Section data view disregards FileAlignment

[eternaleclipse]

When displaying section data, PE-Bear uses IMAGE_SECTION_HEADER.PointerToRawData to find the section data in the file. In reality, when Windows loads the file, if the section file offset is not aligned to IMAGE_OPTIONAL_HEADER.FileAlignment, it will be rounded up to the next aligned address and loaded there. A malicious binary can use this inconsistency to display incorrect section data.

Btw, CFF Explorer falls for this too. IDA Pro displays a warning that it has detected a section that is not aligned and refuses to handle the section header.

Screenshot demonstrating the difference in section contents between section data in PE-Bear and what is actually loaded in memory (x64dbg):

EXE for reproduction: packed.zip

[eternaleclipse]

btw version is PE-bear_0.6.1_x64_win_vs17 (latest)

[hasherezade]

hi @eternaleclipse ! thanks for reporting. you are right. it's gonna be fixed in the new release.

[hasherezade]

@eternaleclipse - I fixed it, would you like to test the new version pre-release? you can download the builds from AppVeyor server, as described in the README. I will appreciate your feedback.

This is how it looks - the mapped Raw Offset is used for displaying section:

The original Raw Offset is showed in the Sections Headers view, with annotation that it is different than the mapped one:

[eternaleclipse]

Having automatic builds from git is so convenient! I'm checking it out now.

[eternaleclipse]

Looks great! It shows the correct mapped offset now for the code section.

A few suggestions:

• Adding an additional warning during loading, if the IMAGE_SECTION_HEADER.PointerToRawData is misaligned.
• Changing the names to something more indicative, like "Raw Offset (file)", "Mapped offset (file)", "Virtual address (mem)".
• The current build fixes Section headers and Code views. I haven't tested, but I suspect the bug will resurface in any section type that contains pointers (imports, exports, relocations, etc). There might be some fixing required with the "Follow raw" behaviour to point to the actual location of the structure as it is mapped in memory after alignment.

[hasherezade]

@eternaleclipse - I appreciate you taking time for testing, and thanks for your feedback!

Addressing your suggestions:

1. I have mixed feelings about showing popups during the load, unless it is a critical error. Some people just find them annoying. But I am agree with you that the fact that sections are misaligned should be more highlighted, so this is what I did:

This tooltip contains various info about different PE malformations found. What do you think?

2. Regarding the "Section Hdrs" tab - this is where I display the headers literally, as is defined in the file, so I don't want to add additional fields here, as it may be misleading. I can only comment the existing fields better. I will think how to make it more clear and visible for the user.
3. I guess you mean the conversion of the addresses is going to be invalid, and still using the old raw addresses to map? This is not the case, as it already uses the mapped addresses.

Please have look at this demo file (pass demo_demo):

• imp1.zip

The section containing imports has been misaligned:

It corrupts how the imports are displayed in case of the old PE-bear version:

However, the new version automatically compensates for the misalignment, and uses the offsets the way they are mapped, rather than their literal definitions:

Does it answer your concerns about it? Please let me know your thoughts.

[eternaleclipse]

About the misaligned section warning - I do understand your dislike of the message box interfering with the flow of the application. A more subtle visible cue is also good. I think it's better to have something that is clearly visible at all times, for example at the status bar "File: C:\bad.exe (WARNING: Malformed PE, contains misaligned sections)". That's just my preference though, I don't think there is a particularly correct way to handle it - it's a design decision.

About the pointer resolving fix - Previously, I didn't realize it applies to different pointers in all section types. I've just tested it with the misaligned imports binary you sent and it works great!

Cheers 🍻

[hasherezade]

Thank you! BTW, after trying various options, I settled with the MessageBox after all.

[hasherezade]

available in the latest release:

• https://github.com/hasherezade/pe-bear/releases/tag/v0.6.5