Skip to content

Improved handling of export table for invalid export address and removed GandCrab workaround in GetProcAddress#1358

Merged
kabeor merged 2 commits intoqilingframework:devfrom
clairelevin:bugfix
Jul 4, 2023
Merged

Improved handling of export table for invalid export address and removed GandCrab workaround in GetProcAddress#1358
kabeor merged 2 commits intoqilingframework:devfrom
clairelevin:bugfix

Conversation

@clairelevin
Copy link
Contributor

@clairelevin clairelevin commented Jun 1, 2023
edited
Loading

Binaries with an invalid export address table cause Qiling to crash when attempting to load exports. This fix ensures that pefile has loaded the export table before attempting to parse the exports.

Additionally, the hook for GetProcAddress contains a workaround for GandCrab that returns 0 when looking for RtlComputeCrc32. This causes other emulated binaries using the RtlComputeCrc32 API to fail, which makes me think this workaround was included unintentionally.

Checklist

Which kind of PR do you create?

  • This PR only contains minor fixes.
  • This PR contains major feature update.
  • This PR introduces a new function/api for Qiling Framework.

Coding convention?

  • The new code conforms to Qiling Framework naming convention.
  • The imports are arranged properly.
  • Essential comments are added.
  • The reference of the new code is pointed out.

Extra tests?

  • No extra tests are needed for this PR.
  • I have added enough tests for this PR.
  • Tests will be added after some discussion and review.

Changelog?

  • This PR doesn't need to update Changelog.
  • Changelog will be updated after some proper review.
  • Changelog has been updated in my PR.

Target branch?

  • The target branch is dev branch.

One last thing

@elicn
Copy link
Member

elicn commented Jun 2, 2023

Doesn't the check on line 551 help avoid this situation?

@clairelevin
Copy link
Contributor Author

clairelevin commented Jun 2, 2023

The check on line 551 can fail if the export table exists, but is malformed. In that situation, the IMAGE_DIRECTORY_ENTRY_EXPORT attribute is present, but when pefile.full_load() is called, it can't parse the export table. Because of this, the DIRECTORY_ENTRY_EXPORT attribute never gets created, so Qiling crashes when it tries to access it.

@elicn
Copy link
Member

elicn commented Jun 4, 2023

OK, then better document that just above that line (something like: "address a corner case where ...."), because it might look redundant for someone who is not familiar with that exact corner case.

Also, please break the if statement so the return appears on a different line.

@clairelevin
Copy link
Contributor Author

clairelevin commented Jun 5, 2023

Ok, I've made the changes.

@xwings
Copy link
Member

xwings commented Jul 3, 2023

@elicn are you ok with the updates

@elicn
Copy link
Member

elicn commented Jul 3, 2023

@xwings, approved.

@kabeor
Copy link
Member

kabeor commented Jul 4, 2023

Thanks, merged.

@kabeor kabeor merged commit 7d28532 into qilingframework:dev Jul 4, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@elicn elicn elicn approved these changes

@kabeor kabeor kabeor approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@clairelevin @elicn @xwings @kabeor