInfo") * 2) &&
+        strcmp_w(version_info->Key, "VarFileInfo") == 0 &&
+        version_info->Length != 0)
+  {
+    version_info = ADD_OFFSET(
+        version_info,
+        version_info->Length);
+  }
+
+  while(fits_in_pe(pe, version_info->Key, sizeof("StringFileInfo") * 2) &&
+        strcmp_w(version_info->Key, "StringFileInfo") == 0 &&
+        version_info->Length != 0)
   {
     PVERSION_INFO string_table = ADD_OFFSET(
-        string_file_info,
+        version_info,
         sizeof(VERSION_INFO) + 30);
 
-    string_file_info = ADD_OFFSET(
-        string_file_info,
-        string_file_info->Length);
+    version_info = ADD_OFFSET(
+        version_info,
+        version_info->Length);
 
     while (struct_fits_in_pe(pe, string_table, VERSION_INFO) &&
            wide_string_fits_in_pe(pe, string_table->Key) &&
            string_table->Length != 0 &&
-           string_table < string_file_info)
+           string_table < version_info)
     {
       PVERSION_INFO string = ADD_OFFSET(
           string_table,

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git

More information about the forensics-changes mailing list