Open d3v1l401 opened 3 years ago
I’ll take a look at this tonight.
I can't replicate this crash on MacOS with latest master, nor on Windows with 4.0.2.
The fact that some of the values in the struct are 0xfdfdfdfd is interesting (although possibly a red herring). Isn't that the value MSFT uses for guard pages in a debug build? Can you replicate the bug in a release build?
I tried to replicate in Release mode and it doesn't happen.
I attach here the compiled binary of rules and the text ones, to allow you perhaps to replicate the problem if coming from the rules.
The compiled binary rules or the source for the rules is not going to make a difference. The crash you observed indicates it is in the OpenSSL code but only when built for Windows and only when in debug mode. I know nothing about how the Windows build for YARA works so I can't really debug further here. I can try and get a build environment setup on Windows but it might take me some time...
A minimal repro would be a debug build on Windows and a rule of: import "pe" rule a { condition: false }
I tried to replicate this issue without success. I built YARA with Visual Studio 2015 both for 64 and 32 bits in debug mode and it didn't crash. The pre-built binaries for version 4.0.2 also work fine. Can you provide more information about how you built the binaries that you're using?
I built it using Visual Studio 2019 toolset (v142), converted the project to ISO C++17 instead of C.
My modifications to the program did not change the core functionalities of Yara, I simply added C++ code (a class) to download compiled binaries of rules from a remote host via HTTPS with cUrl.
If the problem relies on OpenSSL, then I can tell you I downloaded the OpenSSL NuGet package embedded within the VS Project in the %YARA%\windows\vs2017\ directory after conversion to 2019 project solution:
YARA.OpenSSL.x64 (1.1.1)
I really don't know what else it can be, let me know if I can give you more information.
If we scan a Microsoft PE file with an Authenticode signature, Yara will crash when setting the cert_info->version integer field from the X509 certificate; specifically, this line (I expanded the code out of the macros manually, as you can see):
Here are the crash details:
Exception thrown at 0x00007FF6C64CFE4C in yara64.exe: 0xC0000005: Access violation reading location 0x0000000200000005.
Here is the dump of the X509 content:
Yara version:
This is happening only with a specific Microsoft library, which I have found in Rockstar's launcher:
api-ms-win-core-processenvironment-l1-1-0.dll
I don't know exactly how you can find this file, but I attached it to this report. api-ms-win-core-processenvironment-l1-1-0.zip