x64dbg
/
GleeBug
mirror of https://github.com/x64dbg/GleeBug
1
0
Fork 0
Code Releases Activity

most (209/228) corkami messed up PE files pass with ParseHeaders

This commit is contained in:
mrexodia 2015-12-29 02:22:47 +01:00
parent 399503b268
commit 407c05a5ec
6 changed files with 336 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
GleeBug/Static.Pe.cpp
View File

@ -6,6 +6,7 @@ namespace GleeBug
: _file(file) : _file(file)
{ {
Clear(); Clear();
setupErrorMap();
} }
void Pe::Clear() void Pe::Clear()
@ -35,12 +36,16 @@ namespace GleeBug
return ErrorDosHeaderMagic; return ErrorDosHeaderMagic;
//get the NT headers offset //get the NT headers offset
auto newOffset = uint32(_dosHeader->e_lfanew); auto newOffset = _dosHeader->e_lfanew;
//verify the new offset //verify the new offset
if (newOffset < 0 || newOffset < _offset || newOffset >= _file.GetSize()) if (newOffset < 0 || uint32(newOffset) >= _file.GetSize())
return ErrorDosHeaderNtHeaderOffset; return ErrorDosHeaderNtHeaderOffset;
//TODO: special case where DOS and PE header overlap (tinygui.exe)
if (uint32(newOffset) < _offset)
return ErrorDosHeaderNtHeaderOffsetOverlap;
//read & verify the data between the DOS header and the NT headers //read & verify the data between the DOS header and the NT headers
auto afterDosCount = newOffset - _offset; auto afterDosCount = newOffset - _offset;
_afterDosData = readRegion<uint8>(afterDosCount); _afterDosData = readRegion<uint8>(afterDosCount);
@ -51,7 +56,7 @@ namespace GleeBug
auto signature = readRegion<DWORD>(); auto signature = readRegion<DWORD>();
if (!signature) if (!signature)
return ErrorNtSignatureRead; return ErrorNtSignatureRead;
if (*(signature()) != IMAGE_NT_SIGNATURE) if (*signature() != IMAGE_NT_SIGNATURE)
return ErrorNtSignatureMagic; return ErrorNtSignatureMagic;
//read the file header //read the file header
@ -98,11 +103,26 @@ namespace GleeBug
break; break;
default: //unsupported machine default: //unsupported machine
{
//try the best possible effort (corkami's d_resource.dll)
auto ioh = readRegion<uint8>(ifh->SizeOfOptionalHeader);
if (!ioh)
return ErrorNtFileHeaderUnsupportedMachineOptionalHeaderRead;
_ntHeaders32 = Region<IMAGE_NT_HEADERS32>(&_data, signature.Offset());
if (!_ntHeaders32)
return ErrorNtFileHeaderUnsupportedMachineNtHeadersRegionSize;
return ErrorNtFileHeaderUnsupportedMachine; return ErrorNtFileHeaderUnsupportedMachine;
} }
}
//read data after the optional header //check the SizeOfOptionalHeader field
auto sizeOfIoh = ifh->SizeOfOptionalHeader; //this field can be zero auto sizeOfIoh = ifh->SizeOfOptionalHeader;
if (ifh->NumberOfSections && sizeOfIoh < realSizeOfIoh) //TODO: this can be valid in certain circumstances (nullSOH-XP)
return ErrorNtFileHeaderSizeOfOptionalHeaderOverlap;
//read data after the optional header (TODO: check if this is even possible)
uint32 afterOptionalCount = sizeOfIoh > realSizeOfIoh ? sizeOfIoh - realSizeOfIoh : 0; uint32 afterOptionalCount = sizeOfIoh > realSizeOfIoh ? sizeOfIoh - realSizeOfIoh : 0;
_afterOptionalData = readRegion<uint8>(afterOptionalCount); _afterOptionalData = readRegion<uint8>(afterOptionalCount);
@ -113,6 +133,16 @@ namespace GleeBug
return ErrorOk; return ErrorOk;
} }
bool Pe::IsValidPe() const
{
return _sectionHeaders.Valid();
}
bool Pe::IsPe64() const
{
return IsValidPe() ? _ntHeaders64.Valid() : false;
}
uint32 Pe::readData(uint32 size) uint32 Pe::readData(uint32 size)
{ {
std::vector<uint8> temp(size); std::vector<uint8> temp(size);
@ -126,13 +156,23 @@ namespace GleeBug
return result; return result;
} }
bool Pe::IsValidPe() const void Pe::setupErrorMap()
{ {
return _sectionHeaders.Valid(); _errorMap.insert({ ErrorOk, "ErrorOk" });
} _errorMap.insert({ ErrorDosHeaderRead, "ErrorDosHeaderRead" });
_errorMap.insert({ ErrorDosHeaderMagic, "ErrorDosHeaderMagic" });
bool Pe::IsPe64() const _errorMap.insert({ ErrorDosHeaderNtHeaderOffset, "ErrorDosHeaderNtHeaderOffset" });
{ _errorMap.insert({ ErrorDosHeaderNtHeaderOffsetOverlap, "ErrorDosHeaderNtHeaderOffsetOverlap" });
return IsValidPe() ? _ntHeaders64.Valid() : false; _errorMap.insert({ ErrorAfterDosHeaderData, "ErrorAfterDosHeaderData" });
_errorMap.insert({ ErrorNtSignatureRead, "ErrorNtSignatureRead" });
_errorMap.insert({ ErrorNtSignatureMagic, "ErrorNtSignatureMagic" });
_errorMap.insert({ ErrorNtFileHeaderRead, "ErrorNtFileHeaderRead" });
_errorMap.insert({ ErrorNtFileHeaderSizeOfOptionalHeaderOverlap, "ErrorNtFileHeaderSizeOfOptionalHeaderOverlap" });
_errorMap.insert({ ErrorNtFileHeaderUnsupportedMachine, "ErrorNtFileHeaderUnsupportedMachine" });
_errorMap.insert({ ErrorNtFileHeaderUnsupportedMachineOptionalHeaderRead, "ErrorNtFileHeaderUnsupportedMachineOptionalHeaderRead" });
_errorMap.insert({ ErrorNtFileHeaderUnsupportedMachineNtHeadersRegionSize, "ErrorNtFileHeaderUnsupportedMachineNtHeadersRegionSize" });
_errorMap.insert({ ErrorNtOptionalHeaderRead, "ErrorNtOptionalHeaderRead" });
_errorMap.insert({ ErrorNtOptionalHeaderMagic, "ErrorNtOptionalHeaderMagic" });
_errorMap.insert({ ErrorNtHeadersRegionSize, "ErrorNtHeadersRegionSize" });
} }
}; };

