Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle short MZ files #7

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Handle short MZ files #7

wants to merge 3 commits into from

Conversation

msbit
Copy link

@msbit msbit commented Jul 26, 2021

As per:

https://reverseengineering.stackexchange.com/questions/12993/how-to-quickly-distinguish-pe-dll-dos-mz-files-based-on-magic-numbers#answer-14031

check whether the value for e_lfanew is within the file, as old
MZ files may use that location for something else, creating an
invalid offset

@msbit
Copy link
Author

msbit commented Jul 26, 2021

This came up with the attached file, as it has 0x00000100 (65536) at offset 0x3c, which is beyond the size of the file (6506 bytes) causing a segfault when attempting to read the PE header.

main.zip

@msbit
Early return if not MZ
cafcdc9 
Rearrange the logic in `dump_file`, such that if the initial magic
for the file is not `MZ` it returns early
@msbit
Add comments for PE and NE magic
d9efb19
@msbit
Handle short MZ files
9b7c408 
As per:

  https://reverseengineering.stackexchange.com/questions/12993/how-to-quickly-distinguish-pe-dll-dos-mz-files-based-on-magic-numbers#answer-14031

check whether the value for `e_lfanew` is within the file, as old
MZ files may use that location for something else, creating an
invalid offset
@tkchia
Copy link
Contributor

tkchia commented Jan 6, 2023

Hello @msbit, hello @zfigura,

According to an old Developer Note from Microsoft (see https://jeffpar.github.io/kbarchive/kb/065/Q65122/ and elsewhere), the PE/NE header offset field is only valid if the MZ relocation table offset (e_lfarlc) is exactly 0x40:

The word at offset 18h in the old-style .EXE header contains the relative byte offset to the stub program's relocation table. If this offset is 40h, then the double word at offset 3Ch is assumed to be the relative byte offset from the beginning of the file to the beginning of the segmented executable header.

However, I realize not all new-style executables follow this — e.g. some UEFI modules blank out all the MZ header fields except the MZ magic and e_lfanew.

Perhaps a useful preliminary check, might be to see if e_lfarlc is exactly 0x40, or is a bogus value (< 0x1c).

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@msbit @tkchia