handling of too small NumberOfRvaAndSizes values #265
Conversation
pefile.py
Outdated
| @@ -2216,6 +2216,15 @@ def __parse__(self, fname, data, fast_load, is_obj): | |||
| self.NT_HEADERS.FILE_HEADER = self.FILE_HEADER | |||
| self.NT_HEADERS.OPTIONAL_HEADER = self.OPTIONAL_HEADER | |||
|
|
|||
| # Detect artificially reduced values of NumberOfRvaAndSizes | |||
| # | |||
| directory_delta = (self.FILE_HEADER.SizeOfOptionalHeader | |||
There was a problem hiding this comment.
I came across a sample where SizeOfOptionalHeader also appeared to be inaccurate -- the optional header (including the data directories array) is clearly 240 (0xf0), but then SizeOfOptionalHeader is 160 (0xa0).
10 of the data directory entries are "missing" (e.g. the data directory array entry is present, but the address and size are both == 0), which is communicated by NumberOfRvaAndSizes being set to 6 (e.g. just a convenient precalculated count of "missing" entries). 10*8 bytes = 80 bytes (or 0x50), which just happens to be the difference between the actual space taken by the optional header and the SizeOfOptionalHeader value (0xf0 - 0xa0 = 0x50).
There was a problem hiding this comment.
Actually, I think the check you have is right as far as detecting misleading NumberOfRvaAndSizes. Upon closer inspection of the file I was looking at, I think the tools we were using were interpreting data after the optional header as data directory entries.
There was a problem hiding this comment.
Yep, this is pretty much the conclusion I also reached =).
|
I have rebased the PR onto the most recent version since there has been some recent support. I'd still like to see this in pefile. |
This is a proposed fix for #264.