30
GleeBug/Static.Pe.h
View File

@ -11,18 +11,22 @@ namespace GleeBug
public: public:
enum Error enum Error
{ {
ErrorOk, ErrorOk = 0,
ErrorDosHeaderRead, ErrorDosHeaderRead = 1,
ErrorDosHeaderMagic, ErrorDosHeaderMagic = 2,
ErrorDosHeaderNtHeaderOffset, ErrorDosHeaderNtHeaderOffset = 3,
ErrorAfterDosHeaderData, ErrorDosHeaderNtHeaderOffsetOverlap = 4,
ErrorNtSignatureRead, ErrorAfterDosHeaderData = 5,
ErrorNtSignatureMagic, ErrorNtSignatureRead = 6,
ErrorNtFileHeaderRead, ErrorNtSignatureMagic = 7,
ErrorNtFileHeaderUnsupportedMachine, ErrorNtFileHeaderRead = 8,
ErrorNtOptionalHeaderRead, ErrorNtFileHeaderSizeOfOptionalHeaderOverlap = 9,
ErrorNtOptionalHeaderMagic, ErrorNtFileHeaderUnsupportedMachine = 10,
ErrorNtHeadersRegionSize ErrorNtFileHeaderUnsupportedMachineOptionalHeaderRead = 11,
ErrorNtFileHeaderUnsupportedMachineNtHeadersRegionSize = 12,
ErrorNtOptionalHeaderRead = 13,
ErrorNtOptionalHeaderMagic = 14,
ErrorNtHeadersRegionSize = 15,
}; };
explicit Pe(File & file); explicit Pe(File & file);
@ -41,6 +45,7 @@ namespace GleeBug
private: private:
uint32 readData(uint32 size); uint32 readData(uint32 size);
void setupErrorMap();
template<typename T> template<typename T>
inline Region<T> readRegion(uint32 count = 1) inline Region<T> readRegion(uint32 count = 1)
@ -48,6 +53,7 @@ namespace GleeBug
return Region<T>(&_data, readData(sizeof(T) * count), count); return Region<T>(&_data, readData(sizeof(T) * count), count);
} }
std::unordered_map<Error, const char*> _errorMap;
File & _file; File & _file;
uint32 _fileSize; uint32 _fileSize;
std::vector<uint8> _data; std::vector<uint8> _data;

