search

erocarrera / pefile

pefile is a Python module to read and work with PE (Portable Executable) files
MIT License
1.83k stars 516 forks source link

pefile.py failed to load PE binary with bogus section.SizeOfRawData #381

Open peta909 opened 10 months ago

peta909 commented 10 months ago

Hi, I recently came across a binary with its section.SizeOfRawData have a bogus value which is much larger than its actual value. This result in pefile loading the binary wrongly. at pefile/pefile.py line 6290 if ( srd > len(self.__data__) or prd > len(self.__data__) or srd + prd > len(self.__data__) or VirtualAddress_adj >= max_virtual_address ): continue

I had to comment out 2 lines of the above code with "srd" for the binary to be loaded correctly. The same binary was loaded correctly in IDA Pro and Pe-bear.

erocarrera commented 10 months ago

Hi, when you say "loaded correctly", what is the end result you expect? The line is part of the code of the get_memory_mapped_image() method. The large section.SizeOfRawData imply the section will be skipped and its data not added to the simulated "memory mapped image", what would be the behavior you expect, to add any available data for the section to the result? that would seem feasible.

Would it be possible to provide the file or its hash, if available through a service such as VirusTotal?