[Forensics-changes] [yara] 05/17: Fix issue #669

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:32:43 UTC 2017 

This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.6.1
in repository yara.

commit 4ee750b6834a96173d70d46e2b9ef3b85f5013ac
Author: Victor M. Alvarez <plusvic at gmail.com>
Date:   Thu May 25 10:25:49 2017 +0200

    Fix issue #669
    
    pe.overlay.size was undefined for files not having overlaid data. Conditions like math.entropy(0, filesize - pe.overlay.size) >= 7.0 were failing because of this, even if they make perfect sense. Now for PE files not having overlaid data pe.overlay.size is set to zero. The value is still undefined for non-PE files or malformed PEs.
---
 libyara/modules/pe.c | 12 +++++++-----
 tests/test-pe.c      | 16 ++++++++++++++++
 2 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index 16c467e..93719c0 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -1421,16 +1421,18 @@ void pe_parse_header(
     section++;
   }
 
-  // An overlay is data appended to a PE file. Its location is RawData + RawOffset of the last
-  // section on the physical file
+  // An overlay is data appended to a PE file. Its location is at
+  // RawData + RawOffset of the last section on the physical file
   last_section_end = highest_sec_siz + highest_sec_ofs;
 
-  // This way "overlay" is set to UNDEFINED for files that do not have an overlay section
+  // "overlay.offset" is set to UNDEFINED for files that do not have an overlay
   if (last_section_end && (pe->data_size > last_section_end))
-  {
     set_integer(last_section_end, pe->object, "overlay.offset");
+
+  // "overlay.size" is zero for well formed PE files that don not have an
+  // overlay and UNDEFINED for malformed PE files or non-PE files.
+  if (last_section_end && (pe->data_size >= last_section_end))
     set_integer(pe->data_size - last_section_end, pe->object, "overlay.size");
-  }
 }
 
 //
diff --git a/tests/test-pe.c b/tests/test-pe.c
index 0cad10a..04873ed 100644
--- a/tests/test-pe.c
+++ b/tests/test-pe.c
@@ -127,6 +127,22 @@ int main(int argc, char** argv)
       }",
       "tests/data/tiny");
 
+  assert_true_rule_file(
+      "import \"pe\" \
+      rule test { \
+        condition: \
+          pe.overlay.offset == 0x8000 and pe.overlay.size == 7 \
+      }",
+      "tests/data/tiny-overlay");
+
+  assert_true_rule_file(
+      "import \"pe\" \
+      rule test { \
+        condition: \
+         pe.overlay.size == 0 \
+      }",
+      "tests/data/tiny");
+
   assert_false_rule_file(
       "import \"pe\" \
       rule test { \

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git

More information about the forensics-changes mailing list