1
MyDebugger/MyDebugger.vcxproj
View File

@ -142,6 +142,7 @@
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClInclude Include="MyDebugger.h" /> <ClInclude Include="MyDebugger.h" />
<ClInclude Include="PeTests.h" />
</ItemGroup> </ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets"> <ImportGroup Label="ExtensionTargets">

3
MyDebugger/MyDebugger.vcxproj.filters
View File

@ -23,5 +23,8 @@
<ClInclude Include="MyDebugger.h"> <ClInclude Include="MyDebugger.h">
<Filter>Header Files</Filter> <Filter>Header Files</Filter>
</ClInclude> </ClInclude>
<ClInclude Include="PeTests.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup> </ItemGroup>
</Project> </Project>

231
MyDebugger/PeTests.h Normal file
View File

@ -0,0 +1,231 @@
const wchar_t* peTestFiles[] =
{
L"65535sects.exe",
L"96emptysections.exe",
L"96workingsections.exe",
L"appendeddata.exe",
L"appendedhdr.exe",
L"appendedsecttbl.exe",
L"apphdrW7.exe",
L"appsectableW7.exe",
L"aslr-ld.exe",
L"aslr.dll",
L"bigalign.exe",
L"bigib.exe",
L"bigsec.exe",
L"bigSoRD.exe",
L"bottomsecttbl.exe",
L"cfgbogus.exe",
L"compiled.exe",
L"copyright.exe",
L"ctxt-ld.exe",
L"ctxt.dll",
L"debug.exe",
L"delaycorrupt.exe",
L"delayfake.exe",
L"delayimports.exe",
L"dep.exe",
L"dll-dynld.exe",
L"dll-dynunicld.exe",
L"dll-ld.exe",
L"dll-webdavld.exe",
L"dll.dll",
L"dllbound-ld.exe",
L"dllbound-redirld.exe",
L"dllbound-redirldXP.exe",
L"dllbound.dll",
L"dllbound2.dll",
L"dllcfgdup-dynld.exe",
L"dllcfgdup.dll",
L"dllemptyexp-ld.exe",
L"dllemptyexp.dll",
L"dllextep-ld.exe",
L"dllextep.dll",
L"dllfakess-dynld.exe",
L"dllfakess-ld.exe",
L"dllfakess.dll",
L"dllfw-ld.exe",
L"dllfw.dll",
L"dllfwloop-ld.exe",
L"dllfwloop.dll",
L"dllmaxvals-dynld.exe",
L"dllmaxvals-ld.exe",
L"dllmaxvals.dll",
L"dllnegep-ld.exe",
L"dllnegep.dll",
L"dllnoexp-dynld.exe",
L"dllnoexp.dll",
L"dllnomain-ld.exe",
L"dllnomain.dll",
L"dllnomain2-dynld.exe",
L"dllnomain2.dll",
L"dllnoreloc-ld.exe",
L"dllnoreloc.dll",
L"dllnullep-dynld.exe",
L"dllnullep-ld.exe",
L"dllnullep.dll",
L"dllord-ld.exe",
L"dllord.dll",
L"dllweirdexp-ld.exe",
L"dllweirdexp.dll",
L"dosZMXP.exe",
L"dotnet20.exe",
L"driver.sys",
L"dump_imports.exe",
L"duphead.exe",
L"dupsec.exe",
L"d_nonnull-ld.exe",
L"d_nonnull.dll",
L"d_resource-ld.exe",
L"d_resource.dll",
L"d_tiny-ld.exe",
L"d_tiny.dll",
L"exceptions.exe",
L"exe2pe.exe",
L"exportobf.exe",
L"exportsdata.exe",
L"exports_doc.exe",
L"exports_order.exe",
L"fakenet.exe",
L"fakeregs.exe",
L"fakeregslib.dll",
L"fakerelocs.exe",
L"foldedhdr.exe",
L"foldedhdrW7.exe",
L"footer.exe",
L"gui.exe",
