mentebinaria / readpe

The PE file analysis toolkit
GNU General Public License v2.0

Segmentation faults in pehash and readpe #88

Closed rocklob closed 9 years ago

rocklob commented 9 years ago

I have come across a couple of binaries that cause pehash and readpe to segfault. I uploaded an example of such a binary to malwr:

https://malwr.com/analysis/NmIwMDZkMTZlOTRkNDJkOTgzZDFhZTNhNTQ3ZWIxZjA/share/e09332fe54fc412ba2a995d3b9b9fd0d

(This is from the wild, so handle with care.)

On this sample, pehash gives me this output:

file
    filepath:                        bdb1ee7bdff9d6fff9f1bbc61c246e90206c37e28eae38bd391c6652e839aeeb.data
    md5:                             c122f3f4f4e08e854ab387900b80fb5c
    sha1:                            c4de77b015b9d515ba6024665ed2d5eb072f6b6f
    ssdeep:                          6144:oj98IJ+DlOxnmXmdcUHpiBENp1+xOKez6KO2m7wIVPitvezgxp:fIIDqm2dcIpiBENp8xpeeKOn8IV6Fqgf
headers
    header
        header_name:                     IMAGE_DOS_HEADER
        md5:                             391ea009064a4158eb6a7c8d6c49c886
        sha1:                            c3047ff45c7b4b6f290f157e200892f2c1177058
        ssdeep:                          3:WlWUqt/vll1:idqf
    header
        header_name:                     IMAGE_COFF_HEADER
        md5:                             7bbc50502f0564715b8b25afe445a1ec
        sha1:                            05199e13a4493b605fda16f63ef81ed616581b18
        ssdeep:                          3:VtlQQlH:+Qd
    header
        header_name:                     IMAGE_OPTIONAL_HEADER
        md5:                             7db26786973e4396ac69fb6c556c6e59
        sha1:                            b4f5a77022883e041cf3d39cb514d391c8348578
        ssdeep:                          3:x/rjJnPvX7MHvl5LuXNlk8s/J/llFllNllFllX:x2+08s/Jt
sections
    section
        section_name:                    .text
Segmentation fault (core dumped)

readpe gives me this:

...snip...
        Section
            Name:                            .reloc
            Virtual Address:                 0x12c000
            Physical Address:                0x1924
            Size:                            0x1a00 (6656 bytes)
            Pointer To Data:                 0x128a00
            Relocations:                     0
            Characteristics:                 0x42000040
            Characteristic Names
                                                 IMAGE_SCN_CNT_INITIALIZED_DATA
                                                 IMAGE_SCN_MEM_DISCARDABLE
                                                 IMAGE_SCN_MEM_READ
output: trying to close a document, but the current scope is of a different type.
Aborted (core dumped)
merces commented 9 years ago

Hi @rocklob. Thanks for opening this issue. I've confirmed it and added some error handling code under @4912ed4bbdb88. However, I wonder if any tool is able to seek through the section content or list the imports of this DLL file. If so, we should be able to do the same.

rocklob commented 9 years ago

I'm not familiar with similar tools, but if more samples that cause this issue would be helpful to you, I can probably find some.

Thanks for working this issue!

jweyrich commented 9 years ago

@merces: pedump isn't able, at least - http://pedump.me/c122f3f4f4e08e854ab387900b80fb5c/#pe

From its log:

[?] imports info beyond EOF
[?] exports info beyond EOF
[?] can't find file_offset of VA 0x338
[?] exports info beyond EO
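
The three parsers in this thread fail in the same place: a section table or data directory that points past the end of the file. As an added illustration (not readpe's or pedump's own code), the C below shows the two checks a PE parser needs before touching section or import data: that a section's raw data actually fits inside the file, and that an RVA maps to a file offset at all. The `pe_section_t` struct, the function names and the 4096-byte sample section table are this example's own assumptions; the `.reloc` offset and size are the values from the readpe output above, placed in a deliberately too-small file, and the `.wrap` entry shows why the arithmetic must be done in 64 bits.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

/* Cut-down stand-in for IMAGE_SECTION_HEADER with only the fields the checks
 * need. This layout is the example's own assumption, not readpe's type. */
typedef struct {
    const char *name;
    uint32_t    virtual_size;
    uint32_t    virtual_address;
    uint32_t    size_of_raw_data;
    uint32_t    pointer_to_raw_data;
} pe_section_t;

/* Constructed sample: a 4096-byte "file" whose section table carries one
 * section far beyond EOF (raw offset/size from the .reloc entry in the
 * readpe output above) and one whose offset+size wraps around 32 bits. */
const uint64_t     sample_file_size = 0x1000;
const pe_section_t sample_sections[] = {
    { ".text",  0x600,  0x1000,   0x600,  0x400      },
    { ".data",  0x200,  0x2000,   0x200,  0xA00      },
    { ".reloc", 0x1924, 0x12c000, 0x1a00, 0x128a00   },
    { ".wrap",  0x200,  0x3000,   0x200,  0xFFFFFF00 },
};
const size_t sample_section_count = sizeof sample_sections / sizeof sample_sections[0];

/* 1 when the section's raw data lies entirely inside file_size bytes, else 0.
 * 64-bit arithmetic keeps a crafted offset+size pair from wrapping and
 * slipping past the check. A zero raw size is fine: nothing on disk to read. */
int section_raw_in_bounds(const pe_section_t *s, uint64_t file_size)
{
    uint64_t start = s->pointer_to_raw_data;
    uint64_t end   = start + (uint64_t)s->size_of_raw_data;
    if (s->size_of_raw_data == 0)
        return 1;
    return start < file_size && end <= file_size;
}

/* Number of sections whose raw data the file cannot hold; a parser should
 * skip those (and say so) rather than read past its buffer. */
size_t count_unreadable_sections(const pe_section_t *sections, size_t count,
                                 uint64_t file_size)
{
    size_t bad = 0;
    for (size_t i = 0; i < count; i++)
        if (!section_raw_in_bounds(&sections[i], file_size))
            bad++;
    return bad;
}

/* Map an RVA to a file offset through the section table. Returns -1 when no
 * section covers the RVA, when the RVA falls in the part of a section that
 * exists only in memory (virtual size > raw size), or when the resulting
 * offset is outside the file. This is what pedump reports as "can't find
 * file_offset of VA ..." and what an import/export parser must check before
 * following a directory pointer. */
int64_t rva_to_file_offset(const pe_section_t *sections, size_t count,
                           uint32_t rva, uint64_t file_size)
{
    for (size_t i = 0; i < count; i++) {
        const pe_section_t *s = &sections[i];
        uint64_t va_start = s->virtual_address;
        uint64_t va_end   = va_start + (uint64_t)s->virtual_size;
        if (rva < va_start || rva >= va_end)
            continue;
        uint64_t delta = rva - va_start;
        if (delta >= s->size_of_raw_data)
            return -1;
        uint64_t off = (uint64_t)s->pointer_to_raw_data + delta;
        if (off >= file_size)
            return -1;
        return (int64_t)off;
    }
    return -1;
}

int main(void)
{
    printf("file size: %" PRIu64 " bytes\n", sample_file_size);
    for (size_t i = 0; i < sample_section_count; i++) {
        const pe_section_t *s = &sample_sections[i];
        printf("  %-6s raw 0x%" PRIx32 "+0x%" PRIx32 "  %s\n", s->name,
               s->pointer_to_raw_data, s->size_of_raw_data,
               section_raw_in_bounds(s, sample_file_size) ? "ok" : "BEYOND EOF");
    }
    printf("RVA 0x1100 -> offset %" PRId64 "\n",
           rva_to_file_offset(sample_sections, sample_section_count, 0x1100, sample_file_size));
    printf("RVA 0x338  -> offset %" PRId64 "\n",
           rva_to_file_offset(sample_sections, sample_section_count, 0x338, sample_file_size));
    return 0;
}
```

Run as is, the report marks `.reloc` and `.wrap` as unreadable, resolves RVA 0x1100 to file offset 0x500 inside `.text`, and returns -1 for RVA 0x338, which lies in the headers rather than any section. The point for a tool like pehash is that a failed check should end with a skipped section or a reported error, not with reading from an address the file never backed.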

merces commented 9 years ago

Got it, @rocklob. @jweyrich, thanks for checking. I've tested with two other tools and got the same results. So, I'm closing this issue but I'll add tests with those binaries in our TODO list. Perhaps we can extend pev to parse more data from them. ;)

Thank you all.

jweyrich commented 7 years ago

@rocklob: I believe the issues you reported were fixed by @merces' commit. I ran both tools with that sample and they no longer crash.