[Forensics-changes] [yara] 222/368: Fix RVA calculation corner cases.
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:30:42 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.5.0
in repository yara.
commit 3a91764bc978f5c70171280595f29697b1edd5be
Author: Wesley Shields <wxs at atarininja.org>
Date: Wed Mar 9 11:36:43 2016 -0500
Fix RVA calculation corner cases.
When the PointerToRawData is less than 0x200 it is rounded down to 0x00. This
causes entry point calculation to be incorrect in some cases. For example, these
two issues highlight the problem:
https://github.com/plusvic/yara/issues/399
https://github.com/plusvic/yara/issues/373
Details of this are in
https://code.google.com/archive/p/corkami/wikis/PE.wiki#PointerToRawData
I tested this against 293 PE files and found one difference in entry point
calculation, which upon inspection turned out to be another case of this bug.
Fixes: #399
Fixes: #373
---
libyara/modules/pe.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index 4323b92..c7b88fd 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -395,6 +395,13 @@ int64_t pe_rva_to_offset(
section_rva = section->VirtualAddress;
section_offset = section->PointerToRawData;
section_raw_size = section->SizeOfRawData;
+
+ // If the section_offset is less than 0x200 it is rounded down to 0.
+ // See also: https://github.com/plusvic/yara/issues/399
+ // Discussion (and other awesome details) at:
+ // https://code.google.com/archive/p/corkami/wikis/PE.wiki#PointerToRawData
+ if (section_offset < 0x200)
+ section_offset = 0;
}
section++;
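Review bot: the new check uses `0x200` as a bare magic number; give it a named constant next to the other PE constants and have the comment say that rounding `section_offset` down to 0 reproduces how the loader treats a `PointerToRawData` below that value, as described on the linked corkami page, so a later reader does not take the threshold for an arbitrary YARA choice. Since the rounding rewrites only `section_offset` and the commit message says 293 real files turned up a single differing case, a regression test built from the samples in issues #399 and #373 would be worth adding next to the fix.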
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git
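The RVA-to-offset lookup the commit message describes, with the rounding rule applied, as an added example that is not YARA's own code from pe.c. It uses a constructed three-field stand-in for IMAGE_SECTION_HEADER (`section_t`), a simplified section choice (the section with the highest VirtualAddress not above the RVA; RVAs inside the headers are reported as unmapped), and the example's own names `rva_to_offset`, `RAW_POINTER_FLOOR`, `sample_misaligned_entry` and `sample_aligned_lookup`. The section headers in the two sample functions are constructed to show the corner case and an ordinary aligned layout side by side.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the three IMAGE_SECTION_HEADER fields the lookup needs. */
typedef struct {
    uint32_t VirtualAddress;
    uint32_t SizeOfRawData;
    uint32_t PointerToRawData;
} section_t;

/* PointerToRawData values below this are treated as 0, matching the commit's rule. */
#define RAW_POINTER_FLOOR 0x200u

/*
 * Map an RVA to a file offset. The section chosen is the one with the
 * highest VirtualAddress that is still <= rva; RVAs below every section
 * (inside the headers) are reported as unmapped (-1) in this simplified
 * version. With apply_fix != 0 a PointerToRawData below 0x200 is rounded
 * down to 0 before the offset is computed; with apply_fix == 0 the raw
 * field value is used, which is the pre-fix behaviour the commit message
 * describes.
 */
int64_t rva_to_offset(const section_t *sections, size_t count,
                      uint64_t rva, int apply_fix)
{
    uint32_t section_rva = 0;
    uint32_t section_offset = 0;
    uint32_t section_raw_size = 0;
    int found = 0;

    for (size_t i = 0; i < count; i++) {
        if (rva >= sections[i].VirtualAddress &&
            section_rva <= sections[i].VirtualAddress) {
            section_rva = sections[i].VirtualAddress;
            section_offset = sections[i].PointerToRawData;
            section_raw_size = sections[i].SizeOfRawData;
            if (apply_fix && section_offset < RAW_POINTER_FLOOR)
                section_offset = 0;
            found = 1;
        }
    }

    if (!found)
        return -1;
    if (rva - section_rva >= section_raw_size)
        return -1;   /* RVA lies past the bytes the section has on disk */
    return (int64_t)section_offset + (int64_t)(rva - section_rva);
}

/*
 * Constructed corner case: a single section whose PointerToRawData (0x40)
 * is below 0x200, with the entry point 0x10 bytes into it. Returns the
 * file offset the lookup produces for the entry point.
 */
int64_t sample_misaligned_entry(int apply_fix)
{
    const section_t sections[] = {
        { 0x1000u, 0x1000u, 0x40u },
    };
    const uint64_t entry_rva = 0x1010u;
    return rva_to_offset(sections, 1, entry_rva, apply_fix);
}

/*
 * Constructed ordinary layout with 0x200-aligned raw pointers, to show the
 * rounding rule leaves well-formed files alone.
 */
int64_t sample_aligned_lookup(uint64_t rva)
{
    const section_t sections[] = {
        { 0x1000u, 0x200u, 0x400u },
        { 0x2000u, 0x200u, 0x600u },
    };
    return rva_to_offset(sections, 2, rva, 1);
}

int main(void)
{
    printf("misaligned entry, raw field used: 0x%llx\n",
           (long long)sample_misaligned_entry(0));
    printf("misaligned entry, rounded to 0:   0x%llx\n",
           (long long)sample_misaligned_entry(1));
    printf("aligned section 2 + 0x10:         0x%llx\n",
           (long long)sample_aligned_lookup(0x2010u));
    return 0;
}
```

Without the rounding the misaligned sample resolves the entry point to 0x50; with it the result is 0x10, because the section's bytes are read from file offset 0 rather than 0x40. The aligned sample is unaffected either way, which is the property the commit's test over 293 files was checking.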