
Section data view disregards FileAlignment

Open. eternaleclipse opened this issue 1 year ago.

When displaying section data, PE-Bear uses IMAGE_SECTION_HEADER.PointerToRawData to find the section data in the file. In reality, when Windows loads the file, if the section file offset is not aligned to IMAGE_OPTIONAL_HEADER.FileAlignment, it will be rounded up to the next aligned address and loaded there. A malicious binary can use this inconsistency to display incorrect section data.

Btw, CFF Explorer falls for this too. IDA Pro displays a warning that it has detected a section that is not aligned and refuses to handle the section header.

Screenshot demonstrating the difference in section contents between section data in PE-Bear and what is actually loaded in memory (x64dbg): [screenshot: Screenshot 2022-10-22 024856]

EXE for reproduction: packed.zip

eternaleclipse avatar Oct 22 '22 00:10 eternaleclipse

btw version is PE-bear_0.6.1_x64_win_vs17 (latest)

eternaleclipse avatar Oct 22 '22 00:10 eternaleclipse

hi @eternaleclipse ! thanks for reporting. you are right. it's gonna be fixed in the new release.

hasherezade avatar Oct 24 '22 13:10 hasherezade

@eternaleclipse - I fixed it, would you like to test the new version pre-release? you can download the builds from AppVeyor server, as described in the README. I will appreciate your feedback.

This is how it looks - the mapped Raw Offset is used for displaying the section:

[screenshot: view1]

The original Raw Offset is shown in the Section Headers view, with an annotation that it is different from the mapped one:

[screenshot: view2]

hasherezade avatar Feb 13 '23 15:02 hasherezade

Having automatic builds from git is so convenient! I'm checking it out now.

eternaleclipse avatar Feb 16 '23 00:02 eternaleclipse

Looks great! It shows the correct mapped offset now for the code section.

A few suggestions:

  • Adding an additional warning during loading, if the IMAGE_SECTION_HEADER.PointerToRawData is misaligned.
  • Changing the names to something more indicative, like "Raw Offset (file)", "Mapped offset (file)", "Virtual address (mem)".
  • The current build fixes Section headers and Code views. I haven't tested, but I suspect the bug will resurface in any section type that contains pointers (imports, exports, relocations, etc). There might be some fixing required with the "Follow raw" behaviour to point to the actual location of the structure as it is mapped in memory after alignment.

eternaleclipse avatar Feb 16 '23 01:02 eternaleclipse

@eternaleclipse - I appreciate you taking time for testing, and thanks for your feedback!

Addressing your suggestions:

  1. I have mixed feelings about showing popups during the load, unless it is a critical error. Some people just find them annoying. But I agree with you that the fact that sections are misaligned should be more highlighted, so this is what I did:

[screenshot: added_info]

This tooltip contains various info about different PE malformations found. What do you think?

  2. Regarding the "Section Hdrs" tab - this is where I display the headers literally, as they are defined in the file, so I don't want to add additional fields here, as it may be misleading. I can only comment the existing fields better. I will think about how to make it more clear and visible for the user.
  3. I guess you mean the conversion of the addresses is going to be invalid, and still using the old raw addresses to map? This is not the case, as it already uses the mapped addresses.

Please have a look at this demo file (pass demo_demo):

The section containing imports has been misaligned:

[screenshot: misaligned_sec]

It corrupts how the imports are displayed in case of the old PE-bear version:

[screenshot: old_pebear]

However, the new version automatically compensates for the misalignment, and uses the offsets the way they are mapped, rather than their literal definitions:

[screenshot: new_pebear]

Does it answer your concerns about it? Please let me know your thoughts.

hasherezade avatar Feb 17 '23 15:02 hasherezade
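An added example, not code from PE-bear or bearparser, covering two points raised in this thread: the check the opening report asks for (warn when IMAGE_SECTION_HEADER.PointerToRawData is not a multiple of IMAGE_OPTIONAL_HEADER.FileAlignment, and show what a viewer that trusts the literal offset would display versus the bytes at the realigned offset) and the mapped-offset translation discussed above for pointer-bearing sections such as imports. It parses the headers with Python's struct module on a constructed, non-executable PE image. The rounding direction is a parameter: align_up follows the rule as the report describes it, and align_down is offered for comparison. The helper names, the sample layout and the byte patterns are assumptions made for the demo.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40


def align_down(value, alignment):
    return value - (value % alignment)


def align_up(value, alignment):
    return align_down(value + alignment - 1, alignment)


def parse_pe_sections(data):
    """Read FileAlignment and the section headers exactly as stored in the file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    optional = coff + 20
    # FileAlignment is at offset 36 of the optional header for both PE32 and PE32+
    file_alignment = struct.unpack_from("<I", data, optional + 36)[0]
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HEADER_FMT, data,
                               optional + size_of_optional + i * SECTION_HEADER_SIZE)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": f[1], "virtual_address": f[2],
                         "size_of_raw_data": f[3], "pointer_to_raw_data": f[4]})
    return file_alignment, sections


def audit_section_alignment(data, preview=8):
    """Flag sections whose PointerToRawData is not a multiple of FileAlignment and
    put the bytes at the literal offset next to the bytes at the nearest aligned
    offsets, so the analyst sees whether a literal-offset view would mislead."""
    file_alignment, sections = parse_pe_sections(data)
    report = []
    for s in sections:
        ptr = s["pointer_to_raw_data"]
        offsets = {"literal": ptr}
        misaligned = ptr % file_alignment != 0
        if misaligned:
            offsets["round_down"] = align_down(ptr, file_alignment)
            offsets["round_up"] = align_up(ptr, file_alignment)
        previews = {k: bytes(data[off:off + preview]) for k, off in offsets.items()}
        report.append({"name": s["name"], "misaligned": misaligned, "offsets": offsets,
                       "previews": previews,
                       "view_differs": any(p != previews["literal"] for p in previews.values())})
    return report


def rva_to_file_offset(data, rva, realign=align_up):
    """Translate an RVA (e.g. an import table pointer) to a file offset using the
    section's realigned raw offset rather than its literal PointerToRawData.
    The rounding policy is a parameter (assumption: align_up as the report describes)."""
    file_alignment, sections = parse_pe_sections(data)
    for s in sections:
        start = s["virtual_address"]
        if start <= rva < start + max(s["virtual_size"], s["size_of_raw_data"]):
            base = realign(s["pointer_to_raw_data"], file_alignment)
            return base + (rva - start)
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def build_sample_pe():
    """Constructed, non-executable PE image: an aligned .text section and a .data
    section whose PointerToRawData (0x4F0) is not a multiple of FileAlignment (0x200).
    Distinct byte patterns mark the bytes each interpretation of the offset would show."""
    img = bytearray(0x800)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                       # e_lfanew
    pe = 0x80
    img[pe:pe + 4] = b"PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)                        # PE32 magic
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)          # SectionAlignment, FileAlignment
    hdr = opt + 0xE0
    struct.pack_into(SECTION_HEADER_FMT, img, hdr,
                     b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_HEADER_FMT, img, hdr + SECTION_HEADER_SIZE,
                     b".data", 0x100, 0x2000, 0x100, 0x4F0, 0, 0, 0, 0, 0xC0000040)
    img[0x200:0x400] = b"T" * 0x200   # .text bytes
    img[0x400:0x4F0] = b"A" * 0xF0    # bytes a round-down interpretation maps for .data
    img[0x4F0:0x5F0] = b"B" * 0x100   # bytes a viewer trusting PointerToRawData shows
    img[0x600:0x700] = b"C" * 0x100   # bytes a round-up interpretation maps for .data
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_pe()
    for entry in audit_section_alignment(sample):
        flag = "MISALIGNED" if entry["misaligned"] else "ok"
        print(entry["name"], flag, {k: hex(v) for k, v in entry["offsets"].items()},
              entry["previews"])
    print(hex(rva_to_file_offset(sample, 0x2010)))
```

On the constructed image the audit reports .text as aligned and .data as misaligned with three distinct previews (literal 0x4F0, round-down 0x400, round-up 0x600), which is exactly the situation in which a viewer that follows the literal PointerToRawData shows different bytes from what is mapped. Resolving an RVA inside .data through rva_to_file_offset lands in the realigned region, which is the behaviour the new PE-bear release is described as having for import pointers; swapping realign for align_down lets the reader compare the other rounding rule against a real debugger on a genuine sample.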

About the misaligned section warning - I do understand your dislike of the message box interfering with the flow of the application. A more subtle visible cue is also good. I think it's better to have something that is clearly visible at all times, for example at the status bar "File: C:\bad.exe (WARNING: Malformed PE, contains misaligned sections)". That's just my preference though, I don't think there is a particularly correct way to handle it - it's a design decision.

About the pointer resolving fix - Previously, I didn't realize it applies to different pointers in all section types. I've just tested it with the misaligned imports binary you sent and it works great!

Cheers 🍻

eternaleclipse avatar Feb 18 '23 01:02 eternaleclipse

Thank you! BTW, after trying various options, I settled on the MessageBox after all.

hasherezade avatar Feb 19 '23 14:02 hasherezade

available in the latest release:

  • https://github.com/hasherezade/pe-bear/releases/tag/v0.6.5

hasherezade avatar Feb 24 '23 18:02 hasherezade