pefile Improve PE size / overlay start calculations

Improve PE size / overlay start calculations

Open recvfrom opened this issue 6 years ago • 2 comments

Implements fixes for #253

Make it so that the following are handled better:

EXEs with Authenticode signatures
EXEs with a COFF symbol table / string table
EXEs with section headers but no data after

I can contribute tests and/or test binaries too - what's the preferred way of doing this, given that the test data appears encrypted?

Feb 18 '19 03:02 recvfrom

Hi, If the test binaries are in VirusTotal, just give me the hashes and I'll get them from there. Otherwise you can send the binaries directly to me and I'll bundle them into the tests.

Apr 14 '19 13:04 erocarrera

Here are two examples for each case:

EXEs with Authenticode signatures

00048c246c8db3c309b759631057f1a5704296803a2ba23e0d9530d14986a130
001a26ff51bf6babf6325983f512cf8d84cadee1ca36f166a41702d94c1b0841

EXEs with a COFF symbol table / string table

01794f55fab26842c12e2a67fc218ad9c1a9201ccf0bf2fbd9f5815d6f20182f
03d896e59d78d4338cae141ea52447190fe9ebd6362acd16d4cd2954039ed5d7

EXEs with section headers but no data after

76c13fe37652df8ce2fde315b6eae4d2e0ec7f9424b4a0d6fc661354a7679da0
39d41e1814a82488f14acfb06e96920ca5a633dc90acb31b21ab98b3cebdef5b

Apr 15 '19 04:04 recvfrom

pefile pefile copied to clipboard

Improve PE size / overlay start calculations

pefile
pefile copied to clipboard