-
Notifications
You must be signed in to change notification settings - Fork 150
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PE: unable to parse imports with a null directory size #340
Comments
I've made an MR because that was not a big change, but I'd like your opinion regarding how acceptable this is. |
Handling malware and hand crafted files is a can of worms, and until now this crate has only cared about binaries from common toolchains. For some cases it may be better to return an error, rather than trying to duplicate the undocumented internals of the Windows loader. For this case, the change may be simple enough, but let me think about it. I assume for your use case you'd rather be able to parse the file fully, rather than getting an error? |
Currently, we get
For my very use case, I'd prefer the latter (be able to parse the list of imports, without being even warned about an invalid size) because that would make my life easier :D All the more as the logic in |
But I understand that you could be reluctant to change In that case, maybe we could create a cargo feature(say, This (ignoring invalid directory sizes when they have a valid pointer location) would be the first behaviour that would be tweaked, but maybe more would be added in the future |
I think that can be fixed with just this change from your PR? - .filter(|d| d.size.get(LE) != 0)
+ .filter(|d| d.virtual_address.get(LE) != 0)
This can always be done using the lower level API. If it's missing functions to do this then we should add them. And this may be desirable for your use anyway (e.g. it was for another user in #324). The unified API makes it harder to support features that are unique to only one file format.
This seems the same as the second option to me? i.e. the second option already includes the behaviour of the first option
This is still an option, but I need to investigate further. |
Some valid PE files may declare that their import directory has a null size (but a valid location).
Such files are valid, and can run fine in Windows, which actually links to the required imports (declared at the valid location).
Such an example is the PE101 simple.exe (that is described here and that can be downloaded here via
pe101.zip
)The declared size of the imports directory is ignored by the windows loader, since it is actually useless. The import data in the PE file (pointed to by the valid location) is a null-terminated list, that can be parsed without the knowledge of its size.
Expected behaviour
PeFile::imports()
would return a valid vector ofImport
s.For instance, that's what the Python
pefile
does.Actual behaviour
PeFile::imports()
returnsOk([])
. This is due toself.data_directory(pe::IMAGE_DIRECTORY_ENTRY_IMPORT)
beingNone
(data_directory
checks that the declared length of the directory is not 0).How to solve it?
I'm not sure. We probably should forcibly parse the imports structure and ignore the declared size. On the other hand, this is a borderline case (the PE file is almost-but-not-totally valid), and I'm not sure what the philosophy of
object
is regarding these casesThe text was updated successfully, but these errors were encountered: