Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Detection of TypeLib ID should also check for parent relationship #966

Closed
metthal opened this issue Jun 9, 2021 · 1 comment · Fixed by #983
Closed

Detection of TypeLib ID should also check for parent relationship #966

metthal opened this issue Jun 9, 2021 · 1 comment · Fixed by #983
Assignees
@HoundThe
Labels
bug C-fileformat T-format-pe

Comments

@metthal
Copy link
Member

metthal commented Jun 9, 2021

Detection of TypeLib ID in .NET samples is through CustomAttributes .NET table where it checks that it points to MemberRef table of GuidAttribute type. However there's one check missing and that is Parent relationship of the custom attribute which must point to AssemblyRef in order to be valid TypeLib ID. Otherwise we're detecting random GUIDs connected to just some types in the .NET module. Examples of samples:

36b7ac044cf48ef7babf72bdcb39df51713735db6a0b2e7d6a297c01d8ceee8a
460e993ef177d700fa571c9bcaf0f6a5a22e1bac9f68a42eda1f2f14ee847ebc
4d5af57da4d0c87249bd3855064a1081d34915e72829097a09f2d51b24544e1c
756684f4017ba7e931a26724ae61606b16b5f8cc84ed38a260a34e50c5016f59
76efb5ca3412d03d43c87c58059b87db13afcac25f6d4e9eff15a9578dc831a1
a581f21030a511664b0801aa3dcd7359b85ce4aa7cae793eac369d8749b9c39e
@HoundThe HoundThe self-assigned this Jul 6, 2021
@HoundThe
Copy link
Member

HoundThe commented Jul 8, 2021

Shouldn't the reference be to Assembly instead of AssemblyRef?

@HoundThe HoundThe mentioned this issue Jul 8, 2021
Merged
PeterMatula added a commit that referenced this issue Jul 16, 2021
@PeterMatula
CHANGELOG.md: add entry for #966 and #983
bde3eb5
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@HoundThe HoundThe

Labels
bug C-fileformat T-format-pe
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Check for TypeLib parent relationship HoundThe/retdec
2 participants
@metthal @HoundThe