NationalSecurityAgency / ghidra

Ghidra is a software reverse engineering (SRE) framework
https://www.nsa.gov/ghidra
Apache License 2.0

Cannot Load Win PE Import Table #6571

Open cubictriangle opened 1 month ago

cubictriangle commented 1 month ago

Describe the bug: Ghidra cannot load the import table if the size value in the optional header is too big. But the Windows operating system does not use the size value in the optional header to decide the size of the import table. The import table is null-terminated; the OS will stop loading when it finds an all-0 import directory.

To Reproduce Steps to reproduce the behavior:

  1. Choose a Win PE executable file.
  2. Open the exe file using a hex editor (ImHex for example).
  3. Change the value of import table size in optional header to a very large number (0xFF FF FF FF for example).
  4. Save the change and close the file.
  5. Open Ghidra and create a new project.
  6. Import the exe file into Ghidra.
  7. Click on the imported file in Ghidra and click 'Yes' when Ghidra asks to analyze it.
  8. Wait.
  9. Click "Imports" in "Symbol Tree" and you will see nothing.
  10. If you check the IAT and CALL instructions which call those import functions, you would not see the function names.

Expected behavior: "Imports" in "Symbol Tree" should show imported libraries and functions. The IAT should show the library and function names. When calling an import function, CALL instructions should be followed by the library and function names.

Screenshots: This is what Ghidra should be: [image: should-be]

This is what it actually looks like: [image: actually-looks]

The only difference is the value of the import table size in the optional header. And this program can run just fine. [image: ninja-too-big-import-table-size]

Attachments None

Environment (please complete the following information):

Additional context None

ryanmkurtz commented 1 month ago

Do you know if this is a unique feature of just the Import Table Data Directory, or do other Data Directories ignore the size too?

cubictriangle commented 1 month ago

> Do you know if this is a unique feature of just the Import Table Data Directory, or do other Data Directories ignore the size too?

I am not really sure about that. The official PE Format document explicitly said that the Import Data Directory is null-terminated. Quote from the doc: "The last directory entry is empty (filled with null values), which indicates the end of the directory table." https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#the-idata-section I do not see it mention that other Data Directories have this feature. You can modify the size values for other Data Directories and see what happens. If the program runs fine, it means that the version of Windows you are using ignores the size.

I tested the Export Table Data Directory on Windows 10 by setting the size to 0 and 0xFF FF FF FF, and the program works fine. But when I modify the size of the IAT Data Directory, it fails.
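For reference, the null-terminated walk described in this thread, as an added example that is not part of the issue and is not Ghidra's loader code: it reads import descriptors until the all-zero entry, bounds the walk by the file length rather than the declared size, and reports a declared size that runs past the end of the file as a header anomaly. The function names and the sample image built by `build_sample` are constructed for illustration.

```python
import struct

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
DESC = struct.Struct("<5I")

def rva_to_off(secs, rva):
    for va, size, raw in secs:
        if va <= rva < va + size:
            return raw + rva - va
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def import_dlls(pe):
    """Return (dll_names, declared_size, declared_end_past_eof) for a PE32/PE32+ image."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                    # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H", pe, nt + 6)[0], struct.unpack_from("<H", pe, nt + 20)[0]
    opt = nt + 24
    dirs = opt + (96 if struct.unpack_from("<H", pe, opt)[0] == 0x10B else 112)
    imp_rva, declared = struct.unpack_from("<II", pe, dirs + 8)   # data directory entry 1 (import)
    secs = []
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8)
        secs.append((va, max(vsize, rsize), raw))
    off, names = rva_to_off(secs, imp_rva), []
    past_eof = off + declared > len(pe)                           # anomaly flag only, not a stop condition
    while off + DESC.size <= len(pe):                             # bounded by the file, not by `declared`
        d = DESC.unpack_from(pe, off)
        if not any(d):                                            # all-zero descriptor ends the table
            break
        n = rva_to_off(secs, d[3])
        names.append(pe[n:pe.index(b"\0", n)].decode("ascii", "replace"))
        off += DESC.size
    return names, declared, past_eof

def build_sample(declared_size):
    """Constructed PE32 skeleton (not a real binary): one section, two import descriptors."""
    pe = bytearray(0x400)
    pe[0:2], pe[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x40)                        # e_lfanew
    struct.pack_into("<H", pe, 0x46, 1)                           # NumberOfSections
    struct.pack_into("<HHH", pe, 0x54, 224, 0, 0x10B)             # SizeOfOptionalHeader, Characteristics, magic
    struct.pack_into("<II", pe, 0xC0, 0x1000, declared_size)      # import data directory: RVA, Size
    struct.pack_into("<4I", pe, 0x140, 0x200, 0x1000, 0x200, 0x200)  # section: vsize, va, rsize, raw
    DESC.pack_into(pe, 0x200, 0, 0, 0, 0x1040, 0x1080)
    DESC.pack_into(pe, 0x214, 0, 0, 0, 0x1050, 0x1090)
    pe[0x240:0x24C], pe[0x250:0x25A] = b"KERNEL32.dll", b"USER32.dll"
    return bytes(pe)
```

Calling `import_dlls(build_sample(0xFFFFFFFF))` and `import_dlls(build_sample(60))` returns the same two DLL names; only the third element of the result differs.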