Hey folks,
I ran into some issues parsing the EAT of some files with pefile 1.2.10_89.
$ python
Python 2.6.5 (r265:79063, Apr 16 2010, 13:09:56)
[GCC 4.4.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pefile
>>> pe = pefile.PE("driver.804d7000.sys")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.6/dist-packages/pefile-1.2.10_89-py2.6.egg/pefile.py", line 1631, in __init__
    self.__parse__(name, data, fast_load)
  File "/usr/local/lib/python2.6/dist-packages/pefile-1.2.10_89-py2.6.egg/pefile.py", line 1921, in __parse__
    self.parse_data_directories()
  File "/usr/local/lib/python2.6/dist-packages/pefile-1.2.10_89-py2.6.egg/pefile.py", line 2234, in parse_data_directories
    value = entry[1](dir_entry.VirtualAddress, dir_entry.Size)
  File "/usr/local/lib/python2.6/dist-packages/pefile-1.2.10_89-py2.6.egg/pefile.py", line 3131, in parse_export_directory
    name_offset = self.get_offset_from_rva( symbol_name_address ),
  File "/usr/local/lib/python2.6/dist-packages/pefile-1.2.10_89-py2.6.egg/pefile.py", line 3618, in get_offset_from_rva
    raise PEFormatError, 'data at RVA can\'t be fetched. Corrupt header?'
pefile.PEFormatError: "data at RVA can't be fetched. Corrupt header?"
I can parse the EAT of the same file just fine with pefile 1.2.10-85.
$ python
Python 2.6.5 (r265:79063, Apr 16 2010, 13:09:56)
[GCC 4.4.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pefile
>>> pe = pefile.PE("driver.804d7000.sys")
>>> for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
...     print exp
...
<pefile.ExportData instance at 0xb70cb1ec>
<pefile.ExportData instance at 0xb70cb20c>
<pefile.ExportData instance at 0xb70cb24c>
[...]
I attached the file for your testing. It's a dumped copy of the nt module from
an XPSP3 memory dump. So since it was dumped from memory, it makes sense that
some fields may be corrupt, but the EAT should be fine since 1.2.10-85 and
other tools like CFF Explorer can parse it without issues.
Original issue reported on code.google.com by michael.hale@gmail.com on 8 Dec 2010 at 10:18
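
Added example, not part of the original report and not pefile's code: a standard-library (Python 3) walk of an export directory that records an unreadable name RVA and moves on instead of aborting the whole parse, which is the behaviour wanted for memory-dumped modules. It assumes the image is laid out by RVA (file offset equals RVA, as in a memory dump); `walk_exports`, `read_cstr`, `build_sample` and the sample image are constructed for illustration, and the example does not claim to identify the cause of the regression reported above.

```python
import struct

EXPORT_DIR = struct.Struct("<IIHHIIIIIII")  # IMAGE_EXPORT_DIRECTORY (40 bytes)

def read_cstr(image, rva, limit=256):
    """NUL-terminated ASCII string at rva, or None if it cannot be fetched."""
    if not 0 <= rva < len(image):
        return None
    end = image.find(b"\x00", rva, rva + limit)
    return None if end == -1 else image[rva:end].decode("ascii", "replace")

def walk_exports(image, dir_rva):
    """Return (exports, skipped) for an image laid out by RVA (memory dump).

    exports: [(ordinal, func_rva, name)]; skipped: [(name_index, reason)].
    A bad entry is recorded and skipped instead of aborting the whole parse.
    """
    (_, _, _, _, _, base, _n_funcs, n_names,
     funcs_rva, names_rva, ords_rva) = EXPORT_DIR.unpack_from(image, dir_rva)
    n_names = min(n_names, len(image) // 4)  # bound a corrupt count
    exports, skipped = [], []
    for i in range(n_names):
        try:
            (name_rva,) = struct.unpack_from("<I", image, names_rva + 4 * i)
            (idx,) = struct.unpack_from("<H", image, ords_rva + 2 * i)
            (func_rva,) = struct.unpack_from("<I", image, funcs_rva + 4 * idx)
        except struct.error:
            skipped.append((i, "table entry out of bounds"))
            continue
        name = read_cstr(image, name_rva)
        if name is None:
            skipped.append((i, "name RVA 0x%x unreadable" % name_rva))
            continue
        exports.append((base + idx, func_rva, name))
    return exports, skipped

def build_sample():
    """Constructed 512-byte image: three named exports, second name RVA is bad."""
    img = bytearray(0x200)
    for rva, s in ((0xC0, b"ExAllocatePool"), (0xD0, b"ExFreePool")):
        img[rva:rva + len(s)] = s
    struct.pack_into("<3I", img, 0x80, 0x1000, 0x2000, 0x3000)   # functions
    struct.pack_into("<3I", img, 0x90, 0xC0, 0xDEAD0000, 0xD0)   # name RVAs
    struct.pack_into("<3H", img, 0xA0, 0, 1, 2)                  # name ordinals
    EXPORT_DIR.pack_into(img, 0x40, 0, 0, 0, 0, 0, 1, 3, 3, 0x80, 0x90, 0xA0)
    return bytes(img)

if __name__ == "__main__":
    print(walk_exports(build_sample(), 0x40))
```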