L"hard_imports.exe",
L"hdrcode.exe",
L"hdrdata.exe",
L"hiddenappdata1.exe",
L"hiddenappdata2.exe",
L"ibkernel.exe",
L"ibkmanual.exe",
L"ibknoreloc64.exe",
L"ibnullXP.exe",
L"ibreloc.exe",
L"ibrelocW7.exe",
L"impbyord.exe",
L"imports.exe",
L"importsdotXP.exe",
L"importshint.exe",
L"imports_apimsW7.exe",
L"imports_badterm.exe",
L"imports_bogusIAT.exe",
L"imports_corruptedIAT.exe",
L"imports_iatindesc.exe",
L"imports_mixed.exe",
L"imports_multidesc.exe",
L"imports_nnIAT.exe",
L"imports_noext.exe",
L"imports_noint.exe",
L"imports_nothunk.exe",
L"imports_relocW7.exe",
L"imports_tinyW7.exe",
L"imports_tinyXP.exe",
L"imports_virtdesc.exe",
L"imports_vterm.exe",
L"ldrsnaps.exe",
L"ldrsnaps64.exe",
L"lfanew_relocW7.exe",
L"lfanew_relocXP.exe",
L"lowsubsys.exe",
L"manifest.exe",
L"manifest_broken.exe",
L"manifest_bsod.exe",
L"manyimportsW7.exe",
L"maxsecW7.exe",
L"maxsecXP.exe",
L"maxsec_lowaligW7.exe",
L"maxvals.exe",
L"memshared-ld.exe",
L"memshared.dll",
L"mini.exe",
L"mscoree.exe",
L"multiss.exe",
L"multiss_con.exe",
L"multiss_drv.sys",
L"multiss_gui.exe",
L"mz.exe",
L"namedresource.exe",
L"no0code.exe",
L"normal.exe",
L"normal64.exe",
L"nosectionW7.exe",
L"nosectionXP.exe",
L"nothing-ld.exe",
L"nothing.dll",
L"no_dd.exe",
L"no_dd64.exe",
L"no_dep.exe",
L"no_seh.exe",
L"nullEP.exe",
L"nullSOH-XP.exe",
L"nullvirt.exe",
L"ownexports.exe",
L"ownexports2.exe",
L"ownexportsdot.exe",
L"pdf.exe",
L"pdf_zip_pe.exe",
L"quine.exe",
L"reloc4.exe",
L"reloc9.exe",
L"reloccrypt.exe",
L"reloccryptW8.exe",
L"reloccryptXP.exe",
L"relocsstripped.exe",
L"relocsstripped64.exe",
L"reshdr.exe",
L"resource.exe",
L"resource2.exe",
L"resourceloop.exe",
L"resource_icon.exe",
L"resource_string.exe",
L"safeseh.exe",
L"safeseh_fly.exe",
L"sc.exe",
L"secinsec.exe",
L"seh_change64.exe",
L"shuffledsect.exe",
L"signature.exe",
L"skippeddynbase.exe",
L"slackspace.exe",
L"ss63.exe",
L"ss63nocookie.exe",
L"standard.exe",
L"tiny.exe",
L"tinydll-ld.exe",
L"tinydll.dll",
L"tinydllXP-ld.exe",
L"tinydllXP.dll",
L"tinydrivXP.sys",
L"tinygui.exe",
L"tinynet.exe",
L"tinyW7.exe",
L"tinyW7x64.exe",
L"tinyW7_3264.exe",
L"tinyXP.exe",
L"tls.exe",
L"tls64.exe",
L"tls_aoi.exe",
L"tls_aoiOSDET.exe",
L"tls_exiting.exe",
L"tls_import.exe",
L"tls_k32.exe",
L"tls_noEP.exe",
L"tls_obfuscation.exe",
L"tls_onthefly.exe",
L"tls_reloc.exe",
L"tls_virtEP.exe",
L"truncatedlast.exe",
L"truncsectbl.exe",
L"version_cust.exe",
L"version_mini.exe",
L"version_std.exe",
L"virtEP.exe",
L"virtgap.exe",
L"virtrelocXP.exe",
L"virtsectblXP.exe",
L"weirdsord.exe",
L"winver.exe"
};

