
java.lang.IndexOutOfBoundsException: Specified length extends beyond file bytes length

Open anon767 opened this issue 3 years ago • 3 comments

Describe the bug

Receiving an Index out of bounds exception with a sample from the sorel virus dataset. Reminds me of this

To Reproduce

Steps to reproduce the behavior:

  1. Download (disarmed) PE file https://www.file-upload.net/download-15032079/000bc8ba3745a8b9e44d3d988452049d53cec7fc8fb94b35c22257255b1fd8e0.html
  2. Apply headless analyzer
analyzeHeadless . project -readOnly -import 000bc8ba3745a8b9e44d3d988452049d53cec7fc8fb94b35c22257255b1fd8e0  -processor x86:LE:32:default

Expected behavior

Successful Analysis

Screenshots

Stacktrace of the crash

ERROR REPORT: Specified length extends beyond file bytes length (HeadlessAnalyzer) java.lang.IndexOutOfBoundsException: Specified length extends beyond file bytes length
	at ghidra.program.database.mem.MemoryMapDB.checkFileBytesRange(MemoryMapDB.java:685)
	at ghidra.program.database.mem.MemoryMapDB.createInitializedBlock(MemoryMapDB.java:648)
	at ghidra.app.util.MemoryBlockUtils.createInitializedBlock(MemoryBlockUtils.java:227)
	at ghidra.app.util.opinion.PeLoader.processMemoryBlocks(PeLoader.java:766)
	at ghidra.app.util.opinion.PeLoader.load(PeLoader.java:124)
	at ghidra.app.util.opinion.AbstractLibrarySupportLoader.doLoad(AbstractLibrarySupportLoader.java:347)
	at ghidra.app.util.opinion.AbstractLibrarySupportLoader.loadProgram(AbstractLibrarySupportLoader.java:83)
	at ghidra.app.util.opinion.AbstractProgramLoader.load(AbstractProgramLoader.java:113)
	at ghidra.app.util.importer.AutoImporter.importFresh(AutoImporter.java:198)
	at ghidra.app.util.importer.AutoImporter.importFresh(AutoImporter.java:156)
	at ghidra.app.util.importer.AutoImporter.importByLookingForLcs(AutoImporter.java:91)
	at ghidra.app.util.headless.HeadlessAnalyzer.loadProgram(HeadlessAnalyzer.java:1645)
	at ghidra.app.util.headless.HeadlessAnalyzer.processFileWithImport(HeadlessAnalyzer.java:1523)
	at ghidra.app.util.headless.HeadlessAnalyzer.processWithImport(HeadlessAnalyzer.java:1689)
	at ghidra.app.util.headless.HeadlessAnalyzer.processWithImport(HeadlessAnalyzer.java:1754)
	at ghidra.app.util.headless.HeadlessAnalyzer.processLocal(HeadlessAnalyzer.java:445)
	at ghidra.app.util.headless.AnalyzeHeadless.launch(AnalyzeHeadless.java:121)
	at ghidra.GhidraLauncher.launch(GhidraLauncher.java:59)
	at ghidra.Ghidra.main(Ghidra.java:47)

java.lang.IndexOutOfBoundsException: Specified length extends beyond file bytes length
	at ghidra.program.database.mem.MemoryMapDB.checkFileBytesRange(MemoryMapDB.java:685)
	at ghidra.program.database.mem.MemoryMapDB.createInitializedBlock(MemoryMapDB.java:648)
	at ghidra.app.util.MemoryBlockUtils.createInitializedBlock(MemoryBlockUtils.java:227)
	at ghidra.app.util.opinion.PeLoader.processMemoryBlocks(PeLoader.java:766)
	at ghidra.app.util.opinion.PeLoader.load(PeLoader.java:124)
	at ghidra.app.util.opinion.AbstractLibrarySupportLoader.doLoad(AbstractLibrarySupportLoader.java:347)
	at ghidra.app.util.opinion.AbstractLibrarySupportLoader.loadProgram(AbstractLibrarySupportLoader.java:83)
	at ghidra.app.util.opinion.AbstractProgramLoader.load(AbstractProgramLoader.java:113)
	at ghidra.app.util.importer.AutoImporter.importFresh(AutoImporter.java:198)
	at ghidra.app.util.importer.AutoImporter.importFresh(AutoImporter.java:156)
	at ghidra.app.util.importer.AutoImporter.importByLookingForLcs(AutoImporter.java:91)
	at ghidra.app.util.headless.HeadlessAnalyzer.loadProgram(HeadlessAnalyzer.java:1645)
	at ghidra.app.util.headless.HeadlessAnalyzer.processFileWithImport(HeadlessAnalyzer.java:1523)
	at ghidra.app.util.headless.HeadlessAnalyzer.processWithImport(HeadlessAnalyzer.java:1689)
	at ghidra.app.util.headless.HeadlessAnalyzer.processWithImport(HeadlessAnalyzer.java:1754)
	at ghidra.app.util.headless.HeadlessAnalyzer.processLocal(HeadlessAnalyzer.java:445)
	at ghidra.app.util.headless.AnalyzeHeadless.launch(AnalyzeHeadless.java:121)
	at ghidra.GhidraLauncher.launch(GhidraLauncher.java:59)
	at ghidra.Ghidra.main(Ghidra.java:47)

Environment (please complete the following information):

  • Mac OS X latest and Linux 4.19.0-20-amd64 SMP Debian 4.19.235-1 (2022-03-17) x86_64 GNU/Linux
  • openjdk version "17.0.2" 2022-01-18
  • Ghidra Version: latest
  • Ghidra Origin: official GitHub distro latest Release

anon767, Nov 01 '22 15:11

I have fixed a few corner case checks in Ghidra that now enable this binary to load, but I am confused about the entry point. It is in the final section whose PointerToRawData clearly is past the end of the file. I suppose we could make an uninitialized block in that case, but at least to me, that raises the question of how to detect a corrupted file vs handling malware doing crazy/undocumented things.

Do you know anything about what's going on with the entry point in this sample?

ryanmkurtz, Nov 02 '22 07:11
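
An added example (not Ghidra's code and not written by the issue participants): a small Python triage that flags PE sections whose PointerToRawData and SizeOfRawData fall outside the file, and notes which section holds the entry point. The sample image and the names `audit_sections` and `build_sample` are constructed for illustration; raw header values are used as-is, without any loader alignment rounding.

```python
import struct

def audit_sections(data: bytes) -> list:
    """For each PE section, say whether its raw data lies inside the file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)             # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)    # SizeOfOptionalHeader
    opt_off = pe_off + 24
    (entry_rva,) = struct.unpack_from("<I", data, opt_off + 16)  # AddressOfEntryPoint
    report = []
    for i in range(n_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8s4I", data, opt_off + opt_size + 40 * i)
        if raw_size == 0:
            status = "no file bytes"      # legitimately uninitialized (.bss style)
        elif raw_ptr >= len(data):
            status = "starts past EOF"    # the case discussed in the thread
        elif raw_ptr + raw_size > len(data):
            status = "truncated"
        else:
            status = "ok"
        span = max(vsize, raw_size)
        report.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_ptr": raw_ptr, "raw_size": raw_size, "status": status,
            "has_entry": vaddr <= entry_rva < vaddr + span,
        })
    return report

def build_sample() -> bytes:
    """Constructed two-section PE32 image; .last points past the end of file."""
    def sec(name, vsize, vaddr, raw_size, raw_ptr):
        return struct.pack("<8s4I12xI", name, vsize, vaddr, raw_size, raw_ptr, 0xE0000020)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)               # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H14xI", 0x10B, 0x2000).ljust(224, b"\0")   # entry RVA 0x2000
    hdr = (dos + b"PE\0\0" + coff + opt
           + sec(b".text", 0x200, 0x1000, 0x200, 0x200)
           + sec(b".last", 0x1000, 0x2000, 0x200, 0x10000))
    return hdr.ljust(0x200, b"\0") + b"\xCC" * 0x200

if __name__ == "__main__":
    for row in audit_sections(build_sample()):
        print(row)
```

Run over a corpus, the `status` and `has_entry` fields together separate samples whose entry point sits in a section with no backing file bytes from those that are merely cut short.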

> Do you know anything about what's going on with the entry point in this sample?

Unfortunately not, but it seems like this phenomenon occurs in about 2% of the malware dataset.

anon767, Nov 02 '22 08:11

Ok. I'll see what I can do about getting it to at least load.

ryanmkurtz, Nov 02 '22 09:11

This should load now.

ryanmkurtz, Nov 15 '22 07:11