PE header data is returned partially with pefile 2024.8.26 #430
Comments
platomav
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
platomav
changed the title
Hello,
The latest pefile release, 2024.8.26, appears to incorrectly get the full data of the PE header in some cases. This can cause various issues later down the line, especially when attempting to "get_data()" and/or calculate hashes based on the size/end of the PE header.
I have attached below a sample PE binary, alongside its header data, which triggers the issue:
a8346d8cfa1c3241fa006216d22a679d6bf2d10bac33993cb728650ba6e2b4c6.zip
At pefile 2023.2.7, the header data size is 0x280. However, at 2024.8.26, the header data size is 0x270 instead. The missing data is 16 (0x10) bytes of (what appears to be) 0x00 padding at the end of the PE header:
After a few hours of debugging between 2023.2.7 and 2024.8.26, the issue seems to originate from this call:
pefile/pefile.py
Line 3322 in 4b3b1e2
Applying git blame on this call, the following commit by @erocarrera comes up:
Improve and document handling of PointerToRawData values (4934b7d)
I have confirmed that adding back those 0x10-sized null bytes at the end of the header data, does produce the same end-user results as pefile 2023.2.7.
The text was updated successfully, but these errors were encountered: