ergo-pe-av icon indicating copy to clipboard operation
ergo-pe-av copied to clipboard

Published 20 hours ago • verified publisher icon evilsocket

Entrypoint offset is wrong

Open Tigzy opened this issue 5 years ago • 1 comments

Hello, I've spotted an issue in encode_pe function:

try:
        ep_offset = pe.entrypoint - pe.optional_header.imagebase
        ep_bytes  = [int(b) for b in raw[ep_offset:ep_offset+64]]
    except Exception as e:
        log.warning("can't get entrypoint bytes from %s: %s", filepath, e)

The ep_offset is actually an RVA, it needs an extra step to get the offset in file as explained below: https://stackoverflow.com/questions/33724306/calculating-the-file-offset-of-a-entry-point-in-a-pe-file

Tigzy avatar Jun 06 '19 09:06 Tigzy

Replacing with this code seems to fix it.

try:
        ep_rva = pe.entrypoint - pe.optional_header.imagebase
        ep_bytes  = pe.get_content_from_virtual_address(ep_rva, 64)
    except Exception as e:
        log.warning("can't get entrypoint bytes from %s: %s", filepath, e)

Tigzy avatar Jun 06 '19 09:06 Tigzy