|
20 | 20 | February 22, 2021</span></div><img src=https://lief.re//img/waves.png class="d-block mx-auto mt-4 mb-5" alt=Wave><div class=text-dark><div class="admonition abstract"><p class=admonition-title>Tl;DR</p>LIEF v0.11.1 fixes some issues related to PE Authentihash computation. The new packages are available on PyPI and
|
21 | 21 | the SDKs can be downloaded on the official <a href=https://lief.quarkslab.com/download/>website</a>.<p>Enjoy!</p></div><p>LIEF 0.11.0 missed handling some cases in the processing of the PE Authentihash. This new release addresses
|
22 | 22 | these issues and the following blog post explains the cases we did not handle.</p><h3 id=section-name>Section name</h3><p>PE section’s names are stored in a <strong>fixed</strong> char array (8 bytes) which means that a section’s name can
|
23 |
| -contain trailing bytes after the null char:</p><div class=highlight><pre tabindex=0 style=background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4><code class=language-cpp data-lang=cpp><span style=display:flex><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:.4em;padding:0 .4em;color:#7f7f7f">1</span><span><span style=color:#000;font-weight:700>struct</span> <span style=color:#458;font-weight:700>pe_section</span> { |
24 |
| -</span></span><span style=display:flex><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:.4em;padding:0 .4em;color:#7f7f7f">2</span><span> <span style=color:#458;font-weight:700>char</span> name[<span style=color:#099>8</span>]; |
25 |
| -</span></span><span style=display:flex><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:.4em;padding:0 .4em;color:#7f7f7f">3</span><span> <span style=color:#458;font-weight:700>uint32_t</span> RVA; |
26 |
| -</span></span><span style=display:flex><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:.4em;padding:0 .4em;color:#7f7f7f">4</span><span> <span style=color:#998;font-style:italic>// ... |
27 |
| -</span></span></span><span style=display:flex><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:.4em;padding:0 .4em;color:#7f7f7f">5</span><span><span style=color:#998;font-style:italic></span>}; |
| 23 | +contain trailing bytes after the null char:</p><div class=highlight><pre tabindex=0 style=background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4><code class=language-cpp data-lang=cpp><span style=display:flex><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:.4em;padding:0 .4em;color:#7f7f7f">1</span><span><span style=color:#cf222e>struct</span> <span style=color:#1f2328>pe_section</span> <span style=color:#1f2328>{</span> |
| 24 | +</span></span><span style=display:flex><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:.4em;padding:0 .4em;color:#7f7f7f">2</span><span> <span style=color:#cf222e>char</span> name<span style=color:#1f2328>[</span><span style=color:#0550ae>8</span><span style=color:#1f2328>];</span> |
| 25 | +</span></span><span style=display:flex><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:.4em;padding:0 .4em;color:#7f7f7f">3</span><span> <span style=color:#cf222e>uint32_t</span> RVA<span style=color:#1f2328>;</span> |
| 26 | +</span></span><span style=display:flex><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:.4em;padding:0 .4em;color:#7f7f7f">4</span><span> <span style=color:#57606a>// ... |
| 27 | +</span></span></span><span style=display:flex><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:.4em;padding:0 .4em;color:#7f7f7f">5</span><span><span style=color:#57606a></span><span style=color:#1f2328>};</span> |
28 | 28 | </span></span></code></pre></div><p>Before v0.11.1, LIEF didn’t take into account the trailing bytes and stopped to read the section’s name
|
29 |
| -on the first null char:</p><div class=highlight><pre tabindex=0 style=background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4><code class=language-cpp data-lang=cpp><span style=display:flex><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:.4em;padding:0 .4em;color:#7f7f7f">1</span><span><span style=color:#000;font-weight:700>this</span><span style=color:#000;font-weight:700>-></span>name_ <span style=color:#000;font-weight:700>=</span> std<span style=color:#000;font-weight:700>::</span>string(header<span style=color:#000;font-weight:700>-></span>name, <span style=color:#000;font-weight:700>sizeof</span>(header<span style=color:#000;font-weight:700>-></span>name)).c_str(); |
| 29 | +on the first null char:</p><div class=highlight><pre tabindex=0 style=background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4><code class=language-cpp data-lang=cpp><span style=display:flex><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:.4em;padding:0 .4em;color:#7f7f7f">1</span><span><span style=color:#cf222e>this</span><span style=color:#0550ae>-></span>name_ <span style=color:#0550ae>=</span> std<span style=color:#0550ae>::</span>string<span style=color:#1f2328>(</span>header<span style=color:#0550ae>-></span>name<span style=color:#1f2328>,</span> <span style=color:#cf222e>sizeof</span><span style=color:#1f2328>(</span>header<span style=color:#0550ae>-></span>name<span style=color:#1f2328>)).</span>c_str<span style=color:#1f2328>();</span> |
30 | 30 | </span></span></code></pre></div><p>This implementation has two drawbacks. First, we lose information since we don’t store the extra trailing bytes.
|
31 | 31 | Regular binaries have zero trailing bytes after the first null char but some of them might use this spot to
|
32 | 32 | hide data.</p><p><img src=section_table_e.png alt="Section name with trailing bytes"></p><p>Secondly, the <strong>full</strong> section name (i.e the whole 8 bytes) is used to compute the Authentihash.
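Review bot: The new highlighter output drops the `font-weight:700` that the old spans put on keywords (`struct`, `this`, `sizeof`) and the `font-style:italic` on the `// ...` comment, so in the two cpp blocks keywords and comments are now distinguished by colour alone; if that is not intended, keep the weight and italic alongside the new palette (#000 to #cf222e, #458 to #1f2328, #099 to #0550ae, #998 to #57606a). The code text and the surrounding prose in this hunk are otherwise byte-identical, which also shows the cost of inline `style=` attributes: a palette change rewrites every highlighted line of every post. Emitting class-based spans with one stylesheet would make a theme swap a one-file change and keep diffs like this reviewable.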