odin1314 / yara-project

Automatically exported from code.google.com/p/yara-project
Apache License 2.0

[BUG] Wrong entrypoint in malformed executables #66

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
Scan these files with yara:
http://www.mediafire.com/?j9sri3j6droprsg

2cd824f14689dabce09f7dd2d944bb1e
33a2504c99c525c9de3835ce14a42129
6cce882e601bc0e2c12f4445c40ce92d
9d61140f3ac118a42947c3f1ad3f8b16

All these files have the same EP, at RVA 0xf10f; when you use the "entrypoint"
variable in a rule, yara returns 0xfd0f, which is an erroneous offset outside
the file.

These files have a wrong SizeOfRawData in the first section; this causes a wrong
result from the pe_rva_to_offset routine that yara uses to get the EP in PE files.

I fixed it by making some small changes to the original routine in the exe.c file;
I don't know if it is the best way, but it works :)

/* Map an RVA to a file offset. When a malformed section header (e.g. an
 * oversized SizeOfRawData in the first section) makes the raw ranges of
 * several sections overlap, prefer the matching section with the highest
 * VirtualAddress, so the oversized section cannot shadow the section that
 * really contains the RVA. Returns 0 if no section matches. */
unsigned long long pe_rva_to_offset(PIMAGE_NT_HEADERS pe_header, unsigned long long rva, unsigned int buffer_length)
{
    int i = 0;
    unsigned long long max_va = 0;
    PIMAGE_SECTION_HEADER section;
    PIMAGE_SECTION_HEADER vsection = NULL;  /* best match found so far */

    section = IMAGE_FIRST_SECTION(pe_header);

    while (i < MIN(pe_header->FileHeader.NumberOfSections, 60))
    {
        /* only read a section header that lies entirely inside the buffer */
        if ((unsigned char*) section - (unsigned char*) pe_header + sizeof(IMAGE_SECTION_HEADER) < buffer_length)
        {
            if (rva >= section->VirtualAddress &&
                rva <  section->VirtualAddress + section->SizeOfRawData)
            {
                /* keep the matching section with the highest VirtualAddress */
                if (section->VirtualAddress >= max_va)
                {
                    max_va = section->VirtualAddress;
                    vsection = section;
                }
            }
            section++;
            i++;
        }
        else
        {
            break;
        }
    }

    if (max_va != 0 && vsection != NULL)
    {
        return vsection->PointerToRawData + (rva - vsection->VirtualAddress);
    }
    else
    {
        return 0;
    }
}

Original issue reported on code.google.com by golgotr...@gmail.com on 18 Oct 2012 at 12:18
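Added example (not part of the bug report and not yara's own code): a self-contained model of the lookup with a constructed two-section table whose first section has the oversized SizeOfRawData the report describes, comparing the first-match lookup against the highest-VirtualAddress variant. The struct and function names, and all section values, are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical minimal stand-in for the three IMAGE_SECTION_HEADER fields used. */
typedef struct {
    uint32_t VirtualAddress;
    uint32_t SizeOfRawData;
    uint32_t PointerToRawData;
} section_t;

/* First-match lookup: the first section whose raw range covers the RVA wins. */
static uint32_t rva_to_offset_first(const section_t *s, size_t n, uint32_t rva)
{
    for (size_t i = 0; i < n; i++)
        if (rva >= s[i].VirtualAddress && rva < s[i].VirtualAddress + s[i].SizeOfRawData)
            return s[i].PointerToRawData + (rva - s[i].VirtualAddress);
    return 0;  /* no section covers the RVA */
}

/* Highest-VA lookup: among covering sections prefer the highest VirtualAddress,
 * so an oversized earlier section cannot shadow the one that really owns the RVA. */
static uint32_t rva_to_offset_highest(const section_t *s, size_t n, uint32_t rva)
{
    const section_t *best = NULL;
    for (size_t i = 0; i < n; i++)
        if (rva >= s[i].VirtualAddress && rva < s[i].VirtualAddress + s[i].SizeOfRawData &&
            (best == NULL || s[i].VirtualAddress >= best->VirtualAddress))
            best = &s[i];
    return best ? best->PointerToRawData + (rva - best->VirtualAddress) : 0;
}

/* Constructed section table: .text claims 0x10000 raw bytes, so its range
 * [0x1000, 0x11000) overlaps .rdata, which starts at RVA 0xf000. */
static const section_t sample_sections[] = {
    { 0x1000, 0x10000, 0x400  },  /* .text  (malformed SizeOfRawData) */
    { 0xf000, 0x1000,  0x1400 },  /* .rdata */
};
#define SAMPLE_COUNT (sizeof sample_sections / sizeof sample_sections[0])

int main(void)
{
    uint32_t ep_rva = 0xf10f;  /* constructed entry point inside .rdata */
    printf("first-match : 0x%x\n", rva_to_offset_first(sample_sections, SAMPLE_COUNT, ep_rva));
    printf("highest-VA  : 0x%x\n", rva_to_offset_highest(sample_sections, SAMPLE_COUNT, ep_rva));
    return 0;
}
```

The first-match lookup lands 0xe10f bytes past .text's real raw data; the highest-VA lookup resolves the RVA inside .rdata at 0x150f.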

GoogleCodeExporter commented 9 years ago
I forgot to say that the password for the mediafire samples is "infected", and
please don't execute them because they are malware files. :p

Original comment by golgotr...@gmail.com on 18 Oct 2012 at 12:27