From 4fe8298411af5abf412e8f2bd98dfbdd55692c2a Mon Sep 17 00:00:00 2001 From: Ladislav Zezula Date: Mon, 8 Feb 2021 22:01:14 +0100 Subject: [PATCH] + PE Files cut in the middle of IMAGE_FILE_HEADER not cause fileinfo's loader to return ERROR_NONE and loaderError to LDR_ERROR_NTHEADER_OUT_OF_FILE --- src/fileformat/utils/format_detection.cpp | 2 +- src/pelib/ImageLoader.cpp | 9 +++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/src/fileformat/utils/format_detection.cpp b/src/fileformat/utils/format_detection.cpp index 59e8c4f66..7814b8ede 100644 --- a/src/fileformat/utils/format_detection.cpp +++ b/src/fileformat/utils/format_detection.cpp @@ -129,7 +129,7 @@ bool isPe(std::istream& stream) // Create instance of the ImageLoader with most benevolent flags ImageLoader imgLoader(0); - // Load the image from stream. Only load headers. + // Load the image from stream. Only load headers return (imgLoader.Load(stream, 0, true) == ERROR_NONE); } diff --git a/src/pelib/ImageLoader.cpp b/src/pelib/ImageLoader.cpp index 29d1bdc85..a2b274b3f 100644 --- a/src/pelib/ImageLoader.cpp +++ b/src/pelib/ImageLoader.cpp @@ -879,9 +879,10 @@ int PeLib::ImageLoader::Load( if(fileError != ERROR_NONE) return fileError; - // Check and capture NT headers + // Check and capture NT headers. Don't go any fuhrter than here if the NT headers were detected as bad. + // Sample: retdec-regression-tests\tools\fileinfo\features\pe-loader-corruptions\001-pe-header-cut-001.ex_ fileError = captureNtHeaders(fileData); - if(fileError != ERROR_NONE) + if(fileError != ERROR_NONE || ldrError == LDR_ERROR_NTHEADER_OUT_OF_FILE) return fileError; // Check and capture section headers @@ -1607,11 +1608,11 @@ int PeLib::ImageLoader::captureNtHeaders(ByteBuffer & fileData) } filePtr += sizeof(uint32_t); - // Capture the file header + // Capture the file header. Note that if the NT header is cut, we still want to recognize the file as PE if((filePtr + sizeof(PELIB_IMAGE_FILE_HEADER)) >= fileEnd) { setLoaderError(LDR_ERROR_NTHEADER_OUT_OF_FILE); - return ERROR_INVALID_FILE; + return ERROR_NONE; } memcpy(&fileHeader, filePtr, sizeof(PELIB_IMAGE_FILE_HEADER));