-
Notifications
You must be signed in to change notification settings - Fork 185
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Memory exhaustion - likely due to incorrect section parsing #635
Comments
thanks @mr-tz . will look into it. |
confirmed:
still uncertain why it's loading that map. will have to schedule some time to investigate. any input/context you may be able to add about this bin would be awesome. otherwise, we'll have to look through the PE parser and look for ways it differs from the PE Loader. if there's simply logic as to why this is misreading or why this map wouldn't normally be loaded into RAM on a target, that would speed resolution ;) thx either way! |
sorry, you already did give great context.
|
the reason i ask for anything else is because malware tends to exploit how an OS works in undocumented ways to make our jobs harder. obviously you know that already :) |
In my limited testing and per my understanding [1] this should suffice to get the offset: For the sample above that's 488 (0x1E8). The issue here seems to be that the used calculation then subtracts the length of the Here: and
Obviously, this is a core parsing part and worked well so far. So more testing and reading is necessary. I wanted to provide what I had so far though. [1] The PE file header consists of a Microsoft MS-DOS stub, the PE signature, the COFF file header, and an optional header. A COFF object file header consists of a COFF file header and an optional header. In both cases, the file headers are followed immediately by section headers. - via https://learn.microsoft.com/en-us/windows/win32/debug/pe-format |
thank you, @mr-tz ! that's truly very helpful analysis. |
Analyzing malware sample (sha256: c177e0a9e745a247a944f805189daf4c2f3f059340290c8c0ec0861bacaa8316) results in memory exhaustion.
The issue seems to be that the section table (section headers) offset gets identified as 480 (0x1E0) instead of 488 (0x1E8) which then leads to parsing a section with VirtualSize 2019914798.
The text was updated successfully, but these errors were encountered: