lief-project / LIEF

LIEF - Library to Instrument Executable Formats
https://lief.re
Apache License 2.0

pe :section .content not read correctly. #1092

Closed gogo2464 closed 2 weeks ago

gogo2464 commented 2 weeks ago

Describe the bug: Parsed content not correctly recopied in the target binary.

To Reproduce: I am coding a PE infector that creates a new section.

When I run

s = PE.Section(".mytext", lief.PE.SECTION_TYPES.TEXT)
s.content = lief.parse(r"..\..\myexe.exe").get_section(".text").content
b.add_section(s)

The section created sometimes contains the exact shellcode. In this case (1/4 times) the program libreoffice is entirely executed correctly with the full shellcode. And sometimes it creates an executable with extra content in the section and corrupts the shellcode.

Expected behavior: I would like the program to produce, 100% of the time, a .exe that does not contain extra content in the middle of the shellcode.

Environment (please complete the following information):

Additional context: The infector is proprietary. (I might not be able to do that. I need to check.) Tell me if you require extra info.

romainthomas commented 2 weeks ago

LIEF is pretty smart: if it detects that the user tries to create a shellcode it will automatically corrupt the binary.

gogo2464 commented 2 weeks ago

The shellcode is well tested and runs very fine in a .exe.

@romainthomas do you need more code to debug my program? I could provide the full code in private if you want.

gogo2464 commented 2 weeks ago

the command:

radiff2.exe -D .\out\good .\out\bad

shows that the section really contains different content from one run to another.

gogo2464 commented 2 weeks ago

the execution of

assert [b for b in section_text.content] == [good array]

fails 1 run out of 2. There must be a lack of unit testing in lief.

romainthomas commented 2 weeks ago

There must be a lack of unit testing in lief.

Yep

gogo2464 commented 2 weeks ago

I suggest assigning me to add unit testing to prove the gap first. Can you assign me please?

romainthomas commented 2 weeks ago

Done

gogo2464 commented 2 weeks ago

Thanks <3

gogo2464 commented 2 weeks ago

Could you reopen this issue? I am redoing a shellcode to upload to a lief executable like before.

I have a lot of license issues! I do not want to share my BIG shellcode in the unit testing. I will find a bad online just to test and add it in the unit testing!

gogo2464 commented 2 weeks ago

could you reopen the issue please?

romainthomas commented 2 weeks ago

LIEF is pretty smart: if it detects that the user tries to create a shellcode it will automatically corrupt the binary.

As you noticed, it works for other binaries. It's not an issue