
Section names with invalid UTF-8 codepoints fails the length limit of 8 bytes check #453

Closed
Avroke opened this issue Jun 19, 2023 · 5 comments
Labels
bug pe-file Issues related to AsmResolver.PE.File
Milestone

Comments

@Avroke

Avroke commented Jun 19, 2023

Problem Description

When PE section names are parsed, the ArgumentException "Section name cannot be longer than 8 characters." may be thrown.
However, some legitimate files may have a section name longer than 8 characters.
I also hope that malware with such a section can still be parsed.

Proposal

Can you please propose the possibility of disabling this check (Boolean parameter)?
In the worst case, simply crop the name to the first 8 characters.

Alternatives

No response

Additional Context

No response

@Washi1337 Washi1337 added the pe Issues related to AsmResolver.PE label Jun 19, 2023
@Washi1337
Owner

The reason this check exists is because the specification of the PE file format states that section headers can only contain names with up to 8 characters. There is a clause that states that this can also be an offset into a string table, but executable images do not support this.

That being said, Microsoft can be inconsistent between specifications and their implementations, so feel free to point me to a sample for which this indeed is the case and then we can discuss how this could be implemented.

@Avroke
Author

Avroke commented Jun 20, 2023

@sunnamed434
Contributor

For example, here are 3 benign files with this problem: Download link

VirusTotal results : 7ca49c093ac66d4b28841b5a2222e53010f4e5f11d745330cf762d6f64ca379e 423ba8faabb19d9683cbad8d0cfe21c9cb66b52f02b12ee3574a2f7d453b444b 55d3ff6e4fb7791cc8f88d10d4fa1e71820e12c48242abb4c4049d025d1c4fa8

I can provide you with many more.

Download link asks for access

@Avroke
Author

Avroke commented Jun 20, 2023

For example, here are 3 benign files with this problem: Download link
VirusTotal results : 7ca49c093ac66d4b28841b5a2222e53010f4e5f11d745330cf762d6f64ca379e 423ba8faabb19d9683cbad8d0cfe21c9cb66b52f02b12ee3574a2f7d453b444b 55d3ff6e4fb7791cc8f88d10d4fa1e71820e12c48242abb4c4049d025d1c4fa8
I can provide you with many more.

Download link asks for access

I've just changed the link, thank you for reporting it to me!

@Washi1337
Owner

Thanks for submitting the test files.

Quick inspection of all these files shows that all sections really do have a name of 8 characters, as the spec specifies. I have tested this using three different PE header parsers: your VirusTotal links, PE-Bear and CFF Explorer.

The reason AsmResolver breaks, however, is because the section names are suffixed with invalid UTF-8 code points (notice the bytes after the zero terminator as reported by e.g. VirusTotal). This makes the call to Encoding.UTF8.GetByteCount return a wrong value, failing the assert.

I will change this issue to a bug report, and have a fix up shortly that filters these invalid code-points. For 6.0 in the future, we probably want to change the Name property to be of type Utf8String, as it does support retaining these invalid code-points.
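The failure mode described in the comment above, reproduced as an added example (this is not AsmResolver's code, and it is written in Python rather than the project's C#). It builds a constructed IMAGE_SECTION_HEADER table with an 8-byte Name field that contains junk bytes after the NUL terminator, shows how decoding that field as UTF-8 and re-encoding it inflates the byte count past 8 (each invalid byte becomes U+FFFD, which is 3 bytes in UTF-8, mirroring the Encoding.UTF8.GetByteCount behaviour discussed), and contrasts that with a parser that truncates at the terminator and measures the raw field. The helper names and the sample bytes are assumptions made for the example.

```python
import struct

# IMAGE_SECTION_HEADER is 40 bytes; the first 8 are the Name field (assumption: only the
# layout from the PE/COFF spec is used here, nothing project-specific).
SECTION_HEADER_SIZE = 40
NAME_FIELD_SIZE = 8


def naive_utf8_byte_count(raw_name: bytes) -> int:
    """Mimic the failing check: decode the 8-byte field as UTF-8 (invalid bytes become
    U+FFFD, as .NET's Encoding.UTF8 does) and then ask for the encoded byte count.
    Every U+FFFD re-encodes to 3 bytes, so garbage after the NUL inflates the result."""
    decoded = raw_name.decode("utf-8", errors="replace")
    return len(decoded.encode("utf-8"))


def parse_section_name(raw_name: bytes) -> str:
    """Robust variant: stop at the first NUL, validate the length on the raw bytes,
    and only then decode. Bytes after the terminator are ignored entirely."""
    if len(raw_name) != NAME_FIELD_SIZE:
        raise ValueError("Name field must be exactly 8 bytes")
    trimmed = raw_name.split(b"\x00", 1)[0]
    if len(trimmed) > NAME_FIELD_SIZE:  # cannot happen for an 8-byte field, kept for clarity
        raise ValueError("Section name cannot be longer than 8 bytes")
    return trimmed.decode("utf-8", errors="replace")


def build_section_header(name: bytes, virtual_size: int = 0x1000, virtual_address: int = 0x1000) -> bytes:
    """Construct one IMAGE_SECTION_HEADER with the given raw 8-byte Name field."""
    assert len(name) == NAME_FIELD_SIZE
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
    # PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
    return name + struct.pack("<IIIIIIHHI", virtual_size, virtual_address, 0, 0, 0, 0, 0, 0, 0)


def parse_section_table(table: bytes, count: int) -> list:
    """Walk a section table and return the parsed names using the robust parser."""
    names = []
    for i in range(count):
        header = table[i * SECTION_HEADER_SIZE:(i + 1) * SECTION_HEADER_SIZE]
        if len(header) != SECTION_HEADER_SIZE:
            raise ValueError("Truncated section table")
        names.append(parse_section_name(header[:NAME_FIELD_SIZE]))
    return names


# Constructed sample table (not taken from any real file): a normal padded name, a name
# followed by junk bytes after its terminator, and an exactly-8-byte name with no terminator.
SAMPLE_NAMES = [
    b".text\x00\x00\x00",
    b"UPX0\x00\xff\xfe\xfd",
    b"longname",
]
SAMPLE_TABLE = b"".join(build_section_header(n) for n in SAMPLE_NAMES)


if __name__ == "__main__":
    for raw in SAMPLE_NAMES:
        print(raw, "naive count:", naive_utf8_byte_count(raw), "parsed:", parse_section_name(raw))
    print(parse_section_table(SAMPLE_TABLE, len(SAMPLE_NAMES)))
```

For the second sample the naive count is 14 (4 name bytes, the NUL, and three 3-byte replacement characters), which is what trips an "at most 8" check even though the on-disk field is exactly 8 bytes; the robust parser returns "UPX0" for the same field. Measuring the length on the raw bytes before any decoding is the property a PE loader actually cares about.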

@Washi1337 Washi1337 added bug pe-file Issues related to AsmResolver.PE.File and removed enhancement pe Issues related to AsmResolver.PE labels Jun 20, 2023
@Washi1337 Washi1337 changed the title Disable verification of section name length Section names with invalid UTF-8 codepoints fails the length limit of 8 bytes check Jun 20, 2023
@Washi1337 Washi1337 added this to the 5.4.0 milestone Jun 20, 2023
Projects
None yet
Development

No branches or pull requests

3 participants