Undocumented PE Header Machine Type #36364

Closed
gfs opened this issue May 13, 2020 · 8 comments
Labels
area-VM-coreclr untriaged New issue has not been triaged by the area owner

Comments

@gfs

gfs commented May 13, 2020

@dotnet/jit-contrib

I discovered some PE binaries that are System packages that have undocumented machine codes. The binaries with those machine codes are linked below along with related GitHub issues in a PE header parsing library.

The documentation does not list these as possible machine type codes: https://docs.microsoft.com/en-us/windows/win32/debug/pe-format

See linked bugs also for potential issues with memmove causing fatal CLR crash.

@Dotnet-GitSync-Bot Dotnet-GitSync-Bot added area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI untriaged New issue has not been triaged by the area owner labels May 13, 2020
@AndyAyersMS AndyAyersMS added area-VM-coreclr and removed area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI labels May 13, 2020
@AndyAyersMS
Member

PE headers are written by language compilers or by crossgen-like tools. So changing area to VM.

@janvorli
Member

The machine codes that are documented on MSDN are for Windows. For other OSes, we xor them with an OS specific value so that we can prevent binaries for e.g. Linux amd64 to be used on Windows amd64 or OSX amd64.
See:

#if defined(__APPLE__)
#define IMAGE_FILE_MACHINE_NATIVE_OS_OVERRIDE 0x4644
#elif defined(__FreeBSD__)
#define IMAGE_FILE_MACHINE_NATIVE_OS_OVERRIDE 0xADC4
#elif defined(__linux__)
#define IMAGE_FILE_MACHINE_NATIVE_OS_OVERRIDE 0x7B79
#elif defined(__NetBSD__)
#define IMAGE_FILE_MACHINE_NATIVE_OS_OVERRIDE 0x1993
#elif defined(__sun)
#define IMAGE_FILE_MACHINE_NATIVE_OS_OVERRIDE 0x1992
#else
#define IMAGE_FILE_MACHINE_NATIVE_OS_OVERRIDE 0
#endif
#define IMAGE_FILE_MACHINE_NATIVE_NI (IMAGE_FILE_MACHINE_NATIVE ^ IMAGE_FILE_MACHINE_NATIVE_OS_OVERRIDE)

@janvorli
Member

janvorli commented May 13, 2020

So 0xC020 == 0x8664 xor 0x4644 => OSX amd64
and 0xFD1D == 0x8664 xor 0x7B79 => Linux amd64
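A small decoder for this scheme, added here as an example and not code from the issue or from coreclr: it reads the Machine field out of a PE header and tries each OS override value quoted above, so an analysis tool sees 0xC020 as amd64/OSX instead of an unknown machine type. The documented machine values come from the PE format spec; the stub header builder produces constructed test data, not a loadable image.

```python
import struct
from typing import Optional, Tuple

# Documented IMAGE_FILE_MACHINE_* values (subset) from the PE format spec.
DOCUMENTED_MACHINES = {
    0x014C: "i386",
    0x8664: "amd64",
    0x01C4: "armnt",
    0xAA64: "arm64",
}

# coreclr IMAGE_FILE_MACHINE_NATIVE_OS_OVERRIDE values quoted in this issue.
# 0 is Windows (no override); the rest are XORed into the Machine field.
OS_OVERRIDES = {
    0x0000: "windows",
    0x4644: "osx",
    0xADC4: "freebsd",
    0x7B79: "linux",
    0x1993: "netbsd",
    0x1992: "sunos",
}

def read_machine(pe_bytes: bytes) -> int:
    """Return IMAGE_FILE_HEADER.Machine after checking the MZ and PE signatures."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine,) = struct.unpack_from("<H", pe_bytes, e_lfanew + 4)
    return machine

def decode_machine(machine: int) -> Optional[Tuple[str, str]]:
    """Map a raw Machine value to (architecture, os), undoing the XOR override."""
    for override, os_name in OS_OVERRIDES.items():
        arch = DOCUMENTED_MACHINES.get(machine ^ override)
        if arch is not None:
            return arch, os_name
    return None  # genuinely unknown machine type

def build_stub_pe(machine: int) -> bytes:
    """Constructed minimal MZ stub + PE signature + IMAGE_FILE_HEADER for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header at offset 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + coff

if __name__ == "__main__":
    for raw in (0x8664, 0xC020, 0xFD1D):
        print(hex(raw), decode_machine(read_machine(build_stub_pe(raw))))
```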

@GrabYourPitchforks
Member

The issues Gabe linked to also potentially finger memmove as a reliability issue. I remember we had a bug a while back with this on Full Framework, but I don't recall offhand if it affected Core 3.1.3.

@gfs
Author

gfs commented May 13, 2020

On the memmove topic, from the linked bugs:

Fatal error. Internal CLR error. (0x80131506)
   at System.Buffer._Memmove(Byte ByRef, Byte ByRef, UInt64)
   at System.Buffer.Memmove(Byte ByRef, Byte ByRef, UInt64)
   at System.Span`1[[System.Byte, System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]].ToArray()
   at PeNet.Header.Authenticode.ContentInfo..ctor(System.Span`1<Byte>)
   at PeNet.Header.Authenticode.AuthenticodeInfo..ctor(PeNet.PeFile)
   at PeNet.HeaderParser.Authenticode.AuthenticodeParser.ParseTarget()
   at PeNet.PeFile.get_Authenticode()
   at AttackSurfaceAnalyzer.Collectors.WindowsFileSystemUtils.GetSignatureStatus(System.String)

@mangod9
Member

mangod9 commented Jun 22, 2020

@gfs, can this be closed for now? Assume the memmove is a different issue than the title?

@gfs
Author

gfs commented Jun 22, 2020

The memmove issue is not related to the title but was a symptom. I think per @GrabYourPitchforks it was worth tracking but if you want to separate the issues for tracking and close this that's fine.

@mangod9
Member

mangod9 commented Jun 22, 2020

Yeah, a separate issue would help with triaging appropriately. Thx

@gfs gfs closed this as completed Jun 22, 2020
@ghost ghost locked as resolved and limited conversation to collaborators Dec 9, 2020