36
MyDebugger/main.cpp
View File

@ -37,15 +37,11 @@ static void printRegion(const char* str, Region<T> region)
region.Empty() ? "true" : "false"); region.Empty() ? "true" : "false");
} }
static void testStatic() static bool testPeFile(const wchar_t* szFileName, bool dumpData = true)
{ {
#ifdef _WIN64
wchar_t szFilePath[256] = L"c:\\test64.exe";
#else //x86
wchar_t szFilePath[256] = L"c:\\!exclude\\pe\\mini.exe";
#endif //_WIN64
using namespace GleeBug; using namespace GleeBug;
File diskFile(szFilePath, File::ReadOnly); auto result = false;
File diskFile(szFileName, File::ReadOnly);
if (diskFile.Open()) if (diskFile.Open())
{ {
auto diskSize = diskFile.GetSize(); auto diskSize = diskFile.GetSize();
@ -57,6 +53,9 @@ static void testStatic()
auto parseError = pe.ParseHeaders(); auto parseError = pe.ParseHeaders();
if (parseError == Pe::ErrorOk) if (parseError == Pe::ErrorOk)
{ {
result = true;
if (!dumpData)
return result;
auto idh = pe.GetDosHeader(); auto idh = pe.GetDosHeader();
printRegion("DOS Header:", idh); printRegion("DOS Header:", idh);
printf(" e_magic: %02X\n", idh->e_magic); printf(" e_magic: %02X\n", idh->e_magic);
@ -78,6 +77,7 @@ static void testStatic()
printf(" Machine : %04X\n", ifh->Machine); printf(" Machine : %04X\n", ifh->Machine);
printf(" NumberOfSections : %04X\n", ifh->NumberOfSections); printf(" NumberOfSections : %04X\n", ifh->NumberOfSections);
printf(" TimeDateStamp : %08X\n", ifh->TimeDateStamp); printf(" TimeDateStamp : %08X\n", ifh->TimeDateStamp);
printf(" SizeOfOptionalHeader: %04X\n", ifh->SizeOfOptionalHeader);
PIMAGE_OPTIONAL_HEADER ioh = &inth->OptionalHeader; PIMAGE_OPTIONAL_HEADER ioh = &inth->OptionalHeader;
puts("\n Optional Header:"); puts("\n Optional Header:");
@ -114,11 +114,31 @@ static void testStatic()
} }
else else
puts("File::Open failed!"); puts("File::Open failed!");
return result;
}
static void testCorkami()
{
#include "PeTests.h"
wchar_t szBasePath[MAX_PATH] = L"c:\\!exclude\\pe\\bin\\";
int okCount = 0;
for (auto i = 0; i < _countof(peTestFiles); i++)
{
std::wstring fileName(szBasePath);
fileName += peTestFiles[i];
if (testPeFile(fileName.c_str(), false))
okCount++;
else
{
printf("file: %ws\n\n", fileName.c_str());
}
}
printf("\n%d/%d parsed OK!\n", okCount, _countof(peTestFiles));
} }
int main() int main()
{ {
testStatic(); testCorkami();
puts(""); puts("");
system("pause"); system("pause");
return 0; return 0;