Stuck on parsing a malformed PE

Question

Stuck on parsing a malformed PE

hasherezade opened this issue 2 years ago · comments

hasherezade commented 2 years ago

Sample:

439ca9d490cb27c45fa08a807fc935e9b6260bc715854da42a8ce32ec79aebb4

Parser gets stuck on parsing this sample.

The sample has an atypical section alignment:

    "sections_aligmnent": "0x1000",
    "file_aligmnent": "0x1",

"sections": [
    {
      "name": "mbw",
      "raw_offset": "0x200",
      "raw_size": "0x580",
      "virtual_offset": "0x1000",
      "virtual_size": "0x580",
      "characteristics": "0x60000020",
      "entropy": 5.525607716586443
    },
    {
      "name": "hm",
      "raw_offset": "0x780",
      "raw_size": "0x30e",
      "virtual_offset": "0x2000",
      "virtual_size": "0x30e",
      "characteristics": "0x40000040",
      "entropy": 4.876276356664052
    },
    {
      "name": "therk",
      "raw_offset": "0xa8e",
      "raw_size": "0x4c",
      "virtual_offset": "0x3000",
      "virtual_size": "0x4c",
      "characteristics": "0x42000040",
      "entropy": 4.720582776146015
    }
  ]

The sample loads fine with PE-bear 0.5.5.3.

The issue appeared starting from the commit: 3330039