Closed retsek860 closed 2 years ago
hi @retsek860 !
can you give me the exact path & hash of the calculator you were looking at? And even better, pack this executable for me and attach it to the issue? I want to be 100% sure that we are looking at the same PE.
If you can add some screenshots illustrating what you observe, it will be very helpful, so it will give me additional context of what is really happening.
The value `0B 01` (0x10B) in the hex editor would suggest that the application is indeed 32-bit (check this example: https://wiki.osdev.org/PE, under "Optional header").
Are you sure that the calc opened in PE-bear is exactly the same as the calc opened in CFF Explorer, and the other application, and not a version from SysWOW64?
Hi @hasherezade, yes I am sure I am opening the same PE in each program: `C:\Windows\System32\calc.exe`. I ran a SHA256 hash on the executable with 7zip: 58189cbd4e6dc0c7d8e66b6a6f75652fc9f4afc7ce0eba7d67d8c3feb0d5381f
@retsek860 - I am pretty sure that you are using PE-bear 32 bit, and what happens here is File System Redirection (it is a default feature of Windows that causes the path `C:\Windows\System32` to be automatically converted to `C:\Windows\SysWOW64` when a 32-bit app references it).
So the path is misleading, and those are not the same instances of calc you are looking at.
Try with PE-bear 64 bit and you will see what I mean.
Example (screenshot): PE-bear 32 bit vs 64 bit opening calc.
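The two points made in this thread, reading the Optional Header Magic at `e_lfanew + 24` (0x10B = PE32, 0x20B = PE32+) and opening the real 64-bit `System32` file from a 32-bit process despite WOW64 file system redirection, as an added Python example. This is not code from the original thread or from PE-bear. It relies on two documented Windows behaviours: a 32-bit process on 64-bit Windows has `PROCESSOR_ARCHITEW6432` set, and the virtual `C:\Windows\Sysnative` directory gives such a process access to the real `System32`. The default `SystemRoot` of `C:\Windows` is an assumption, and the `make_stub_pe` helper builds constructed header-only bytes (not a real executable) so the parser can be exercised offline; its `e_lfanew` of 0xE8 is chosen so that Magic lands at offset 0x100, the offset quoted in the issue.

```python
import hashlib
import os
import struct
import sys

# Optional Header "Magic" values defined by the PE/COFF spec.
PE_MAGIC = {0x10B: "PE32 (32-bit)", 0x20B: "PE32+ (64-bit)", 0x107: "ROM image"}


def pe_magic(data: bytes) -> int:
    """Return the Optional Header Magic of a PE image held in memory.

    Walks: MZ header -> e_lfanew (offset 0x3C) -> "PE\\0\\0" signature ->
    20-byte COFF file header -> first WORD of the optional header (Magic).
    Raises ValueError when the bytes do not look like a PE file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    (size_of_optional_header,) = struct.unpack_from("<H", data, e_lfanew + 20)
    if size_of_optional_header < 2:
        raise ValueError("image has no optional header")
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return magic


def describe_magic(magic: int) -> str:
    return PE_MAGIC.get(magic, f"unknown (0x{magic:X})")


def running_under_wow64() -> bool:
    """True for a 32-bit Python on 64-bit Windows, i.e. exactly the kind of
    process whose System32 accesses are redirected to SysWOW64. Windows sets
    PROCESSOR_ARCHITEW6432 only inside such processes."""
    return (sys.platform == "win32"
            and sys.maxsize <= 2**32
            and "PROCESSOR_ARCHITEW6432" in os.environ)


def unredirected_path(path: str, is_wow64: bool, system_root: str = r"C:\Windows") -> str:
    """Rewrite <root>\\System32\\X to <root>\\Sysnative\\X for a WOW64 caller.
    Sysnative is the virtual directory Windows exposes to 32-bit processes so
    they can reach the real 64-bit System32. Assumption: SystemRoot is
    C:\\Windows unless the caller passes something else."""
    if not is_wow64:
        return path
    root = system_root.rstrip("\\")
    prefix = root + "\\System32\\"
    if path.lower().startswith(prefix.lower()):
        return root + "\\Sysnative\\" + path[len(prefix):]
    return path


def inspect_file(path: str) -> dict:
    """Open the file a 64-bit tool would see, hash it, and report its Magic,
    so the path, SHA-256 and bitness can be compared across tools."""
    real_path = unredirected_path(path, running_under_wow64())
    with open(real_path, "rb") as fh:
        data = fh.read()
    return {
        "requested": path,
        "opened": real_path,
        "sha256": hashlib.sha256(data).hexdigest(),
        "magic": describe_magic(pe_magic(data)),
    }


def make_stub_pe(magic: int, e_lfanew: int = 0xE8) -> bytes:
    """Constructed header-only sample (not a runnable executable) for offline
    testing. With e_lfanew = 0xE8 the Magic WORD sits at offset 0x100."""
    buf = bytearray(e_lfanew + 26)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    is_64 = magic == 0x20B
    struct.pack_into("<H", buf, e_lfanew + 4, 0x8664 if is_64 else 0x14C)  # Machine
    struct.pack_into("<H", buf, e_lfanew + 20, 0xF0 if is_64 else 0xE0)    # SizeOfOptionalHeader
    struct.pack_into("<H", buf, e_lfanew + 24, magic)                       # Magic
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(inspect_file(sys.argv[1]))
    else:
        for m in (0x10B, 0x20B):
            stub = make_stub_pe(m)
            print(f"bytes at 0x100: {stub[0x100:0x102].hex(' ')} -> {describe_magic(pe_magic(stub))}")
```

Run as `python pe_magic.py C:\Windows\System32\calc.exe` from both a 32-bit and a 64-bit Python on a 64-bit Windows box: the 32-bit run reports `opened` as the `Sysnative` path and the same SHA-256 and `PE32+` as the 64-bit run, whereas without the rewrite the 32-bit run would silently hash the `SysWOW64` copy and report `PE32`, which is the mismatch seen in this issue. With no argument the script exercises the parser on the constructed stubs only.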
I'm sorry, you are right :)
@retsek860 - no problem, glad that we solved it! :)
When disassembling `calc.exe` on Windows 10 64-bit I noticed that it identified the magic number (NT Headers > Optional Header > Magic) as `10B`, and labels it as `NT32`. Even in the hex editor window the value at offset `100` is `0B 01`. When analysing the program in CFF Explorer, HxD and Detect It Easy, they all identify it as `PE64`.

To recreate: This is the standard calculator that comes with Windows. I am running Windows 10 Pro ver 21H2 (not sure how important the exact version number might be). I am running Windows in a VM on a Linux host (again, not sure if this is important, but included for transparency).