32-bit malware sample causes x64dbg crash when opening #2065
Please remind us of the “usual password”…
On Fri, 2 Nov 2018 at 08:14, rotateLeft ***@***.***> wrote: Malware sample attached. Usual password. 98ec-x86-gui.zip <https://github.com/x64dbg/x64dbg/files/2541360/98ec-x86-gui.zip>
I've checked this crash and it happens due to a bogus Debug Directory size in the PE headers. The sample contains a Debug Directory with the size 0xfffff000 which causes the while loop in ReadDebugDirectory to overrun the mapped file and crash.
It can be reproduced on a non-malware 32-bit sample (e.g. calc.exe) by using CFF Explorer to modify its Debug Directory entry's size to 0xfffff000 and the entry's base address so it points to a valid address that's not a supported entry (e.g. to a random position after the original entries).
I have a fix for this and will send a PR shortly. PE reading doesn't seem very robust at the moment; there could be similar crashes with other malicious PE files. @mrexodia, do you have any suggestions on how to review and exercise this part of the code?
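
Added example, not part of the thread and not x64dbg's code or the fix from the PR: a bounds-checked walk over a PE Debug Directory that rejects a header size such as 0xfffff000 before the loop can run past the mapped file. The names `DebugDirEntry`, `count_codeview_entries` and `make_sample` are hypothetical. It assumes the directory RVA has already been translated to a file offset and that CodeView (type 2) is the only supported entry type.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Layout of IMAGE_DEBUG_DIRECTORY (28 bytes), redeclared so this builds without windows.h.
struct DebugDirEntry {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Type, SizeOfData, AddressOfRawData, PointerToRawData;
};
static_assert(sizeof(DebugDirEntry) == 28, "unexpected padding");
constexpr uint32_t kDebugTypeCodeView = 2; // IMAGE_DEBUG_TYPE_CODEVIEW

// True when [off, off + len) lies inside `size` bytes; written to avoid integer overflow.
static bool in_bounds(size_t size, uint64_t off, uint64_t len) {
    return off <= size && len <= size - off;
}

// Hypothetical helper. dirOffset is the directory's file offset (RVA already translated).
// Returns the count of CodeView entries with in-file raw data, or -1 for a bad directory.
int count_codeview_entries(const uint8_t* file, size_t fileSize, uint32_t dirOffset, uint32_t dirSize) {
    if (!in_bounds(fileSize, dirOffset, dirSize))
        return -1; // header size (e.g. 0xfffff000) runs past the mapped file
    int found = 0;
    for (size_t i = 0; i < dirSize / sizeof(DebugDirEntry); i++) {
        DebugDirEntry e;
        std::memcpy(&e, file + dirOffset + i * sizeof(e), sizeof(e));
        if (e.Type == kDebugTypeCodeView && in_bounds(fileSize, e.PointerToRawData, e.SizeOfData))
            found++;
    }
    return found;
}

// Constructed sample: a 256-byte "file" with a two-entry directory at offset 64.
std::vector<uint8_t> make_sample() {
    std::vector<uint8_t> f(256, 0);
    DebugDirEntry e[2] = {};
    e[0].Type = kDebugTypeCodeView; e[0].PointerToRawData = 128; e[0].SizeOfData = 32;
    e[1].Type = kDebugTypeCodeView; e[1].PointerToRawData = 200; e[1].SizeOfData = 0x1000;
    std::memcpy(f.data() + 64, e, sizeof(e));
    return f;
}

int main() {
    std::vector<uint8_t> f = make_sample();
    std::printf("sane: %d, bogus: %d\n", count_codeview_entries(f.data(), f.size(), 64, 56),
                count_codeview_entries(f.data(), f.size(), 64, 0xfffff000u));
}
```

The second constructed entry claims 0x1000 bytes of raw data in a 256-byte file, so it is skipped rather than read.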