
Corkami PE Testing - Known Failure Fixes

Open ekilmer opened this issue 4 years ago • 0 comments

Within #145, there are very simple tests to detect whether pe-parse would correctly identify the executables as PE, without erroring. Unfortunately (but not unexpectedly), there are a few executables that are not parsed correctly.

Ideally, we should at least test and enforce that we support parsing of any PE in the Corkami dataset.

  • [ ] There are no test exceptions (read: known failures) when processing the Corkami dataset of PEs

Reference to known failing tests: https://github.com/trailofbits/pe-parse/blob/4286f109b0763972d1db7177ec6fe5f6791350f8/tests/corkami_test.cpp#L34-L51

Secondly, a much bigger task would be to confirm that pe-parse is correctly parsing all and only the information that the Corkami PEs claim to exhibit.

  • [ ] There are specific PE field tests/asserts for the Corkami PEs to ensure correctness

How to Start Investigating

First, run git submodule update --init to pull the Corkami dataset (we will be focusing on the PEs here: https://github.com/corkami/pocs/tree/master/PE/bin).

Then, running the standalone dump-pe tool that is included in this repo should be an easy way to iterate on code changes, since the testing logic is basically the same.

$ ./build/dump-pe/dump-pe tests/assets/corkami-poc-dataset/PE/bin/virtsectblXP.exe
Error: 3 (Invalid section)
Location: ParsePEFromBuffer:2394

Use that information as a starting point for where to begin debugging. Moreover, most, if not all, of the PEs have a corresponding asm file that provides the source code for building the PE and how the file is constructed. Use this information to gain a better understanding of why pe-parse is having difficulty parsing it and what kind of fix would be needed. Here it is for our example https://github.com/corkami/pocs/blob/master/PE/virtsectblXP.asm

ekilmer, Mar 16 '21 13:03
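As an added example (not code from the issue or from the pe-parse repository), here is a small shell script that runs dump-pe over every PE in the Corkami bin directory, parses the Error/Location lines shown above, and lists the files that still fail, which is the check the first checkbox asks for. It assumes the build path and submodule path used in the issue.

```shell
# Added example, not pe-parse's own test code: run dump-pe over the Corkami
# dataset and list every PE it still fails to parse, so the known-failure list in
# tests/corkami_test.cpp can be checked against what the tool actually does.
# Assumes dump-pe is built at ./build/dump-pe/dump-pe and the submodule sits at
# tests/assets/corkami-poc-dataset (both paths as used in the issue).
DUMP_PE="${DUMP_PE:-./build/dump-pe/dump-pe}"
CORKAMI_DIR="${CORKAMI_DIR:-tests/assets/corkami-poc-dataset/PE/bin}"

# Turn dump-pe's two error lines, e.g.
#   Error: 3 (Invalid section)
#   Location: ParsePEFromBuffer:2394
# into "3|Invalid section|ParsePEFromBuffer:2394". Prints nothing if no error.
parse_dump_pe_error() {
  printf '%s\n' "$1" | awk '
    /^Error: /    { code = $2; sub(/^Error: [0-9]+ \(/, ""); sub(/\)$/, ""); msg = $0 }
    /^Location: / { loc = $2 }
    END { if (code != "") printf "%s|%s|%s\n", code, msg, loc }'
}

# Run dump-pe on one file; print "<name>|<code>|<message>|<location>" on failure.
check_one_pe() {
  out="$("$DUMP_PE" "$1" 2>&1)" || true   # a failing parse exits non-zero
  err="$(parse_dump_pe_error "$out")"
  [ -n "$err" ] && printf '%s|%s\n' "$(basename "$1")" "$err"
  return 0
}

# Walk the dataset; print one line per failing PE, return 1 if any failed.
check_corkami_dataset() {
  failures=0
  for f in "$CORKAMI_DIR"/*.exe "$CORKAMI_DIR"/*.dll; do
    [ -e "$f" ] || continue              # an unmatched glob stays literal; skip it
    line="$(check_one_pe "$f")"
    if [ -n "$line" ]; then
      printf '%s\n' "$line"
      failures=$((failures + 1))
    fi
  done
  [ "$failures" -eq 0 ]
}

# Only run the scan when dump-pe has actually been built.
if [ -x "$DUMP_PE" ]; then
  if check_corkami_dataset; then
    echo "All Corkami PEs parsed without error."
  else
    echo "Some Corkami PEs still fail; compare with the list in tests/corkami_test.cpp." >&2
    exit 1
  fi
fi
```

Each printed line names one PE that still needs investigating, in the same Error/Location form dump-pe prints, so the list can be diffed against the known-failure exceptions in the test.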