[Forensics-changes] [yara] 238/368: pe: Recognize RVAs below mapped sections

[Hilko Bengen]

This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.5.0
in repository yara.

commit ba60f4e5edd4d1eca9ba2f1ad6f5543aa4d95153
Author: Hilko Bengen <bengen at hilluzination.de>
Date:   Mon Mar 21 22:18:41 2016 +0100

    pe: Recognize RVAs below mapped sections
    
    Closes #379, #395
---
 libyara/modules/pe.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index a741393..f0a29a6 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -383,6 +383,7 @@ int64_t pe_rva_to_offset(
 {
   PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(pe->header);
 
+  DWORD lowest_section_rva = 0xffffffff;
   DWORD section_rva = 0;
   DWORD section_offset = 0;
   DWORD section_raw_size = 0;
@@ -395,6 +396,11 @@ int64_t pe_rva_to_offset(
   {
     if (struct_fits_in_pe(pe, section, IMAGE_SECTION_HEADER))
     {
+      if (lowest_section_rva > section->VirtualAddress)
+      {
+        lowest_section_rva = section->VirtualAddress;
+      }
+
       if (rva >= section->VirtualAddress &&
           section_rva <= section->VirtualAddress)
       {
@@ -427,12 +433,22 @@ int64_t pe_rva_to_offset(
     }
   }
 
+  // Everything before the first section seems to get mapped straight
+  // relative to ImageBase.
+
+  if (rva < lowest_section_rva)
+  {
+    return rva;
+  }
+
   // Many sections, have a raw (on disk) size smaller than their in-memory size.
   // Check for rva's that map to this sparse space, and therefore have no valid
   // associated file offset.
 
   if ((rva - section_rva) >= section_raw_size)
+  {
     return -1;
+  }
 
   result = section_offset + (rva - section_rva);
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git