Skip to content

/ ghidra

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ghidra fails to parse packed/mangled PE file that runs on Windows #2858

Open
oxy opened this issue Mar 22, 2021 · 3 comments
Open

Ghidra fails to parse packed/mangled PE file that runs on Windows #2858

oxy opened this issue Mar 22, 2021 · 3 comments
Labels
Feature: Loader/PE Type: Bug

Comments

@oxy
Copy link

@oxy oxy commented Mar 22, 2021
edited

Describe the bug
GHIDRA currently fails to parse a PE file that executes on Windows. The file itself appears mangled/packed.

To Reproduce
Steps to reproduce the behavior:

  1. Create a new non-shared project.
  2. Import the file, available at https://github.com/kspalaiologos/compression/blob/b1bf66e7aeca44298120a34da578b336cbd70300/unpack.exe or in the attachment - into Ghidra.
  3. See stack trace.
Invalid file offset 208867231 while reading unpack.exe
java.io.EOFException: Invalid file offset 208867231 while reading unpack.exe
	at ghidra.app.util.bin.RandomAccessByteProvider.readBytes(RandomAccessByteProvider.java:140)
	at ghidra.app.util.bin.BinaryReader.readInt(BinaryReader.java:632)
	at ghidra.app.util.bin.format.pe.TLSDirectory.initTLSDirectory(TLSDirectory.java:89)
	at ghidra.app.util.bin.format.pe.TLSDirectory.createTLSDirectory(TLSDirectory.java:71)
	at ghidra.app.util.bin.format.pe.TLSDataDirectory.parse(TLSDataDirectory.java:116)
	at ghidra.app.util.bin.format.pe.TLSDataDirectory$$EnhancerByCGLIB$$9f905f88.CGLIB$parse$4(<generated>)
	at ghidra.app.util.bin.format.pe.TLSDataDirectory$$EnhancerByCGLIB$$9f905f88$$FastClassByCGLIB$$fc0297ce.invoke(<generated>)
	at net.sf.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:215)
	at generic.continues.ContinuesInterceptor.intercept(ContinuesInterceptor.java:39)
	at ghidra.app.util.bin.format.pe.TLSDataDirectory$$EnhancerByCGLIB$$9f905f88.parse(<generated>)
	at ghidra.app.util.bin.format.pe.DataDirectory.processDataDirectory(DataDirectory.java:80)
	at ghidra.app.util.bin.format.pe.TLSDataDirectory$$EnhancerByCGLIB$$9f905f88.CGLIB$processDataDirectory$8(<generated>)
	at ghidra.app.util.bin.format.pe.TLSDataDirectory$$EnhancerByCGLIB$$9f905f88$$FastClassByCGLIB$$fc0297ce.invoke(<generated>)
	at net.sf.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:215)
	at generic.continues.ContinuesInterceptor.intercept(ContinuesInterceptor.java:39)
	at ghidra.app.util.bin.format.pe.TLSDataDirectory$$EnhancerByCGLIB$$9f905f88.processDataDirectory(<generated>)
	at ghidra.app.util.bin.format.pe.TLSDataDirectory.initTLSDataDirectory(TLSDataDirectory.java:54)
	at ghidra.app.util.bin.format.pe.TLSDataDirectory.createTLSDataDirectory(TLSDataDirectory.java:44)
	at ghidra.app.util.bin.format.pe.OptionalHeaderImpl.processDataDirectories(OptionalHeaderImpl.java:416)
	at ghidra.app.util.bin.format.pe.OptionalHeaderImpl$$EnhancerByCGLIB$$81f337ef.CGLIB$processDataDirectories$31(<generated>)
	at ghidra.app.util.bin.format.pe.OptionalHeaderImpl$$EnhancerByCGLIB$$81f337ef$$FastClassByCGLIB$$1823e25f.invoke(<generated>)
	at net.sf.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:215)
	at generic.continues.ContinuesInterceptor.intercept(ContinuesInterceptor.java:39)
	at ghidra.app.util.bin.format.pe.OptionalHeaderImpl$$EnhancerByCGLIB$$81f337ef.processDataDirectories(<generated>)
	at ghidra.app.util.opinion.PeLoader.load(PeLoader.java:124)
	at ghidra.app.util.opinion.AbstractLibrarySupportLoader.doLoad(AbstractLibrarySupportLoader.java:347)
	at ghidra.app.util.opinion.AbstractLibrarySupportLoader.loadProgram(AbstractLibrarySupportLoader.java:83)
	at ghidra.app.util.opinion.AbstractProgramLoader.load(AbstractProgramLoader.java:112)
	at ghidra.plugin.importer.ImporterUtilities.importSingleFile(ImporterUtilities.java:400)
	at ghidra.plugin.importer.ImporterDialog.lambda$okCallback$7(ImporterDialog.java:349)
	at ghidra.util.task.TaskLauncher$1.run(TaskLauncher.java:88)
	at ghidra.util.task.Task.monitoredRun(Task.java:124)
	at ghidra.util.task.TaskRunner.lambda$startTaskThread$0(TaskRunner.java:104)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:834)

---------------------------------------------------
Build Date: 2020-Dec-29 1701 EST
Ghidra Version: 9.2.2
Java Home: /app/jdk
JVM Version: Flathub 11.0.8
OS: Linux 5.11.7-300.fc34.x86_64 amd64
Workstation: <unknown>

Expected behavior
File parses correctly and Ghidra loads.

Screenshots
N/A.

Attachments
https://www.virustotal.com/gui/file/682ecf2ed4d7a4112e73b8dc7313e5d872a77d74b8e9f22a90d6879f4f6ca78c/detection (Note, removed attachment on owner's request.)

Environment (please complete the following information):

  • OS: Linux - Fedora Silverblue 34, Flatpak
  • Java Version: 11.0.8
  • Ghidra Version: 9.2.2
  • Ghidra Origin: Flathub
@kspalaiologos
Copy link

@kspalaiologos kspalaiologos commented Mar 22, 2021
edited

The license with which the file is distributed explicitly disallows copying, reverse-engineering (in this context: mostly mentioning the results of it) and redistributing; the issue attachment(s) are a violation of the license. link
@oxy
Copy link
Author

@oxy oxy commented Mar 22, 2021

Reverse engineering is often explicitly permitted in laws of various countries, including mine, and any attempt by a license to restrict said rights are considered void. See section 52(1)(ac) of the Indian Copyright Act, for instance, which permits:

observation, study or test of functioning of the computer programme in order to determine the ideas and principles which underline any elements of the programme while performing such acts necessary for the functions for which the computer programme was supplied

I have removed the attachment and replaced it with a link to VirusTotal.
@ryanmkurtz ryanmkurtz added Feature: Loader/PE Type: Bug labels Mar 22, 2021
@ryanmkurtz
Copy link
Collaborator

@ryanmkurtz ryanmkurtz commented Mar 22, 2021
edited

The PE optional header is only 8 bytes, which Ghidra can't handle. When that is fixed (and possibly other parsing issues), the best Ghidra will be able to show is just the header, since there are no sections defined. There is probably unpacking code in the header tho.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Feature: Loader/PE Type: Bug
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
@ryanmkurtz @oxy @kspalaiologos