Closed 0ssigeno closed 6 months ago
@0ssigeno is this still an issue?
Hi! Sorry for the late answer. I tried again with the sample in the code of my first message, and the error seems to be still present :(
We would need a copy of the offending binary to take a closer look.
That said, I won't be surprised if a piece of malware is deliberately malformed in the way that allows it to load but complicates parsing. While the problem of making sense of malware files is legitimate, I don't think it's reasonable to expect pyelftools to work with those correctly. Parsers, as a rule, throw exceptions on those.
Absolutely agree that, if the samples have their headers actually malformed, pyelftools should not work. I opened this issue because, unfortunately, I don't know enough about ELF headers or how pyelftools works to double check whether these samples should not work with pyelftools or whether there is a parsing error in the library itself.
If you are interested in testing it yourself to see whether it is a real error or not, you should be able to download one of the offending samples from malware bazaar without the need for a registered account. Take all necessary precautions, because it is malware.
Tried both of those (note: on Windows you have to switch off OS level real time protection, or the system will remove the file the moment you try to touch it). They look malformed to me - the very first section seems to be beyond the file size. GNU readelf seems to agree:
$ readelf -S mw.elf
There are 10 section headers, starting at offset 0xebc8:
readelf: Error: Reading 400 bytes extends past end of file for section headers
Pyelftools seems to be working as expected. This is not an issue with pyelftools, except maybe in the very narrow sense that the exception message is somewhat misleading (it complains about a missing string table; the error occurs even before that).
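The bounds check described in the comment above (a section header table that lies beyond the end of the file), as an added example that is not part of the thread or of pyelftools. It uses only the standard library; the function names and the sample header are constructed for illustration, with the offset 0xebc8, the count of 10 headers and the 400-byte table size taken from the readelf output above.

```python
import struct

def make_elf32_header(e_shoff, e_shnum, e_shentsize=40, e_shstrndx=0):
    """Constructed 52-byte ELF32 little-endian ARM header (sample data only)."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    return struct.pack("<16sHHIIIIIHHHHHH", e_ident, 2, 40, 1, 0, 0,
                       e_shoff, 0, 52, 32, 0, e_shentsize, e_shnum, e_shstrndx)

def check_section_table(data):
    """Return (ok, reason): does the section header table fit inside the file?"""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        return False, "not an ELF file"
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return False, "invalid EI_CLASS/EI_DATA"
    end = "<" if ei_data == 1 else ">"
    # (header size, e_shoff offset, e_shoff format, e_shentsize offset)
    if ei_class == 1:
        ehsize, off_at, off_fmt, ent_at = 52, 32, "I", 46   # ELF32
    else:
        ehsize, off_at, off_fmt, ent_at = 64, 40, "Q", 58   # ELF64
    if len(data) < ehsize:
        return False, "truncated ELF header"
    (e_shoff,) = struct.unpack_from(end + off_fmt, data, off_at)
    e_shentsize, e_shnum = struct.unpack_from(end + "HH", data, ent_at)
    if e_shoff == 0:
        return True, "no section header table"
    # Assumption: e_shnum == 0 with a non-zero e_shoff (extended numbering,
    # real count stored in section 0) is not handled by this sketch.
    table = e_shnum * e_shentsize
    if e_shoff + table > len(data):
        return False, (f"reading {table} bytes at offset {e_shoff:#x} extends "
                       f"past end of file ({len(data)} bytes) for section headers")
    return True, "section header table within file"

# Constructed samples: same header, one file cut off before the table.
HEADER = make_elf32_header(e_shoff=0xEBC8, e_shnum=10, e_shstrndx=9)
TRUNCATED = HEADER.ljust(0xEBC8, b"\0")
INTACT = HEADER.ljust(0xEBC8 + 10 * 40, b"\0")

if __name__ == "__main__":
    for name, blob in (("truncated", TRUNCATED), ("intact", INTACT)):
        print(name, check_section_table(blob))
```

Running a check like this before handing a sample to a parser gives a bounds-specific reason up front, rather than a later error about a missing string table.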
Oki, nothing that we can do if they are malformed, I have to agree with you.
A more "verbose" error would be nice, but I can argue that the implementation time for changing the error message when the header is malformed is overkill for this.
Thank you for your time, I think that we can close this issue!
I can't close the issue. You can.
Wops, thought you were admin in the repo, and wanted to double check before actually closing it
Hi guys!
I was using pyelftools to analyze some malware and I encountered an error with some ARM samples:
When calling
The tracelog error raised is the following:
The error is raised with both the current pypi release, and the master branch. I'm sorry to be unable to provide more information about this, but I have very low knowledge about the internals of the project.