Closed eternaleclipse closed 1 year ago
Btw, version is PE-bear_0.6.1_x64_win_vs17 (latest)
Hi @eternaleclipse! Thanks for reporting. You are right. It's gonna be fixed in the new release.
@eternaleclipse - I fixed it, would you like to test the new version pre-release? You can download the builds from the AppVeyor server, as described in the README. I would appreciate your feedback.
This is how it looks - the mapped Raw Offset is used for displaying the section:
The original Raw Offset is shown in the Section Headers view, with an annotation that it is different from the mapped one:
Having automatic builds from git is so convenient! I'm checking it out now.
Looks great! It shows the correct mapped offset now for the code section.
A few suggestions:
IMAGE_SECTION_HEADER.PointerToRawData is misaligned.
@eternaleclipse - I appreciate you taking the time to test, and thanks for your feedback!
Addressing your suggestions:
This tooltip contains various info about different PE malformations found. What do you think?
Please have a look at this demo file (password: demo_demo):
The section containing imports has been misaligned:
It corrupts how the imports are displayed in the old PE-bear version:
However, the new version automatically compensates for the misalignment, and uses the offsets the way they are mapped, rather than their literal definitions:
Does it answer your concerns about it? Please let me know your thoughts.
About the misaligned section warning - I do understand your dislike of the message box interfering with the flow of the application. A more subtle visible cue is also good. I think it's better to have something that is clearly visible at all times, for example in the status bar: "File: C:\bad.exe (WARNING: Malformed PE, contains misaligned sections)". That's just my preference though; I don't think there is a particularly correct way to handle it - it's a design decision.
About the pointer resolving fix - Previously, I didn't realize it applies to different pointers in all section types. I've just tested it with the misaligned imports binary you sent and it works great!
Cheers 🍻
Thank you! BTW, after trying various options, I settled with the MessageBox after all.
Available in the latest release:
When displaying section data, PE-Bear uses IMAGE_SECTION_HEADER.PointerToRawData to find the section data in the file. In reality, when Windows loads the file, if the section file offset is not aligned to IMAGE_OPTIONAL_HEADER.FileAlignment, it will be rounded up to the next aligned address and loaded there. A malicious binary can use this inconsistency to display incorrect section data.
Btw, CFF Explorer falls for this too. IDA Pro displays a warning that it has detected a section that is not aligned and refuses to handle the section header.
Screenshot demonstrating the difference in section contents between section data in PE-Bear and what is actually loaded in memory (x64dbg):
EXE for reproduction: packed.zip
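A small checker for the condition this issue describes, added here as an example (not PE-bear's code and not the packed.zip sample): it walks the section table, flags any section whose PointerToRawData is not a multiple of FileAlignment, and computes the offset the issue says the loader actually uses (rounded up to the next FileAlignment boundary). The sample PE is a constructed header-only PE32+ built inline; the rounding rule is taken from the issue text, so check it against the loader you care about before relying on the mapped value.

```python
import struct

def round_up(value, unit):
    # Round value up to the next multiple of unit (the rule as stated in the issue).
    return value if unit == 0 or value % unit == 0 else (value // unit + 1) * unit

def audit_sections(pe_bytes):
    """Return (name, PointerToRawData, mapped offset, misaligned?) for every section."""
    e_lfanew, = struct.unpack_from("<I", pe_bytes, 0x3C)
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections, = struct.unpack_from("<H", pe_bytes, e_lfanew + 6)   # IMAGE_FILE_HEADER.NumberOfSections
    size_opt, = struct.unpack_from("<H", pe_bytes, e_lfanew + 20)      # SizeOfOptionalHeader
    opt = e_lfanew + 24
    # FileAlignment sits at +36 in both the PE32 and the PE32+ optional header.
    file_alignment, = struct.unpack_from("<I", pe_bytes, opt + 36)
    sec_table = opt + size_opt
    rows = []
    for i in range(num_sections):
        name, _vsize, _va, _raw_size, ptr_raw = struct.unpack_from("<8sIIII", pe_bytes, sec_table + i * 40)
        mapped = round_up(ptr_raw, file_alignment)
        rows.append((name.rstrip(b"\0").decode(), ptr_raw, mapped, mapped != ptr_raw))
    return rows

def build_demo_pe():
    """Constructed sample: header-only PE32+, FileAlignment 0x200, with an aligned
    .text section and a deliberately misaligned .rdata section (PointerToRawData 0x601)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0xF0, 0x22)  # 2 sections, 0xF0-byte opt hdr
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                             # PE32+ magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                   # SectionAlignment, FileAlignment
    def section(name, va, ptr_raw):
        return struct.pack("<8sIIII", name, 0x200, va, 0x200, ptr_raw) + b"\0" * 16
    return (dos + b"PE\0\0" + file_hdr + bytes(opt)
            + section(b".text", 0x1000, 0x400) + section(b".rdata", 0x2000, 0x601))

if __name__ == "__main__":
    for name, ptr_raw, mapped, bad in audit_sections(build_demo_pe()):
        flag = "  <-- misaligned: literal offset differs from mapped offset" if bad else ""
        print(f"{name:8} PointerToRawData=0x{ptr_raw:x} mapped=0x{mapped:x}{flag}")
```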