From 284930d893e9f24afd53c4e3857b920900d09081 Mon Sep 17 00:00:00 2001 From: Stefan Hausotte Date: Tue, 4 Dec 2018 09:25:04 +0100 Subject: [PATCH 1/2] Fix bug with too long module names in the import section --- PeNet.sln | 11 +++++++++ src/PEditor/PEditor.csproj | 2 +- src/PEditor/TabItems/Exceptions.xaml.cs | 6 ++--- src/PeNet/Parser/ImportedFunctionsParser.cs | 10 +++++++- src/PeNet/Parser/SafeParser.cs | 9 +++---- src/PeNet/PeFile.cs | 26 +++++++-------------- src/PeNet/PeNet.csproj | 6 +++-- 7 files changed, 41 insertions(+), 29 deletions(-) diff --git a/PeNet.sln b/PeNet.sln index ffdab32b..02579a3d 100644 --- a/PeNet.sln +++ b/PeNet.sln @@ -22,6 +22,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PEditor", "src\PEditor\PEdi EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "PeNet.Test", "test\PeNet.Test\PeNet.Test.csproj", "{2A160801-CC38-4986-AC00-B742ACC567D7}" EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Test.App", "Test.Console\Test.App.csproj", "{36A620F6-69CB-46B5-B2A9-2EE96D31C1C8}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU 
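Review bot: The solution now references a new project `Test.App` at `Test.Console\Test.App.csproj`, but no file under `Test.Console` appears in this patch's diffstat or in patch 2/2. Unless that project already exists in the repository, loading or building `PeNet.sln` will fail on the missing project. It also looks unrelated to the import-name fix, so either add the project files in this commit or drop the `Project(...)` entry and its configuration lines in the later `PeNet.sln` hunks.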
@@ -54,6 +56,14 @@ Global {2A160801-CC38-4986-AC00-B742ACC567D7}.Release|Any CPU.Build.0 = Release|Any CPU {2A160801-CC38-4986-AC00-B742ACC567D7}.Release|x64.ActiveCfg = Release|Any CPU {2A160801-CC38-4986-AC00-B742ACC567D7}.Release|x64.Build.0 = Release|Any CPU + {36A620F6-69CB-46B5-B2A9-2EE96D31C1C8}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {36A620F6-69CB-46B5-B2A9-2EE96D31C1C8}.Debug|Any CPU.Build.0 = Debug|Any CPU + {36A620F6-69CB-46B5-B2A9-2EE96D31C1C8}.Debug|x64.ActiveCfg = Debug|Any CPU + {36A620F6-69CB-46B5-B2A9-2EE96D31C1C8}.Debug|x64.Build.0 = Debug|Any CPU + {36A620F6-69CB-46B5-B2A9-2EE96D31C1C8}.Release|Any CPU.ActiveCfg = Release|Any CPU + {36A620F6-69CB-46B5-B2A9-2EE96D31C1C8}.Release|Any CPU.Build.0 = Release|Any CPU + {36A620F6-69CB-46B5-B2A9-2EE96D31C1C8}.Release|x64.ActiveCfg = Release|Any CPU + {36A620F6-69CB-46B5-B2A9-2EE96D31C1C8}.Release|x64.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE @@ -62,6 +72,7 @@ Global {12794D4D-98EA-4A5C-92EA-D3282790C3D3} = {C6BBC182-0EA7-4DEA-8D06-C7B27B863B92} {41416783-179F-4117-A95B-DAAF6DD0B144} = {C6BBC182-0EA7-4DEA-8D06-C7B27B863B92} {2A160801-CC38-4986-AC00-B742ACC567D7} = {B7DE051E-5D6F-4209-8472-B8A407C3D257} + {36A620F6-69CB-46B5-B2A9-2EE96D31C1C8} = {C6BBC182-0EA7-4DEA-8D06-C7B27B863B92} EndGlobalSection GlobalSection(ExtensibilityGlobals) = postSolution SolutionGuid = {DDEF9B8E-AB65-440B-86B9-BF0BE9BE5993} diff --git a/src/PEditor/PEditor.csproj b/src/PEditor/PEditor.csproj index 93ae7040..be6fc562 100644 --- a/src/PEditor/PEditor.csproj +++ b/src/PEditor/PEditor.csproj @@ -32,7 +32,7 @@ PEditor false 0 - 1.0.1.%2a + 1.1.0.%2a false true true diff --git a/src/PEditor/TabItems/Exceptions.xaml.cs b/src/PEditor/TabItems/Exceptions.xaml.cs index a3e05c88..7b75e2ff 100644 --- a/src/PEditor/TabItems/Exceptions.xaml.cs +++ b/src/PEditor/TabItems/Exceptions.xaml.cs 
@@ -30,7 +30,7 @@ private void lbRuntimeFunctions_SelectionChanged(object sender, SelectionChanged var uw = selected.UnwindInfo.ToIntFromHexString(); // Find the RUNTIME_FUNCTION which was selected. - var rt = _peFile.RuntimeFunctions.First(x => x.FunctionStart == funcStart + var rt = _peFile.ExceptionDirectory.First(x => x.FunctionStart == funcStart && x.FunctionEnd == funcEnd && x.UnwindInfo == uw ); @@ -65,10 +65,10 @@ public void SetException(PeFile peFile) _peFile = peFile; lbRuntimeFunctions.Items.Clear(); - if (peFile.Is32Bit || peFile.RuntimeFunctions == null) + if (peFile.Is32Bit || peFile.ExceptionDirectory == null) return; - foreach (var rt in peFile.RuntimeFunctions) + foreach (var rt in peFile.ExceptionDirectory) { lbRuntimeFunctions.Items.Add(new { diff --git a/src/PeNet/Parser/ImportedFunctionsParser.cs b/src/PeNet/Parser/ImportedFunctionsParser.cs index ce9cd416..b5443eb1 100644 --- a/src/PeNet/Parser/ImportedFunctionsParser.cs +++ b/src/PeNet/Parser/ImportedFunctionsParser.cs @@ -1,4 +1,5 @@ -using System.Collections.Generic; +using System; +using System.Collections.Generic; using PeNet.Structures; using PeNet.Utilities; @@ -36,6 +37,8 @@ protected override ImportFunction[] ParseTarget() { var dllAdr = idesc.Name.RVAtoFileMapping(_sectionHeaders); var dll = _buff.GetCString(dllAdr); + if (IsModuleNameTooLong(dll)) + continue; var tmpAdr = idesc.OriginalFirstThunk != 0 ? idesc.OriginalFirstThunk : idesc.FirstThunk; if (tmpAdr == 0) continue; @@ -72,5 +75,10 @@ protected override ImportFunction[] ParseTarget() return impFuncs.ToArray(); } + + private bool IsModuleNameTooLong(string dllName) + { + return dllName.Length > 256; + } } } \ No newline at end of file diff --git a/src/PeNet/Parser/SafeParser.cs b/src/PeNet/Parser/SafeParser.cs index 5bc07781..b868eced 100644 --- a/src/PeNet/Parser/SafeParser.cs +++ b/src/PeNet/Parser/SafeParser.cs 
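Review bot: In `ImportedFunctionsParser.ParseTarget`, `IsModuleNameTooLong(dll)` runs only after `_buff.GetCString(dllAdr)` has already produced the whole string, so the check filters the result but does not bound the read. If `GetCString` (not visible in this hunk) scans to the next NUL without a cap, a crafted import descriptor still costs the full scan and allocation before it is skipped. The `continue` also drops the module without any record, so a consumer of the import list cannot tell a file with an oversized module name from one that never had that import; recording the skip somewhere the caller can see would keep the anomaly visible. The literal in the new helper would read better as a named constant, e.g. `private const int MaxModuleNameLength = 256;`, and the helper can be `static`. The added `using System;` is not used by anything in the visible hunks of this file.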
@@ -3,7 +3,7 @@ namespace PeNet.Parser { internal abstract class SafeParser - where T : class + where T : class { protected readonly byte[] _buff; protected readonly uint _offset; @@ -22,7 +22,6 @@ private bool SanityCheckFailed() return _offset > _buff?.Length; } - public Exception ParserException { get; protected set; } protected abstract T ParseTarget(); @@ -40,9 +39,11 @@ public T GetParserTarget() { _target = ParseTarget(); } - catch (Exception exception) + catch (Exception) { - ParserException = exception; + // Silently catch the exception + // TODO: Add global list with exception + _target = null; } return _target; diff --git a/src/PeNet/PeFile.cs b/src/PeNet/PeFile.cs index 49b57e14..ffe3c7d3 100644 --- a/src/PeNet/PeFile.cs +++ b/src/PeNet/PeFile.cs @@ -73,11 +73,6 @@ public PeFile(string peFile) FileLocation = peFile; } - /// - /// List with all exceptions that have occurred during the PE header parsing. - /// - public List Exceptions { get; } = new List(); - /// /// Returns true if the Export directory is valid. /// @@ -96,7 +91,7 @@ public PeFile(string peFile) /// /// Returns true if the Exception directory is valid. /// - public bool HasValidExceptionDir => Exceptions != null; + public bool HasValidDir => ExceptionDirectory != null; /// /// Returns true if the Security directory is valid. @@ -218,7 +213,7 @@ public bool IsEXE /// /// Access the array of RUNTIME_FUNCTION from the Exception header. /// - public RUNTIME_FUNCTION[] RuntimeFunctions => _dataDirectoryParsers.RuntimeFunctions; + public RUNTIME_FUNCTION[] ExceptionDirectory => _dataDirectoryParsers.RuntimeFunctions; /// /// Access the WIN_CERTIFICATE from the Security header. @@ -324,10 +319,7 @@ public bool IsEXE /// True of cert chain is valid and from a trusted CA. public bool IsValidCertChain(bool online) { - if (!IsSigned) - return false; - - return SignatureInformation.IsValidCertChain(PKCS7, online); + return IsSigned && SignatureInformation.IsValidCertChain(PKCS7, online); } /// 
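Review bot: The new `catch (Exception)` in `SafeParser.GetParserTarget` discards the exception while the list named in the TODO does not exist yet, so after this commit a structure that failed to parse and one that is simply absent both come back as `null`. For a parser that is run on untrusted and possibly deliberately malformed PE files, the parse failure is a signal callers may want, and a catch-all also hides unrelated faults. Consider continuing to record the exception (the removed `ParserException = exception;`) until the replacement mechanism lands. The same pattern is introduced in `GetCrlUrlList` in src/PeNet/PeFile.cs, where a PKCS7 blob that fails to parse now returns `null` exactly like a file with no signature.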
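Review bot: The property renamed to `HasValidDir` in src/PeNet/PeFile.cs keeps the doc comment "Returns true if the Exception directory is valid" and sits next to the Export and Security directory checks, so the generic name looks like an accidental truncation. `public bool HasValidExceptionDir => ExceptionDirectory != null;` keeps the actual fix (the old expression tested the `Exceptions` list, which was always initialised) without renaming a public member. The rename is also missing from the release notes added in PeNet.csproj, which mention only the `Exceptions` removal and the `RuntimeFunctions` rename.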
@@ -341,17 +333,16 @@ public CrlUrlList GetCrlUrlList() if (PKCS7 == null) return null; - CrlUrlList list = null; try { - list = new CrlUrlList(PKCS7); + return new CrlUrlList(PKCS7); } - catch (Exception exception) + catch (Exception) { - Exceptions.Add(exception); + // Silently catch exceptions. + // TODO: Add to global exception list. + return null; } - - return list; } /// @@ -368,7 +359,6 @@ public static bool IsPEFile(string file) using (var fs = new FileStream(file, FileMode.Open, FileAccess.Read)) { fs.Read(buffer, 0, buffer.Length); - fs.Close(); } return buffer[1] == 0x5a && buffer[0] == 0x4d; // MZ Header diff --git a/src/PeNet/PeNet.csproj b/src/PeNet/PeNet.csproj index c8222265..5086c914 100644 --- a/src/PeNet/PeNet.csproj +++ b/src/PeNet/PeNet.csproj @@ -2,12 +2,14 @@ netstandard2.0;net461;net40 https://github.com/secana/PeNet - 0.8.0 + 0.8.1 Stefan Hausotte http://www.apache.org/licenses/LICENSE-2.0 PeNet is a Windows PE (Portable Executable) parser written in C#. It parses all PE header structures for x32 and x64. It supports the ImpHash algorithm which is popular in malware analysis. You can use it for string and pattern matching in PE files. 2017 @ Stefan Hausotte - Add debug directory parsing + Removed "Exceptions" property +Renamed "RuntimeFunctions" to "ExceptionDirectory" +Skip imported modules with names longer than 256 characters https://github.com/secana/PeNet PE Header Portable Executable https://raw.githubusercontent.com/secana/PeNet/master/src/PEditor/Icons/logo.png From d3e9dcf47f034e52bf7743016bad19e91f54e17f Mon Sep 17 00:00:00 2001 From: Stefan Hausotte Date: Tue, 4 Dec 2018 09:26:42 +0100 Subject: [PATCH 2/2] Remove comments --- build.cake | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/build.cake b/build.cake index d865a379..4dbad324 100644 --- a/build.cake +++ b/build.cake 
@@ -3,10 +3,10 @@ var target = Argument("target", "Default"); var solutionDir = System.IO.Directory.GetCurrentDirectory(); -var testResultDir = Argument("testResultDir", System.IO.Path.Combine(solutionDir, "test-results")); // ./build.sh --target test -testResultsDir="somedir" -var artifactDir = Argument("artifactDir", System.IO.Path.Combine(solutionDir, "artifacts")); // ./build.sh --target pack -artifactDir="somedir" -var apiKey = Argument("apiKey", null); // ./build.sh --target push -apiKey="nuget api key" -var accessToken = Argument("accessToken", null); // ./build.sh --target release -accessToken="github access token" +var testResultDir = Argument("testResultDir", System.IO.Path.Combine(solutionDir, "test-results")); +var artifactDir = Argument("artifactDir", System.IO.Path.Combine(solutionDir, "artifacts")); +var apiKey = Argument("apiKey", null); +var accessToken = Argument("accessToken", null); var peditorArtifactDir = System.IO.Path.Combine(artifactDir, "PEditor"); string peditorReleaseZip = null; string peditorVersion = null;
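Review bot: `apiKey` and `accessToken` in build.cake are still read only from command-line arguments, and the comments removed here were the only usage hint for them in the script. Values passed as arguments tend to end up in shell history, process listings and CI logs. Consider a fallback to an environment variable, e.g. `Argument("apiKey", null) ?? EnvironmentVariable("NUGET_API_KEY")` (the variable name is a placeholder), and keep a one-line comment per argument that names the option without showing a secret inline.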