Closed: AdrianIssott closed this issue 3 years ago
Thanks for writing that up. It's very helpful. I think I see what the problem is in the code. It's not reading the IMAGE_LOAD_CONFIG_DIRECTORY structure in the PE correctly based on the relative virtual address. So pointers to random bytes get parsed out, and that is causing the structure to give back garbage config directory sizes. I'm working on trying to get that read correctly, but it may be some time before I can figure it out.
Actually, I just fixed it. The problem was how the module was reading the file into memory. It should work now, but it may end up crashing if you're reading really large binaries.
Well, that was quick, thanks @egru!
I've just confirmed current master @ https://github.com/NetSPI/PESecurity/commit/7f89e0050a1469ecdd7d262a54201e2b2f18ed7e now reliably tells me SafeSEH is True for that binary.
BTW, it looks like an accidental duplication of code got added. See https://github.com/NetSPI/PESecurity/blob/master/Get-PESecurity.psm1#L529-L535. Looks like merging master in https://github.com/NetSPI/PESecurity/commit/7f89e0050a1469ecdd7d262a54201e2b2f18ed7e went a bit awry.
Here's an example of this using the attached adoberfp.zip.
It appears to happen for all 32-bit binaries where SafeSEH really is OK on my machine. This Adobe DLL is just the first one I tried that I could share.
Some details of my machine:
```
Dump of file C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\adoberfp.dll
File Type: DLL
Section contains the following load config:
Summary
```
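An added example (not PESecurity's own code) of the load-config read egru describes: mapping the data-directory RVA through the section table before reading IMAGE_LOAD_CONFIG_DIRECTORY32, beside the buggy read that uses the RVA as a file offset and so returns garbage. The sample PE32 is constructed inside the script, and treating SafeSEH as enabled whenever a non-zero SEHandlerTable is present is a simplification made here, not the module's logic.

```python
import struct

LOAD_CONFIG_DIR = 10   # index of IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG in the data directories
SEH_FIELDS_OFF = 0x40  # SEHandlerTable / SEHandlerCount offset inside IMAGE_LOAD_CONFIG_DIRECTORY32

def rva_to_offset(rva, sections):
    """Translate an RVA to a raw file offset via the section table (the step the bug skipped)."""
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def safeseh_status(data, translate_rva=True):
    """Parse the load config directory of a PE32 image; translate_rva=False reproduces the bug."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                   # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]               # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]          # SizeOfOptionalHeader
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        return {"pe32": False, "safeseh": False}                   # SafeSEH is a 32-bit-only feature
    cfg_rva, _ = struct.unpack_from("<II", data, opt + 96 + LOAD_CONFIG_DIR * 8)
    if cfg_rva == 0:
        return {"pe32": True, "load_config": False, "safeseh": False}
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8) for i in range(nsec)]
    off = rva_to_offset(cfg_rva, sections) if translate_rva else cfg_rva  # buggy path: RVA used as offset
    size = struct.unpack_from("<I", data, off)[0]                  # IMAGE_LOAD_CONFIG_DIRECTORY32.Size
    table, count = struct.unpack_from("<II", data, off + SEH_FIELDS_OFF)
    return {"pe32": True, "load_config": True, "size": size, "seh_table": table, "seh_count": count,
            # assumption of this example: SafeSEH counted as enabled when a handler table is registered
            "safeseh": size >= SEH_FIELDS_OFF + 8 and table != 0}

def build_sample_pe32(seh_table=0x1080, seh_count=2):
    """Constructed minimal PE32 (one .rdata section holding a load config directory); not a real binary."""
    img = bytearray(0x1200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                        # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # COFF header, 1 section
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                        # PE32 magic
    struct.pack_into("<II", img, opt + 96 + LOAD_CONFIG_DIR * 8, 0x1010, 0x48)  # load config RVA, size
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".rdata", 0x100, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", img, 0x210, 0x48)                       # RVA 0x1010 -> file offset 0x210
    struct.pack_into("<II", img, 0x210 + SEH_FIELDS_OFF, seh_table, seh_count)
    return bytes(img)

if __name__ == "__main__":
    print(safeseh_status(build_sample_pe32()))                       # correct read: safeseh True
    print(safeseh_status(build_sample_pe32(), translate_rva=False))  # buggy read: size 0, safeseh False
```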