libyal / libexe Goto Github PK

Library and tools to access the executable (EXE) format

License: GNU Lesser General Public License v3.0

PowerShell 2.70% Shell 6.68% C 73.80% Makefile 1.71% C++ 0.21% Python 1.93% M4 12.21% Roff 0.76%

libexe's Issues

Potential typo in documentation

https://github.com/libyal/libexe/blob/main/documentation/Executable%20(EXE)%20file%20format.asciidoc#687-event-definitions

The signature for Event definitions is defined as "EVTN", however, in my files I see it as "EVNT". Is this a typo or it is version-dependent? The major version in my case is 5.

Thanks anyway for the documentation!

How do I compile from source?

libuna_utf8_stream.c
fatal error C1083: “....\libuna\libuna_utf8_stream.c”: No such file or directory
libcdata_list.c
fatal error C1083: “....\libcdata\libcdata_list.c”: No such file or directory
libcdata_list_element.c
fatal error C1083: “....\libcdata\libcdata_list_element.c”: No such file or directory
.........
pls

OOB read of 1 and 2 in libexe_io_handle_read_coff_optional_header of libexe 20180812

Multiple heap-buffer-overflow errors inside function libexe_io_handle_read_coff_optional_header in libexe_io_handle.c

We found with our fuzzer multiple heap-buffer-overflow errors inside function libexe_io_handle_read_coff_optional_header. The version we use is "exeinfo 20180812".

These can be triggered when compiled with address sanitizer and run with exe file.

Here is the POC files:
POC_files.zip

For example:

=================================================================
==109161==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000051 at pc 0x7f84e022ab5d bp 0x7fff952dad00 sp 0x7fff952dacf0
READ of size 1 at 0x602000000051 thread T0
    #0 0x7f84e022ab5c in libexe_io_handle_read_coff_optional_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:1093
    #1 0x7f84e022c06d in libexe_io_handle_read_coff_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:985
    #2 0x7f84e022c5f2 in libexe_io_handle_read_pe_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:754
    #3 0x7f84e022ca2d in libexe_io_handle_read_extended_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:429
    #4 0x7f84e022d306 in libexe_io_handle_read_file_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:262
    #5 0x7f84e022212a in libexe_file_open_read /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_file.c:865
    #6 0x7f84e0223454 in libexe_file_open_file_io_handle /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_file.c:660
    #7 0x7f84e0223d7e in libexe_file_open /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_file.c:379
    #8 0x405cc3 in info_handle_open_input /home/wcventure/Documents/Fuzzing_Object/libexe/exetools/info_handle.c:301
    #9 0x402c7e in main /home/wcventure/Documents/Fuzzing_Object/libexe/exetools/exeinfo.c:260
    #10 0x7f84dfdec82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x403708 in _start (/home/wcventure/Documents/Fuzzing_Object/libexe/build/bin/exeinfo+0x403708)

0x602000000051 is located 0 bytes to the right of 1-byte region [0x602000000050,0x602000000051)
allocated by thread T0 here:
    #0 0x7f84e07e0b90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
    #1 0x7f84e022738c in libexe_io_handle_read_coff_optional_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:1048

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:1093 in libexe_io_handle_read_coff_optional_header
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00 00 fa fa 04 fa fa fa[01]fa fa fa fa fa
  0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==109161==ABORTING

And

=================================================================
==37887==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000001ca at pc 0x7f9a68633229 bp 0x7ffd49fad890 sp 0x7ffd49fad880
READ of size 2 at 0x60e0000001ca thread T0
    #0 0x7f9a68633228 in libexe_io_handle_read_coff_optional_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:1812
    #1 0x7f9a6863406d in libexe_io_handle_read_coff_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:985
    #2 0x7f9a686345f2 in libexe_io_handle_read_pe_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:754
    #3 0x7f9a68634a2d in libexe_io_handle_read_extended_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:429
    #4 0x7f9a68635306 in libexe_io_handle_read_file_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:262
    #5 0x7f9a6862a12a in libexe_file_open_read /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_file.c:865
    #6 0x7f9a6862b454 in libexe_file_open_file_io_handle /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_file.c:660
    #7 0x7f9a6862bd7e in libexe_file_open /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_file.c:379
    #8 0x405cc3 in info_handle_open_input /home/wcventure/Documents/Fuzzing_Object/libexe/exetools/info_handle.c:301
    #9 0x402c7e in main /home/wcventure/Documents/Fuzzing_Object/libexe/exetools/exeinfo.c:260
    #10 0x7f9a681f482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x403708 in _start (/home/wcventure/Documents/Fuzzing_Object/libexe/build/bin/exeinfo+0x403708)

0x60e0000001ca is located 10 bytes to the right of 160-byte region [0x60e000000120,0x60e0000001c0)
allocated by thread T0 here:
    #0 0x7f9a68be8b90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
    #1 0x7f9a6862f38c in libexe_io_handle_read_coff_optional_header /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:1048

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wcventure/Documents/Fuzzing_Object/libexe/libexe/libexe_io_handle.c:1812 in libexe_io_handle_read_coff_optional_header
Shadow bytes around the buggy address:
  0x0c1c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1c7fff8010: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c1c7fff8020: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1c7fff8030: 00 00 00 00 00 00 00 00 fa[fa]fa fa fa fa fa fa
  0x0c1c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==37887==ABORTING

How to get the size of an EXE file from its header?

Hi,

In your document https://github.com/libyal/libexe/blob/main/documentation/Executable%20(EXE)%20file%20format.asciidoc, it shows the DOS MZ Header contains :

Number of bytes in last 512-byte page of executable, assume V1
Total number of 512-byte pages in executable, assume V2

So I use V2 * 512 + V1, but the size is much smaller than the actual EXE file size, why?

Some research on Resource Data Types

https://github.com/libyal/libexe/blob/master/documentation/Executable%20(EXE)%20file%20format.asciidoc#55-resource-data-types

I've done some digging on these values, and some unknown values actually seems to be the Windows Locale ID values.
For example, pwrshmsg.zip pwrshmsg.dll seems to have 1033 as a nameId on Byte 0x478, which corresponds to en-US.
In same way, the unknown value on the document seems to be ms-BN. Although this might need more research for confirmation, at least I think this gives a header to start.
https://ss64.com/locale.html I used this site to check for locale values, but pretty sure that a windows certified site would exist somewhere else.
BTW, your resources have been greatly helpful for Windows forensic. Thanks a lot!

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.