yara Both AddressOfRawData and PointerToRawData can be present in IMAGE_DEBUG

Both AddressOfRawData and PointerToRawData can be present in IMAGE_DEBUG_DIRECTORY

Open ladislav-zezula opened this issue 3 years ago • 1 comments

Sample: 735f72b3fcd72789f01e923c9de2a9ab5b5ffbece23633da81d976ad0ad159e3 This sample has debug info present (IMAGE_DEBUG_DIRECTORY):

  00 00 00 00  ....        (00000000) - Characteristics
  BA 03 C8 57  ...W        (57C803BA) - TimeDateStamp (2016-09-01 12-32-26)
  00 00        ..          (    0000) - MajorVersion
  00 00        ..          (    0000) - MinorVersion
  02 00 00 00  ....        (00000002) - Type
  89 00 00 00  ....        (00000089) - SizeOfData
  A0 25 1A 00  .%..        (001A25A0) - AddressOfRawData
  A0 25 1A 00  .%..        (001A25A0) - PointerToRawData

Both AddressOfRawData and PointerToRawData are present, but only PointerToRawData is correct. Yara should be able to use one of them, whichever one is correct.

Aug 25 '21 09:08 ladislav-zezula

Pull request: https://github.com/VirusTotal/yara/pull/1551

Aug 25 '21 09:08 ladislav-zezula

yara yara copied to clipboard

Both AddressOfRawData and PointerToRawData can be present in IMAGE_DEBUG_DIRECTORY

yara
yara copied to clipboard