hasherezade / exe_to_dll

Converts a EXE into DLL

Wrong virtual section size #6

Open ark3us opened 2 years ago

ark3us commented 2 years ago

Hello and thank you very much for your amazing work!

I'm trying to use your code to convert an exe to a dll but I'm experiencing a problem. I'm not an expert in the matter so I hope you can give me any hints. The program fails converting the raw PE to virtual with these messages:

[!] Truncated to maximal size: fc7000, buffer size:18e9000
[-] Raw section size is out ouf bounds: 332000

Adding some debug info, if I understood correctly, it seems the size of some virtual sections reported in the section header is wrong:

Section 13 at 9576448, size: 105902592
Section 14 at 22769664, size: 3350528

The size of section 13 should not be that big, right? This leads to the first error message. And also the SizeOfImage header seems to be too small, which leads to the second error message and failure. Unfortunately I cannot share the exe, but it runs normally, it's not corrupted. Any idea why this happens? Anything I can do to handle this type of files?

Thank you again!

hasherezade commented 2 years ago

hi @ark3us ! thank you for your interest in my tools.

Yes, from what you described, it seems to be a problem with atypical section alignment. Is this executable packed by some packer/protector? Does it have an overlay? I can understand that you don't want to share the binary, but maybe you could share the full section table, and the visualization from PE-bear? I mean, an analogous view to this one:

It would be very helpful for me to understand what exactly the section alignment is, and how it may affect the conversion.

ark3us commented 2 years ago

Hi @hasherezade , thank you very much for your reply!

As you guessed, the exe is packed with Enigma Protector.

This is the Section Headers view from PE-bear (another amazing tool!):

Edit: I tried to modify the file manually following this article: https://whtaguy.com/2020/04/11/Calling-Arbitrary-Functions-In-EXEs-3A-Performing-Calls-to-EXE-Functions-Like-DLL-Exports.html

But also in this case I had no luck (failure calling the original EP), so I guess there must be some sophisticated loading mechanism which prevents using this technique.

Thanks!

hasherezade commented 2 years ago

@ark3us - thank you, seeing the sections layout, and knowing that it is packed, actually explains a lot. Indeed, the messages that you saw are about the section 13, which, in the Virtual format, overflows the next section, and even goes beyond the Image Size. Before the conversion, libPEconv tries to map the exe into the Virtual format, to make it easier to operate on it (no need to convert between virtual and raw addresses). But in this case there is this anomaly, which makes the mapped section not fit into the allocated image size. I have an idea how to resolve it, but it needs some more experiments. Do you have some other executable packed with Enigma Protector, that you could share with me as a test case?

Although this problem with sections could be solved, the other thing is, as you noticed, even modifying the binary manually didn't let it run as normal. Such cases (when the binary is packed by a protector) are usually tricky - their authors intentionally deploy various non-standard techniques to make analysis and modification of the binary harder. I am not sure what else is going on in this executable that makes it unable to run after the modifications, and if it can be resolved or not. As I mentioned, if you provide some testcases I can experiment with it, and let you know if I have any progress.
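As an added illustration of the anomaly described above (example code, not from the issue or from libPEconv): parse a PE section table and flag any section whose virtual span runs past SizeOfImage or into the following section, which is exactly what a raw-to-virtual mapper cannot reproduce faithfully. The sample headers are constructed from the offsets and sizes quoted earlier in this thread; SizeOfImage is assumed to equal the "buffer size" printed in the log.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics.
SECTION_HDR_FMT = "<8sIIIIIIHHI"
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR_FMT)  # 40

def parse_section_table(table: bytes, count: int) -> list[dict]:
    """Decode `count` consecutive IMAGE_SECTION_HEADER records."""
    sections = []
    for i in range(count):
        f = struct.unpack_from(SECTION_HDR_FMT, table, i * SECTION_HDR_SIZE)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "vaddr": f[2], "raw_size": f[3], "raw_ptr": f[4]})
    return sections

def check_virtual_layout(sections: list[dict], size_of_image: int) -> list[tuple]:
    """Flag sections whose virtual span does not fit a SizeOfImage-sized buffer.
    A raw-to-virtual mapper copies each section to its VirtualAddress, so a section
    ending past SizeOfImage must be truncated, and one ending past the next section's
    start is partly overwritten when that section is copied in."""
    findings = []
    ordered = sorted(sections, key=lambda s: s["vaddr"])
    for idx, sec in enumerate(ordered):
        end = sec["vaddr"] + sec["vsize"]
        if end > size_of_image:
            findings.append((sec["name"], "exceeds_image", end - size_of_image))
        if idx + 1 < len(ordered) and end > ordered[idx + 1]["vaddr"]:
            findings.append((sec["name"], "overlaps_next", end - ordered[idx + 1]["vaddr"]))
    return findings

def build_header(name: bytes, vsize: int, vaddr: int, raw_size: int, raw_ptr: int) -> bytes:
    """Pack a synthetic section header (constructed test data, not read from a real file)."""
    return struct.pack(SECTION_HDR_FMT, name.ljust(8, b"\0"), vsize, vaddr, raw_size,
                       raw_ptr, 0, 0, 0, 0, 0x60000020)

# Constructed sample table: one ordinary section plus two whose address/size mirror the
# numbers quoted in the issue (section 13 at 9576448, size 105902592; section 14 at
# 22769664, size 3350528). SizeOfImage is assumed to equal the "buffer size" in the log.
SAMPLE_TABLE = b"".join([
    build_header(b".text", 0x1000, 0x1000, 0x1000, 0x400),
    build_header(b".sec13", 105902592, 9576448, 0x1000, 0x1400),
    build_header(b".sec14", 3350528, 22769664, 0x1000, 0x2400),
])
SAMPLE_SIZE_OF_IMAGE = 0x18E9000

if __name__ == "__main__":
    secs = parse_section_table(SAMPLE_TABLE, 3)
    for name, kind, excess in check_virtual_layout(secs, SAMPLE_SIZE_OF_IMAGE):
        print(f"{name}: {kind} by 0x{excess:x}")
```

With these values only the section mirroring "section 13" is reported, for both conditions; the one mirroring "section 14" ends exactly at the assumed SizeOfImage and so passes this check.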

ark3us commented 2 years ago

Hi @hasherezade , thank you for your interest! I made a simple program similar to the one I was trying to convert to dll. It's a Go executable which uses mingw64 gtk libs to show a simple hello world window. All required mingw64 libs are packed together with the exe using Enigma Protector 7.10. The original exe (before packing) is successfully converted by exe_to_dll and can also be executed without problems. The packed exe has the same problem as before, in this case section 25 overlaps with 26. You can find the files here: https://mega.nz/folder/o0Fy1STA#w5XTWptrunlcUJFXK9I5cA

I have been playing with libconv trying to fix offsets when converting raw sections to virtual, but I didn't have much success so far, I need to study the PE format better :D Please let me know if I can help you in any way! Thanks!

hasherezade commented 2 years ago

thank you @ark3us ! your samples will be very helpful in my tests. unfortunately, nowadays I am busy with something else, so I will not be able to take care of this immediately. but it is on my TODO, and I will let you know when I get some progress with it.

ark3us commented 2 years ago

Hi @hasherezade , just a quick update. It seems the problem with this type of packing is that it's not possible to put the new entry point in any executable section, but only in specific ones. For example, it works putting the stub in section 26, but not in others (the "main" returns with error probably due to some checks).