libyal / libexe
Library and tools to access the executable (EXE) format
License: GNU Lesser General Public License v3.0
libexe is a library to access the executable (EXE) format. At the moment the goal of this project is to provide functionality to parse EXE (PE/COFF) and the resources stored in them using libwrc. This functionality is used in libevt and libevx to parse EventLog messages from PE/COFF message files.

Project information:
* Status: experimental
* Licence: LGPLv3+

Planned:
* Multi-threading support

For more information see:
* Project documentation: https://github.com/libyal/libexe/wiki/Home
* How to build from source: https://github.com/libyal/libexe/wiki/Building
The signature for Event definitions is defined as "EVTN"; however, in my files I see it as "EVNT". Is this a typo, or is it version-dependent? The major version in my case is 5.
Thanks anyway for the documentation!
I've done some digging on these values, and some unknown values actually seem to be the Windows Locale ID values.
For example, pwrshmsg.zip pwrshmsg.dll seems to have 1033 as a nameId at byte 0x478, which corresponds to en-US.
In the same way, the unknown value in the document seems to be ms-BN. Although this might need more research for confirmation, at least I think this gives a header to start.
https://ss64.com/locale.html I used this site to check for locale values, but I'm pretty sure that a Windows-certified site exists somewhere else.
BTW, your resources have been greatly helpful for Windows forensics. Thanks a lot!
Hi,
In your document https://github.com/libyal/libexe/blob/main/documentation/Executable%20(EXE)%20file%20format.asciidoc, it shows the DOS MZ Header contains:
So I use V2 * 512 + V1, but the size is much smaller than the actual EXE file size, why?
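An added example, written for this page and not part of the libexe project or of the thread above, that parses the DOS MZ header fields the question refers to. The bytes-on-last-page (e_cblp, offset 0x02) and pages-in-file (e_cp, offset 0x04) counts describe only the DOS part at the front of the file, so they do not add up to the size of a PE file; the e_lfanew field at offset 0x3C gives the offset of the PE signature that follows. The 512-byte sample image is constructed inline and shows the two sizes side by side; the function and type names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Little-endian field readers for the raw header bytes. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Size of the DOS image described by the MZ header: e_cp pages of 512 bytes,
 * where a non-zero e_cblp means only that many bytes of the last page are used. */
uint32_t mz_dos_image_size(uint16_t e_cblp, uint16_t e_cp)
{
    if (e_cp == 0) return 0;
    if (e_cblp == 0) return (uint32_t)e_cp * 512;
    return ((uint32_t)e_cp - 1) * 512 + e_cblp;
}

typedef struct {
    uint32_t dos_image_size;  /* bytes covered by the page counts (the DOS part only) */
    uint32_t e_lfanew;        /* offset of the PE signature, read from header offset 0x3C */
    int has_pe_signature;     /* 1 when "PE\0\0" is found at e_lfanew inside the buffer */
} mz_info_t;

/* Parse the 64-byte MZ header at the start of `data`. Returns 0 on success, -1 on error. */
int mz_parse(const uint8_t *data, size_t size, mz_info_t *out)
{
    if (data == NULL || out == NULL || size < 0x40) return -1;
    if (data[0] != 'M' || data[1] != 'Z') return -1;
    out->dos_image_size = mz_dos_image_size(rd16(data + 2), rd16(data + 4));
    out->e_lfanew = rd32(data + 0x3C);
    /* e_lfanew comes from the file and is untrusted: check it before dereferencing. */
    out->has_pe_signature = (out->e_lfanew <= size - 4 &&
                             memcmp(data + out->e_lfanew, "PE\0\0", 4) == 0);
    return 0;
}

#define SAMPLE_SIZE 0x200

/* Constructed sample (not a real binary): an MZ header whose page counts cover a
 * 128-byte DOS part, with a PE signature at e_lfanew = 0x80 and 512 bytes in total. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    if (cap < SAMPLE_SIZE) return 0;
    memset(buf, 0, SAMPLE_SIZE);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[2] = 0x80; buf[3] = 0x00;  /* e_cblp: 128 bytes used on the last page */
    buf[4] = 0x01; buf[5] = 0x00;  /* e_cp: one 512-byte page */
    buf[0x3C] = 0x80;              /* e_lfanew: PE header at file offset 0x80 */
    memcpy(buf + 0x80, "PE\0\0", 4);
    return SAMPLE_SIZE;
}

/* Build and parse the sample; returns the file size and fills `info` with the MZ fields. */
size_t run_sample(mz_info_t *info)
{
    uint8_t buf[SAMPLE_SIZE];
    size_t size = build_sample(buf, sizeof buf);
    if (size == 0 || mz_parse(buf, size, info) != 0) return 0;
    return size;
}

int main(void)
{
    mz_info_t info;
    size_t file_size = run_sample(&info);
    printf("file size: %zu bytes, DOS image from page counts: %u bytes\n",
           file_size, info.dos_image_size);
    printf("e_lfanew: 0x%x, PE signature present: %d\n", info.e_lfanew, info.has_pe_signature);
    return 0;
}
```

Running it on the constructed sample reports a 128-byte DOS image inside a 512-byte file, which is the gap the question describes: the rest of the file is the PE image starting at e_lfanew.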
Multiple heap-buffer-overflow errors inside function libexe_io_handle_read_coff_optional_header in libexe_io_handle.c
We found with our fuzzer multiple heap-buffer-overflow errors inside function libexe_io_handle_read_coff_optional_header. The version we use is "exeinfo 20180812".
These can be triggered when compiled with AddressSanitizer and run with the exe file.
Here are the POC files:
POC_files.zip
For example:
=================================================================
==109161==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000051 at pc 0x7f84e022ab5d bp 0x7fff952dad00 sp 0x7fff952dacf0
READ of size 1 at 0x602000000051 thread T0
#0 0x7f84e022ab5c in libexe_io_handle_read_coff_optional_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:1093
#1 0x7f84e022c06d in libexe_io_handle_read_coff_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:985
#2 0x7f84e022c5f2 in libexe_io_handle_read_pe_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:754
#3 0x7f84e022ca2d in libexe_io_handle_read_extended_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:429
#4 0x7f84e022d306 in libexe_io_handle_read_file_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:262
#5 0x7f84e022212a in libexe_file_open_read /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_file.c:865
#6 0x7f84e0223454 in libexe_file_open_file_io_handle /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_file.c:660
#7 0x7f84e0223d7e in libexe_file_open /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_file.c:379
#8 0x405cc3 in info_handle_open_input /home/wcventure/Documents/Fuzzing_Object/libexe/exetools/info_handle.c:301
#9 0x402c7e in main /home/wcventure/Documents/Fuzzing_Object/libexe/exetools/exeinfo.c:260
#10 0x7f84dfdec82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#11 0x403708 in _start (/home/wcventure/Documents/Fuzzing_Object/libexe/build/bin/exeinfo+0x403708)
0x602000000051 is located 0 bytes to the right of 1-byte region [0x602000000050,0x602000000051)
allocated by thread T0 here:
#0 0x7f84e07e0b90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
#1 0x7f84e022738c in libexe_io_handle_read_coff_optional_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:1048
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:1093 in libexe_io_handle_read_coff_optional_header
Shadow bytes around the buggy address:
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00 00 fa fa 04 fa fa fa[01]fa fa fa fa fa
0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==109161==ABORTING
And
=================================================================
==37887==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000001ca at pc 0x7f9a68633229 bp 0x7ffd49fad890 sp 0x7ffd49fad880
READ of size 2 at 0x60e0000001ca thread T0
#0 0x7f9a68633228 in libexe_io_handle_read_coff_optional_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:1812
#1 0x7f9a6863406d in libexe_io_handle_read_coff_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:985
#2 0x7f9a686345f2 in libexe_io_handle_read_pe_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:754
#3 0x7f9a68634a2d in libexe_io_handle_read_extended_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:429
#4 0x7f9a68635306 in libexe_io_handle_read_file_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:262
#5 0x7f9a6862a12a in libexe_file_open_read /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_file.c:865
#6 0x7f9a6862b454 in libexe_file_open_file_io_handle /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_file.c:660
#7 0x7f9a6862bd7e in libexe_file_open /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_file.c:379
#8 0x405cc3 in info_handle_open_input /home/wcventure/Documents/Fuzzing_Object/libexe/exetools/info_handle.c:301
#9 0x402c7e in main /home/wcventure/Documents/Fuzzing_Object/libexe/exetools/exeinfo.c:260
#10 0x7f9a681f482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#11 0x403708 in _start (/home/wcventure/Documents/Fuzzing_Object/libexe/build/bin/exeinfo+0x403708)
0x60e0000001ca is located 10 bytes to the right of 160-byte region [0x60e000000120,0x60e0000001c0)
allocated by thread T0 here:
#0 0x7f9a68be8b90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
#1 0x7f9a6862f38c in libexe_io_handle_read_coff_optional_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:1048
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:1812 in libexe_io_handle_read_coff_optional_header
Shadow bytes around the buggy address:
0x0c1c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c1c7fff8010: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c1c7fff8020: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1c7fff8030: 00 00 00 00 00 00 00 00 fa[fa]fa fa fa fa fa fa
0x0c1c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==37887==ABORTING
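Both traces show a read beyond a heap buffer that was allocated earlier in the same function (libexe_io_handle.c:1048), which is consistent with a parser reading fixed offsets of a header whose buffer length was taken from the file. The following is an added example, written for this page and not libexe's own code, of the defensive pattern for this class of bug: size the buffer from the declared SizeOfOptionalHeader, then check that declared size against the minimum for the optional header's magic before reading any fixed field, and check the data directory count against the bytes that remain. Field offsets follow the PE/COFF layout (PE32 fixed fields are 96 bytes, PE32+ 112); the sample images, error codes and function names are this example's own, and the 1-byte and 160-byte samples mirror the allocation sizes in the two reports without claiming to reproduce their exact inputs.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define PE32_MAGIC          0x10b
#define PE32PLUS_MAGIC      0x20b
#define PE32_FIXED_SIZE     96   /* standard + Windows-specific fields of a PE32 optional header */
#define PE32PLUS_FIXED_SIZE 112  /* the same for PE32+ */
#define DATA_DIRECTORY_SIZE 8
#define COFF_HEADER_SIZE    20

/* Result codes: anything but OPT_OK means the header must not be parsed further. */
enum { OPT_OK = 0, OPT_ERR_INPUT = -1, OPT_ERR_TRUNCATED = -2,
       OPT_ERR_MAGIC = -3, OPT_ERR_DIRECTORIES = -4 };

typedef struct {
    uint16_t magic;
    uint32_t address_of_entry_point;
    uint32_t size_of_image;
    uint32_t number_of_rva_and_sizes;
} coff_optional_header_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Parse an optional header held in a buffer of exactly `size` bytes, where `size`
 * came from the untrusted SizeOfOptionalHeader field. Every fixed-offset read is
 * guarded by a check that the buffer really holds those bytes. */
int parse_coff_optional_header(const uint8_t *data, size_t size, coff_optional_header_t *out)
{
    size_t fixed_size;
    if (data == NULL || out == NULL) return OPT_ERR_INPUT;
    if (size < 2) return OPT_ERR_TRUNCATED;            /* not even room for the magic */
    out->magic = rd16(data);
    if (out->magic == PE32_MAGIC) fixed_size = PE32_FIXED_SIZE;
    else if (out->magic == PE32PLUS_MAGIC) fixed_size = PE32PLUS_FIXED_SIZE;
    else return OPT_ERR_MAGIC;
    if (size < fixed_size) return OPT_ERR_TRUNCATED;   /* the fixed fields would overrun */
    out->address_of_entry_point = rd32(data + 16);
    out->size_of_image = rd32(data + 56);
    out->number_of_rva_and_sizes = rd32(data + fixed_size - 4);
    /* The data directory table follows the fixed fields: make sure the declared
     * count fits before anything walks it (division avoids multiplication overflow). */
    if (out->number_of_rva_and_sizes > (size - fixed_size) / DATA_DIRECTORY_SIZE)
        return OPT_ERR_DIRECTORIES;
    return OPT_OK;
}

/* Read the COFF file header at `coff_offset`, allocate exactly the declared optional
 * header size, copy it out of the image and parse it with the checks above. */
int read_optional_header(const uint8_t *file, size_t file_size, size_t coff_offset,
                         coff_optional_header_t *out)
{
    uint16_t declared; uint8_t *buffer; int rc;
    if (file == NULL || file_size < COFF_HEADER_SIZE || coff_offset > file_size - COFF_HEADER_SIZE)
        return OPT_ERR_INPUT;
    declared = rd16(file + coff_offset + 16);          /* SizeOfOptionalHeader */
    if (declared == 0 || declared > file_size - coff_offset - COFF_HEADER_SIZE)
        return OPT_ERR_TRUNCATED;                       /* optional header outside the file */
    buffer = malloc(declared);
    if (buffer == NULL) return OPT_ERR_INPUT;
    memcpy(buffer, file + coff_offset + COFF_HEADER_SIZE, declared);
    rc = parse_coff_optional_header(buffer, declared, out);
    free(buffer);
    return rc;
}

/* Constructed sample image (not a real binary): a zeroed COFF header followed by a
 * PE32 optional header of `declared_size` bytes claiming `num_dirs` data directories. */
int check_sample(uint16_t declared_size, uint32_t num_dirs, coff_optional_header_t *out)
{
    size_t total = COFF_HEADER_SIZE + (size_t)declared_size;
    uint8_t *img = calloc(total, 1), *opt;
    int rc;
    if (img == NULL) return OPT_ERR_INPUT;
    opt = img + COFF_HEADER_SIZE;
    img[16] = (uint8_t)declared_size; img[17] = (uint8_t)(declared_size >> 8);
    if (declared_size >= 2) { opt[0] = 0x0b; opt[1] = 0x01; }   /* Magic: PE32 */
    if (declared_size >= PE32_FIXED_SIZE) {
        wr32(opt + 16, 0x1000);      /* AddressOfEntryPoint */
        wr32(opt + 56, 0x4000);      /* SizeOfImage */
        wr32(opt + 92, num_dirs);    /* NumberOfRvaAndSizes */
    }
    rc = read_optional_header(img, total, 0, out);
    free(img);
    return rc;
}

int main(void)
{
    coff_optional_header_t h;
    printf("224-byte PE32 header, 16 directories: %d (0 = accepted)\n", check_sample(224, 16, &h));
    printf("1-byte header, magic unreadable: %d\n", check_sample(1, 0, &h));
    printf("160-byte header claiming 16 directories: %d\n", check_sample(160, 16, &h));
    return 0;
}
```

The point of the layering is that the only value the parser trusts is the buffer length it allocated itself; every field offset is compared against that length before the read, and the variable-length directory table is checked against the remaining bytes rather than assumed to be present. A fuzzer driving the two sample shapes above then reaches an error return instead of a sanitizer report.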
libuna_utf8_stream.c
fatal error C1083: “....\libuna\libuna_utf8_stream.c”: No such file or directory
libcdata_list.c
fatal error C1083: “....\libcdata\libcdata_list.c”: No such file or directory
libcdata_list_element.c
fatal error C1083: “....\libcdata\libcdata_list_element.c”: No such file or directory
.........
pls