search

hasherezade / pe-bear-releases

PE-bear (builds only)
https://hshrzd.wordpress.com/pe-bear/
767 stars 73 forks source link

Imports tab shows even if invalid #44

Closed Shadlock0133 closed 2 years ago

Shadlock0133 commented 2 years ago

PE-bear version: v0.5.5.3

I have an exe file with data directory size set to 0. This causes "Data Directory" view to be filled with garbage data (but it's not that important), and for some reason "Imports" tab is displayed, also filled with garbage.

Here is the file, compressed: main.zip

hasherezade commented 2 years ago

hi! in the example that you shared, the VA of Import Table is non-zero (1), and also the size(1000):

size_filled

garbage_table

so the attempt of parsing it is not a bug, but a valid behavior, just: garbage in -> garbage out.

If the size of the Import Directory was set to 0, the content won't be parsed - so, there will be no garbage imports - but the Imports tab will be displayed, because the VA of the Import Table is still non-zero:

size_set_to_zero

empty_table

This is not a bug, but intended behavior. The tab is shown, because the PE do have imports directory, even if they are invalid.

PE-bear just displays the data, it is not supposed to make guesses or assumptions about whether or not this input makes sense as an import table. The only sanity checks it makes, are for the buffer sizes, for security purposes. That's why it may sometimes display a garbage data, just because it shows literally what was supplied.

Shadlock0133 commented 2 years ago

I was mostly surprised because the data dir is supposed to be empty. So it contains "garbage" because it read data from sections headers.

hasherezade commented 2 years ago

data dir is supposed to be empty.

but in the Data Directory the Import Table is not empty - the RVA is set to 1:

filled

So PE-bear reads whatever this RVA points to.