
Fix `pe_rva_to_offset`

Open xbabka01 opened this issue 3 years ago • 2 comments

  • Fix: checking if RVA is inside section
  • Fix: real pointer to raw data is aligned down to sector size

xbabka01 avatar Sep 01 '21 13:09 xbabka01
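To make the two fixes in this PR concrete, here is an added, self-contained RVA-to-offset routine in the spirit of `pe_rva_to_offset`. It is example code written for this page, not YARA's implementation: the `section_t`/`pe_info_t` structures, the `SAMPLE_*` layouts, and the `PAGE_SIZE`/`SECTOR_SIZE` constants are all constructed for illustration. It checks that the RVA actually lies inside a section, rounds `PointerToRawData` down to a 512-byte sector, and treats a section alignment below a page as a 1:1 file mapping, as the Alignment_40 samples later in the thread describe.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Only the section-header fields the translation needs; a stand-in for
 * IMAGE_SECTION_HEADER, not YARA's own PE structures. */
typedef struct {
    uint32_t virtual_size;
    uint32_t virtual_address;
    uint32_t size_of_raw_data;
    uint32_t pointer_to_raw_data;
} section_t;

typedef struct {
    uint32_t section_alignment;  /* OptionalHeader.SectionAlignment */
    uint32_t size_of_headers;    /* OptionalHeader.SizeOfHeaders */
    uint64_t file_size;          /* bytes actually present on disk */
    const section_t *sections;
    size_t num_sections;
} pe_info_t;

/* Assumed constants: x86 page size, and the 512-byte sector the loader
 * rounds PointerToRawData down to. */
#define PAGE_SIZE   0x1000u
#define SECTOR_SIZE 0x200u

static uint64_t align_down(uint64_t x, uint64_t a) { return x & ~(a - 1); }
static uint32_t max_u32(uint32_t a, uint32_t b) { return a > b ? a : b; }

/* Translate an RVA to a file offset; -1 if no byte on disk backs it. */
int64_t rva_to_offset(const pe_info_t *pe, uint64_t rva)
{
    /* Section alignment below a page: Windows creates no per-section
     * mapping and maps the file 1:1, so RVA == file offset. */
    if (pe->section_alignment < PAGE_SIZE)
        return rva < pe->file_size ? (int64_t) rva : -1;

    /* Headers are mapped straight from offset 0. */
    if (rva < pe->size_of_headers)
        return rva < pe->file_size ? (int64_t) rva : -1;

    for (size_t i = 0; i < pe->num_sections; i++) {
        const section_t *s = &pe->sections[i];
        /* Fix 1: the RVA must fall inside this section's mapped extent,
         * which is the larger of VirtualSize and SizeOfRawData. */
        uint64_t extent = max_u32(s->virtual_size, s->size_of_raw_data);
        if (rva < s->virtual_address ||
            rva >= (uint64_t) s->virtual_address + extent)
            continue;

        /* Beyond SizeOfRawData the loader zero-fills: nothing on disk. */
        uint64_t delta = rva - s->virtual_address;
        if (delta >= s->size_of_raw_data)
            return -1;

        /* Fix 2: the loader drops the low bits of PointerToRawData, so the
         * raw data really starts at the sector boundary below it. An
         * unaligned value under 0x200 therefore means "starts at offset 0". */
        uint64_t raw = align_down(s->pointer_to_raw_data, SECTOR_SIZE);
        uint64_t off = raw + delta;
        return off < pe->file_size ? (int64_t) off : -1;
    }
    return -1;  /* RVA lies in a gap between sections or past the last one */
}

/* Constructed sample layouts (not real files). */

/* Standard EXE: 0x400 bytes of headers, sections on 0x200 boundaries. */
static const section_t STANDARD_SECTIONS[] = {
    { 0x0800, 0x1000, 0x0800, 0x0400 },  /* .text */
    { 0x1000, 0x2000, 0x0200, 0x0C00 },  /* .data: last 0xE00 bytes zero-filled */
};
const pe_info_t SAMPLE_STANDARD = { 0x1000, 0x400, 0x2000, STANDARD_SECTIONS, 2 };

/* Section[0] with PointerToRawData not aligned to 0x200, as in the NSPACK sample. */
static const section_t UNALIGNED_SECTIONS[] = {
    { 0x1000, 0x1000, 0x1000, 0x01F0 },
};
const pe_info_t SAMPLE_UNALIGNED = { 0x1000, 0x200, 0x1800, UNALIGNED_SECTIONS, 1 };

/* Section alignment 0x40: the file is mapped 1:1, the section table is irrelevant. */
const pe_info_t SAMPLE_ALIGN_40 = { 0x40, 0x200, 0x1000, NULL, 0 };

int main(void)
{
    printf("standard  0x1010 -> 0x%llx\n", (long long) rva_to_offset(&SAMPLE_STANDARD, 0x1010));
    printf("standard  0x2500 -> %lld\n",   (long long) rva_to_offset(&SAMPLE_STANDARD, 0x2500));
    printf("unaligned 0x1010 -> 0x%llx\n", (long long) rva_to_offset(&SAMPLE_UNALIGNED, 0x1010));
    printf("align40   0x03C0 -> 0x%llx\n", (long long) rva_to_offset(&SAMPLE_ALIGN_40, 0x3C0));
    return 0;
}
```

The `SAMPLE_STANDARD` case with RVA `0x900` (past the headers but below the first section) is the one the first fix catches: without the in-section check it would silently resolve to an offset inside the headers. The `SAMPLE_UNALIGNED` case is the second fix: `PointerToRawData = 0x1F0` maps to file offset `0`, so RVA `0x1010` lands at `0x10`, not `0x200`.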

Would you be able to share an example file or two that triggers this bug? I'd love to see these!

Also, is it possible to include a test case for these? This is something which is rather fragile to maintain without test cases.

wxsBSD avatar Sep 01 '21 14:09 wxsBSD

Would you be able to share an example file or two that triggers this bug? I'd love to see these!

I uploaded the following files to VirusTotal:

354d5b4169147e2f395f5da59f080629bdd9d1c7f661797d7db09b0534642b78
337208e7c2890129f285744b22ba39e63ec6a352e323d405bf051e226db9269e
92f9b1bd7d5be60c87aa8f578372890c2fec8d5b3ac37ac76ed76c2cd3acbf0b
c6e1fa68823b865dd19903c39559eacec3bd102f6ffdc2c04e5d9fab214fdae2
0b0447fc100b37ad1623b7718ba969ac82aa8cfa2dc250c01708544f69e376d1
3176345470f709a31272a0944e7ce26c039861471b5168b6846180445b54b4b3
07804d19de6536106fe5b82c84fb981fd2bc69a8f0cb34ed68b896a88cb3c5f7
ebb6553919d00c510da87277ead5e4cd5a588ee11b34bd82f38215b6ad5da1d2
e41b97274be7d0a2173d8cb66bf6f2d1bb9943e05e514eacc0645ca8d9b5e6ec
c65042ed700a456d088458c88c282a67414e6f74378dc93761010a02c183af37
2a5174547676d8adc78e5ebf7b8d1b0726d43eaa07d8ec827ccf7281e64796ab
c6f9709feccf42f2d9e22057182fe185f177fb9daaa2649b4669a24f2ee7e3ba
9283767313b9cc8e903e87be94b607b733d0db9224d8422aeab9dfa003321d87
cd40ddaf852adbaecb69c4c403c8ec30b10e75bf1583582e9379b34e98f37f37

Moreover, I prepared a few legal files for you that also triggered the bug. They are all legit (built with special linker flags) and will run on Windows 10:

* Win32\FileTest.exe
* x64\FileTest.exe
  - “Standard” EXE, no anomalies
* Win32\FileTest_Alignment_40.exe
* x64\FileTest_Alignment_40.exe
  - Section alignment 0x40, Windows doesn’t create sections and maps them 1:1 with RWX
* Win32\FileTest_Section1_Starts_at_header.exe
  - Section[0] has PointerToRawData not aligned to 0x200, so it begins at offset 0
  - Packed with the NSPACK packer

Samples_YARA_1561.zip

Please let me know if you need more samples or want me to explain something.

ladislav-zezula avatar Sep 02 '21 06:09 ladislav-zezula

I included this in a collection of other open PRs and it was merged in along with a test case for it. This can be closed, thanks for the fix!

wxsBSD avatar Dec 15 '22 13:12 wxsBSD