fix: wrong extraction of PDB path from certain PE files.
Also add test cases covering all execution paths during PDB path extraction.
plusvic committed Nov 8, 2023
1 parent 96edde7 commit 8262728
Showing 7 changed files with 3,591 additions and 1 deletion.
2 changes: 1 addition & 1 deletion yara-x/src/modules/pe/parser.rs
Expand Up @@ -1267,7 +1267,7 @@ impl<'a> PE<'a> {
verify(le_u32::<&[u8], Error>, |signature| {
*signature == 0x3031424e // "NB10"
}),
take(16_usize), // skip offset, timestamp, and age
take(12_usize), // skip offset, timestamp, and age
take_till(|c| c == 0),
)),
//
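Review bot: The `take_till(|c| c == 0)` that follows the corrected `take(12_usize)` is not bounded by the size of the debug directory entry, so a CodeView NB10 record whose path has no NUL terminator would, if this is nom's complete-input `take_till` (not visible in the hunk), be accepted with everything up to the end of the input as the "path" rather than rejected; the new test files on this page appear to carry a terminated path, so that branch looks unexercised. A test input without a terminator, and a cap on the path length derived from the entry's size in the surrounding code, would close that gap. The skip count also deserves a comment that makes the arithmetic checkable, e.g. `take(12_usize), // skip offset (u32), timestamp (u32) and age (u32): 12 bytes`. The enclosing parser method in `impl<'a> PE<'a>` starts and ends outside the hunk.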
@@ -0,0 +1,126 @@
:100000004D5A000000000000000000000000000049
:1000100000000000000000000000000000000000E0
:1000200000000000000000000000000000000000D0
:100030000000000000000000000000008000000040
:1000400000000000000000000000000000000000B0
:1000500000000000000000000000000000000000A0
:100060000000000000000000000000000000000090
:100070000000000000000000000000000000000080
:10008000504500006486030000000000C007000027
:1000900000000000F0000E030B0202380000000018
:1000A00000000000000000001A04000040020000F0
:1000B0000000000000000000200000002000000000
:1000C0000000000000000000000000000000000030
:1000D000C007000040020000467500000B00000051
:1000E0000000000000000000000000000000000010
:1000F0000000000000000000000000000000000000
:1001000000000000100000000000000000000000DF
:1001100000000000000000000000000000000000DF
:1001200000000000000000000000000000000000CF
:100130000000000000000000600700005500000003
:1001400000000000000000000000000000000000AF
:10015000000000000000000000000000000000009F
:10016000000000000000000000000000000000008F
:10017000000000000000000000000000000000007F
:1001800000000000000000002E746578740000007C
:10019000A004000040020000A00400004002000093
:1001A00000000000000000000000000020000060CF
:1001B0002E6461746100000080000000E006000011
:1001C00060000000E00600000000000000000000E9
:1001D00000000000600000E02E64656275670000AA
:1001E000550000006007000060000000600700008C
:1001F000000000000000000000000000600000623D
:1002000000000000000000000000000000000000EE
:1002100000000000000000000000000000000000DE
:1002200000000000000000000000000000000000CE
:1002300000000000000000000000000000000000BE
:10024000554889E556574883EC3048B8AAAAAAAA67
:10025000AAAAAAAA488D75E8488906488915CE0435
:100260000000488B4260488905CB040000488B425F
:1002700058488905C8040000488D0DA104000048B5
:1002800089F2E883000000488B060FB7086683F9FF
:10029000FF746D488D35760400004889C76683F980
:1002A000FF74136683F904740D0FB757020FB70C70
:1002B000174801D7EBE76683F9FF480F44F86683D8
:1002C0003F047510488D57084889F1E82401000063
:1002D00084C075180FB74F02488D040F488945E850
:1002E0000FB70C0F6683F9FF75B0EB140FB7470219
:1002F0004801F8488945E8488B4F18E8E7000000B6
:1003000031C04883C4305F5E5DC3554889E54157BD
:1003100041565657534883EC2849BE0E0000000052
:1003200000008048C70200000000488B05FF030062
:1003300000488378680074494989D74889CB31F6E9
:1003400031FF488B50704801F24889D9E8A300007A
:100350000084C0751648FFC7488B05D103000048CC
:1003600083C618483B786872D9EB16488B05BE03E4
:100370000000488B4070488B443010498907453154
:10038000F64C89F04883C4285B5F5E415E415F5D47
:10039000C3554889E556574883EC304889CE488D87
:1003A0007DE848C70700000000488B05880300006F
:1003B000B9040000004889F24989F8FF5040488B91
:1003C0003F4885FF7416488B056B0300004889F988
:1003D0004889F24531C0FF90680100004889F8481B
:1003E00083C4305F5E5DC3554889E548890D560377
:1003F00000005DC3554889E54531C04531C9428B90
:100400000489422B048A4109C049FFC14983F90488
:1004100075EC4585C00F94C05DC3554889E54157CB
:1004200041565657534883EC4848C745C000000022
:1004300000E80AFEFFFF4885C00F88500100004811
:10044000BF0900000000000080B920000000E83E65
:10045000FFFFFF4885C00F84C90100004889C6C757
:10046000006D6C6564488D05C90100004889460827
:100470004C8D45C849C70000000000488B05460266
:100480000000488945B8488B05330200004889457B
:10049000B0C745D400000000488B05990200004811
:1004A0008D0D4A02000031D2FF90400100004885C6
:1004B000C00F88E0000000488B4DC8488D55B04CF7
:1004C0008D45D4FF51104989C74885C00F98C04851
:1004D0008D4FFC4939CF0F95C14531F684C8752D34
:1004E0008B4DD485C97426E8A5FEFFFF4989C6480F
:1004F00085C00F84A7000000488B4DC8488D55B0BB
:100500004C8D4DD44D89F0FF51084989C74D85FF69
:100510000F8886000000410FB60E884E104885C92E
:100520000F848D00000048C1E104E862FEFFFF482F
:100530008946184885C00F8480000000807E100026
:100540007477498D4E04BA0100000031FF8A59FDCD
:10055000881C388A41FE488B5E1888443B01488BD2
:1005600001488B5E184889443B088A41FF488B5EEE
:100570001888443B020FB646104839C2733B488B7B
:10058000461848FFC24883C7104883C10BEBBE48DA
:1005900089C7E98E0000004889C7EB7C4C89FF4D74
:1005A00085F67474488B058D0100004C89F1FF506D
:1005B00048EB094883C7FAEB034C89FF488B057564
:1005C0000100004C89F1FF50484885FF784A48896E
:1005D000F74883C708488B055C010000488D0D1D56
:1005E0000100004C8D056601000031D2FF904001F2
:1005F0000000488B053F010000488D15E000000019
:10060000488D4DC04989F84531C9FF904801000027
:100610004889C74885C0790D488B051901000048F5
:1006200089F1FF50484889F84883C4485B5F5E41C0
:100630005E415F5DC3554889E55648B80300000038
:10064000000000804885C9742C0FB671084C8D5885
:100650000B4885F6741A4C8B491048C1E6044531A5
:10066000D24338141174134983C2104C39D675F132
:100670004C89D8EB3F48FFC8EB3A43807C1101011D
:100680007532488B0DC70000004885C974264B8B16
:100690005411084180F802410F95C043807C11023B
:1006A000020F94C04430C0440FB6C0488B41205E56
:1006B0005D48FFE05E5DC300000000000000000038
:1006C0008F78FC434AB0CC4FB40EFFAE869DF2F556
:1006D000000000000000000000000000000000001A
:1006E000A3CB62A68580C641907DF452FF73EF3F95
:1006F00029485EACFDA80B44AF339FFE013B12D8E6
:10070000EDC417035DE231449246C13E38CA3D8ACA
:10071000DDE24AEF36B7E3408061A74633347F23FA
:100720004CF23977D793D4119A3A0090273FC14DB4
:1007300000000000000000000000000000000000B9
:1007400000000000000000000000000000000000A9
:100750000000000000000000000000000000000099
:100760000000000088AC05630000000002000000EB
:10077000390000007C0700007C0700004D544F4307
:10078000B7931D443C5C953BBD9A6E46BDE8305521
:1007900032414337314146332D413333382D3439DB
:1007A00035432D383334452D3937374136444435B8
:1007B0004336464400000000000000000000000036
:0407C0000400000031
:00000001FF
@@ -0,0 +1,153 @@
is_pe: true
machine: MACHINE_AMD64
subsystem: SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER
os_version {
major: 0
minor: 0
}
subsystem_version {
major: 0
minor: 0
}
image_version {
major: 0
minor: 0
}
linker_version {
major: 2
minor: 56
}
characteristics: 782
dll_characteristics: 0
timestamp: 0
image_base: 0
checksum: 30022
base_of_code: 576
entry_point: 1050
entry_point_raw: 1050
section_alignment: 32
file_alignment: 32
loader_flags: 0
size_of_optional_header: 240
size_of_code: 0
size_of_initialized_data: 0
size_of_uninitialized_data: 0
size_of_image: 1984
size_of_headers: 576
size_of_stack_reserve: 0
size_of_stack_commit: 0
size_of_heap_reserve: 0
size_of_heap_commit: 0
pointer_to_symbol_table: 1984
number_of_symbols: 0
number_of_rva_and_sizes: 16
win32_version_value: 0
number_of_sections: 3
pdb_path: "2AC71AF3-A338-495C-834E-977A6DD5C6FD"
sections {
name: ".text"
full_name: ".text"
characteristics: 1610612768
raw_data_size: 1184
raw_data_offset: 576
virtual_address: 576
virtual_size: 1184
pointer_to_relocations: 0
pointer_to_line_numbers: 0
number_of_relocations: 0
number_of_line_numbers: 0
}
sections {
name: ".data"
full_name: ".data"
characteristics: 3758096480
raw_data_size: 96
raw_data_offset: 1760
virtual_address: 1760
virtual_size: 128
pointer_to_relocations: 0
pointer_to_line_numbers: 0
number_of_relocations: 0
number_of_line_numbers: 0
}
sections {
name: ".debug"
full_name: ".debug"
characteristics: 1644167264
raw_data_size: 96
raw_data_offset: 1888
virtual_address: 1888
virtual_size: 85
pointer_to_relocations: 0
pointer_to_line_numbers: 0
number_of_relocations: 0
number_of_line_numbers: 0
}
data_directories {
virtual_address: 0
size: 0
}
data_directories {
virtual_address: 0
size: 0
}
data_directories {
virtual_address: 0
size: 0
}
data_directories {
virtual_address: 0
size: 0
}
data_directories {
virtual_address: 0
size: 0
}
data_directories {
virtual_address: 0
size: 0
}
data_directories {
virtual_address: 1888
size: 85
}
data_directories {
virtual_address: 0
size: 0
}
data_directories {
virtual_address: 0
size: 0
}
data_directories {
virtual_address: 0
size: 0
}
data_directories {
virtual_address: 0
size: 0
}
data_directories {
virtual_address: 0
size: 0
}
data_directories {
virtual_address: 0
size: 0
}
data_directories {
virtual_address: 0
size: 0
}
data_directories {
virtual_address: 0
size: 0
}
data_directories {
virtual_address: 0
size: 0
}
overlay {
offset: 1984
size: 4
}