JusticeRage / Manalyze

A static analyzer for PE executables.
GNU General Public License v3.0

Infinite loop when parsing resources #31

Closed bennw closed 6 years ago

bennw commented 6 years ago

manalyze_infloop.zip

CAUTION: malware attached

The file in the attached zip gives an infinite loop when parsing resources, spamming the following error messages:

[*] Warning: The PE contains duplicate resources. It was almost certainly crafted manually.
[*] Warning: Could not locate the section containing resource 65280. Trying to use the RVA as an offset...
[*] Warning: Resource 65280 has a size of 0!

Seems to be related to size 0 resources.

JusticeRage commented 6 years ago

Hi! Thanks a lot for the report! I'm a little busy at the moment but I'll look into this file ASAP!

JusticeRage commented 6 years ago

I've started looking into this issue. I can confirm that it takes place during the parsing of the resources, but at the moment I'm not sure that there is indeed an infinite loop taking place. It could be that parsing so many resources and printing out all the warnings takes a very long time. Either way, something needs to be done about it!

bennw commented 6 years ago

Thanks for looking into it! If it helps, at some point during the parsing, the resource number goes to 0:

[*] Warning: The PE contains duplicate resources. It was almost certainly crafted manually.
[*] Warning: Could not locate the section containing resource . Trying to use the RVA as an offset...
[*] Warning: Resource 0 has a size of 0!

I've been running the parser; as of now, the printed warnings are 107 GB in size (and counting!)

JusticeRage commented 6 years ago

Integer overflow on the number of resources? I'll be sure to keep that in mind. On my end, I've launched the parser with all messages disabled hoping that I'll be able to reach the end of the analysis!

JusticeRage commented 6 years ago

Okay, Manalyze has been running for weeks on your sample and still doesn't show any signs of stopping. I'm revising my initial judgement: you may have been right that the program somehow enters an infinite loop. I'll keep investigating this issue!
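A bounded walk of a PE resource directory tree, added here as an illustration of the guards a parser needs on input like this; it is not Manalyze's parser. The resource section bytes are constructed for the example (a root directory whose first entry points back at the root, plus a leaf with id 65280 whose data entry has Size 0), not taken from the attached sample; the visited set, depth limit, bounds checks and leaf cap are what make the walk terminate rather than loop or flood the log.

```python
import struct

DIR_HDR = struct.Struct("<IIHHHH")   # IMAGE_RESOURCE_DIRECTORY
DIR_ENTRY = struct.Struct("<II")     # IMAGE_RESOURCE_DIRECTORY_ENTRY
DATA_ENTRY = struct.Struct("<IIII")  # IMAGE_RESOURCE_DATA_ENTRY
SUBDIR_FLAG = 0x80000000             # high bit set: entry points to a subdirectory
MAX_DEPTH = 4                        # a well-formed tree is only three levels deep
MAX_RESOURCES = 0x10000              # hard cap on leaves, chosen for this example

def build_sample() -> bytes:
    """Constructed section: entry 0 loops back to the root, entry 1 is a size-0 leaf."""
    root = DIR_HDR.pack(0, 0, 0, 0, 0, 2)  # no named entries, two ID entries
    entries = DIR_ENTRY.pack(1, SUBDIR_FLAG | 0) + DIR_ENTRY.pack(65280, 32)
    data = DATA_ENTRY.pack(0x3000, 0, 0, 0)  # data entry at offset 32: RVA 0x3000, size 0
    return root + entries + data

def walk_resources(section: bytes, max_resources: int = MAX_RESOURCES):
    """Return (leaves, warnings); terminates on cyclic, truncated or huge trees."""
    leaves, warnings, visited = [], [], set()

    def walk_dir(off: int, depth: int) -> None:
        if off in visited:  # a directory reached twice means the tree has a cycle
            warnings.append(f"cycle: directory at offset {off} already visited")
            return
        if depth >= MAX_DEPTH or off + DIR_HDR.size > len(section):
            warnings.append(f"directory at offset {off} rejected (depth {depth})")
            return
        visited.add(off)
        *_, n_named, n_id = DIR_HDR.unpack_from(section, off)
        first = off + DIR_HDR.size
        if first + (n_named + n_id) * DIR_ENTRY.size > len(section):
            warnings.append(f"entry table at offset {first} is out of bounds")
            return
        for i in range(n_named + n_id):
            if len(leaves) >= max_resources:  # bound total work regardless of counts
                warnings.append("resource cap reached, stopping")
                return
            ident, target = DIR_ENTRY.unpack_from(section, first + i * DIR_ENTRY.size)
            if target & SUBDIR_FLAG:
                walk_dir(target & ~SUBDIR_FLAG, depth + 1)
            elif target + DATA_ENTRY.size > len(section):
                warnings.append(f"data entry of resource {ident} is out of bounds")
            else:
                rva, size, _codepage, _reserved = DATA_ENTRY.unpack_from(section, target)
                if size == 0:
                    warnings.append(f"resource {ident} has a size of 0")
                leaves.append((ident, rva, size))

    walk_dir(0, 0)
    return leaves, warnings
```

Each warning is emitted once per offending entry and the walk stops at the cap, so a crafted tree cannot turn the log into gigabytes of repeated messages.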