hasherezade / libpeconv

A library to load, manipulate, dump PE files. See also: https://github.com/hasherezade/libpeconv_tpl
https://hasherezade.github.io/libpeconv
BSD 2-Clause "Simplified" License

Import table with empty blocks interpreted as wrong #22

Closed: hasherezade closed this issue 3 years ago

hasherezade commented 3 years ago

It is rare, but it may happen in valid PE files, that full blocks are empty:

[Image: empty_reloc_blocks]

Example - the files belonging to MS Office:

C:/Program Files/Common Files/microsoft shared/OfficeSoftwareProtectionPlatform/OSPPSVC.EXE
C:/Program Files/Common Files/microsoft shared/OfficeSoftwareProtectionPlatform/OSPPOBJS.DLL

LibPEConv interprets blocks which have all entries empty as invalid blocks.

https://github.com/hasherezade/libpeconv/blob/01bc0d04273d931c40806d1e439b040ff074bf6b/libpeconv/src/relocate.cpp#L78

And then the full Import Table is treated as invalid: https://github.com/hasherezade/libpeconv/blob/01bc0d04273d931c40806d1e439b040ff074bf6b/libpeconv/src/relocate.cpp#L120-L121
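The linked code is in relocate.cpp, so the following added example (not libpeconv's code and not part of the original issue) walks a base relocation directory and counts a block whose entries are all padding as empty but valid, reserving "invalid" for structural errors such as a block size that overruns the directory. The names `RelocWalk`, `walk_relocs` and `sample_relocs` are hypothetical, and the sample bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

struct RelocWalk {
    bool valid;                           // false only on structural errors
    size_t blocks, empty_blocks, applied; // visited / all-padding / entries to patch
};

static uint32_t rd(const uint8_t* p, int n) { // little-endian read of n bytes
    uint32_t v = 0;
    for (int i = 0; i < n; i++) v |= uint32_t(p[i]) << (8 * i);
    return v;
}

// Each block: u32 page RVA, u32 block size (header included), then u16 entries
// whose top 4 bits are the type; type 0 (IMAGE_REL_BASED_ABSOLUTE) is padding.
RelocWalk walk_relocs(const uint8_t* dir, size_t dir_size) {
    RelocWalk r{true, 0, 0, 0};
    size_t off = 0;
    while (dir_size - off >= 8) {
        uint32_t page = rd(dir + off, 4), size = rd(dir + off + 4, 4);
        if (page == 0 && size == 0) break;              // terminator
        if (size < 8 || size > dir_size - off) {        // structural error
            r.valid = false;
            return r;
        }
        size_t applied = 0;
        for (size_t e = off + 8; e + 2 <= off + size; e += 2)
            if ((rd(dir + e, 2) >> 12) != 0) applied++; // skip padding entries
        if (applied == 0) r.empty_blocks++;             // empty, yet still valid
        r.applied += applied;
        r.blocks++;
        off += size;
    }
    return r;
}

// Constructed sample: a normal block, a fully empty block, another normal block.
std::vector<uint8_t> sample_relocs() {
    std::vector<uint8_t> b;
    auto put = [&b](uint32_t v, int n) { for (int i = 0; i < n; i++) b.push_back(uint8_t(v >> (8 * i))); };
    put(0x1000, 4); put(12, 4); put(0x3010, 2); put(0x0000, 2);
    put(0x2000, 4); put(16, 4); for (int i = 0; i < 4; i++) put(0, 2);
    put(0x3000, 4); put(12, 4); put(0xA008, 2); put(0xA010, 2);
    return b;
}

int main() { auto s = sample_relocs(); return walk_relocs(s.data(), s.size()).valid ? 0 : 1; }
```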