[Forensics-changes] [yara] 231/368: pe: pe_rva_to_offset: Round to File Alignment
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:30:42 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.5.0
in repository yara.
commit e8f786e85ef0b648e0086e74f23d7934efe346ec
Author: Hilko Bengen <bengen at hilluzination.de>
Date: Tue Mar 15 23:06:59 2016 +0100
pe: pe_rva_to_offset: Round to File Alignment
Closes #424
---
libyara/modules/pe.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index ce16cc7..a741393 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -402,12 +402,20 @@ int64_t pe_rva_to_offset(
section_offset = section->PointerToRawData;
section_raw_size = section->SizeOfRawData;
- // If the section_offset is less than 0x200 it is rounded down to 0.
- // See also: https://github.com/plusvic/yara/issues/399
- // Discussion (and other awesome details) at:
+ // Round section_offset down to file alignment.
+ //
+ // Rounding everything less than 0x200 to 0 as discussed in
// https://code.google.com/archive/p/corkami/wikis/PE.wiki#PointerToRawData
- if (section_offset < 0x200)
- section_offset = 0;
+ // does not work for PE32_FILE from the test suite and for
+ // some tinype samples where File Alignment = 4
+ // (http://www.phreedom.org/research/tinype/).
+ int alignment = OptionalHeader(pe, FileAlignment);
+ if (alignment)
+ {
+ int rest = section_offset % alignment;
+ if (rest)
+ section_offset -= rest;
+ }
}
section++;
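Review bot: the alignment validation in this hunk is too weak for a parser that has to survive malformed headers. FileAlignment is an unsigned 32-bit header field but it is stored in `int alignment`, so a value with the top bit set turns negative and `section_offset % alignment` runs with a negative divisor; the only rejection is `if (alignment)`, so a non-power-of-two FileAlignment (the PE format requires a power of two) is accepted and the "rounding" becomes arbitrary. Suggest keeping the value in the field's unsigned type and checking `(alignment & (alignment - 1)) == 0` before rounding. Note also that the removed `if (section_offset < 0x200) section_offset = 0;` still zeroed small offsets when FileAlignment was 0, whereas the new code leaves them untouched in that case; either document that this is intended or fall back to the old rule when alignment is 0. The comment explains why the 0x200 rule fails for tinype samples but not why rounding to FileAlignment is the right mapping for ordinary files, which is worth a sentence since it changes the offset for every file whose PointerToRawData is not aligned.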
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git
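The mapping the commit changes, RVA to raw file offset with PointerToRawData rounded down to FileAlignment, as an added stand-alone example that is not YARA's code and not part of the commit above. The section struct, the function names and the sample section tables are all constructed for the example; it goes beyond the patch in one respect, which is that it only rounds when FileAlignment is a non-zero power of two (as the PE format requires) and otherwise leaves the offset untouched, whereas the patch uses `%` for any non-zero value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical minimal view of a section header: just the four fields the
   lookup needs. Not YARA's own PE types. */
typedef struct {
    uint32_t VirtualAddress;
    uint32_t VirtualSize;
    uint32_t PointerToRawData;
    uint32_t SizeOfRawData;
} SectionView;

#define RVA_NOT_MAPPED ((int64_t)-1)

/* Round PointerToRawData down to FileAlignment. A zero or non-power-of-two
   alignment is treated as malformed and the offset is returned unchanged;
   this is a stricter choice than the patch's plain modulo. */
static uint32_t round_down_to_alignment(uint32_t offset, uint32_t alignment)
{
    if (alignment == 0 || (alignment & (alignment - 1)) != 0)
        return offset;
    return offset & ~(alignment - 1);
}

/* Map an RVA to a file offset using the section table. Returns RVA_NOT_MAPPED
   when no section covers the RVA, or when it lies inside a section's virtual
   span but beyond the bytes that actually exist in the file. Subtractions are
   used instead of `va + size` comparisons so hostile sizes cannot overflow. */
int64_t rva_to_file_offset(const SectionView *sections, size_t count,
                           uint32_t file_alignment, uint32_t rva)
{
    for (size_t i = 0; i < count; i++) {
        const SectionView *s = &sections[i];
        uint32_t va = s->VirtualAddress;
        /* In memory a section covers max(VirtualSize, SizeOfRawData). */
        uint32_t span = s->VirtualSize > s->SizeOfRawData
                          ? s->VirtualSize : s->SizeOfRawData;
        if (rva < va || rva - va >= span)
            continue;
        uint32_t delta = rva - va;
        if (delta >= s->SizeOfRawData)
            return RVA_NOT_MAPPED; /* zero-filled part, no file bytes */
        uint32_t raw = round_down_to_alignment(s->PointerToRawData, file_alignment);
        return (int64_t)raw + delta;
    }
    return RVA_NOT_MAPPED;
}

/* Constructed sample section tables (not taken from any real binary). */
const SectionView sample_sections[] = {
    { 0x1000, 0x0200, 0x0400, 0x0200 },  /* ordinary, aligned to 0x200 */
    { 0x2000, 0x1000, 0x0600, 0x0200 },  /* VirtualSize larger than raw size */
};
const SectionView tinype_sections[] = {
    { 0x1000, 0x0100, 0x006e, 0x0100 },  /* FileAlignment 4, unaligned raw ptr */
};
const SectionView low_offset_sections[] = {
    { 0x1000, 0x0200, 0x01f0, 0x0200 },  /* PointerToRawData below 0x200 */
};

int main(void)
{
    printf("0x1010 -> %lld\n", (long long)rva_to_file_offset(sample_sections, 2, 0x200, 0x1010));
    printf("0x2300 -> %lld\n", (long long)rva_to_file_offset(sample_sections, 2, 0x200, 0x2300));
    printf("tinype 0x1004 -> %lld\n", (long long)rva_to_file_offset(tinype_sections, 1, 4, 0x1004));
    printf("low 0x1010 -> %lld\n", (long long)rva_to_file_offset(low_offset_sections, 1, 0x200, 0x1010));
    return 0;
}
```

With FileAlignment 0x200 the low-offset table reproduces the old "below 0x200 becomes 0" rule; with FileAlignment 4 the tinype-style table keeps most of the unaligned pointer, which is exactly the case the commit message cites.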