[Forensics-changes] [yara] 247/368: Round section offsets to 0x200 if FileAlignment > 0x200
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:30:44 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.5.0
in repository yara.
commit 6bbbdc2a510871534aa0d2860c46f46415642107
Author: Hilko Bengen <bengen at hilluzination.de>
Date: Thu Mar 31 01:31:22 2016 +0200
Round section offsets to 0x200 if FileAlignment > 0x200
Closes 429
---
libyara/modules/pe.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index 1569a71..bbad762 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -408,14 +408,17 @@ int64_t pe_rva_to_offset(
section_offset = section->PointerToRawData;
section_raw_size = section->SizeOfRawData;
- // Round section_offset down to file alignment.
+ // Round section_offset
//
// Rounding everything less than 0x200 to 0 as discussed in
// https://code.google.com/archive/p/corkami/wikis/PE.wiki#PointerToRawData
// does not work for PE32_FILE from the test suite and for
// some tinype samples where File Alignment = 4
// (http://www.phreedom.org/research/tinype/).
- int alignment = OptionalHeader(pe, FileAlignment);
+ //
+ // If FileAlignment is >= 0x200, it is apparently ignored (see
+ // Ero Carreras's pefile.py, PE.adjust_FileAlignment).
+ int alignment = yr_min(OptionalHeader(pe, FileAlignment), 0x200);
if (alignment)
{
int rest = section_offset % alignment;
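Review bot: The rewritten comment at the top of the hunk now reads only `// Round section_offset` and no longer says in which direction or to what boundary. Its new paragraph also says a FileAlignment `>= 0x200` is "apparently ignored", while the code clamps it with `yr_min(OptionalHeader(pe, FileAlignment), 0x200)`, so the offset is still rounded, just to 0x200 at most. Suggest keeping the direction from the removed line, for example `// Round section_offset down to min(FileAlignment, 0x200).`, and writing `> 0x200` to match the commit subject, since a value of exactly 0x200 is unchanged by the clamp. The diffstat lists only libyara/modules/pe.c, so a test case with FileAlignment above 0x200 would be worth adding next to the PE32_FILE one the comment mentions.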
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git