[BinHandler] Error in section reading #22

Closed
enkomio opened this issue Jul 15, 2019 · 11 comments
enkomio commented Jul 15, 2019

Describe the bug
I have a PE with the following sections:

Sec name | Virtual Size | Virtual Address | Raw Size | Raw Address
.text | 0x12A56 | 0x401000 | 0x12C00 | 0x400
.data | 0x1278 | 0x414000 | 0x200 | 0x13000
.reloc | 0x980 | 0x416000 | 0xA00 | 0x13200

If I try to read the content of the data section I receive the following error:

System.ArgumentException: 'Invalid address or size is given.
Parameter name: ReadBytes'

To Reproduce
Steps to reproduce the behavior:

  1. Consider the following source code:
        handler.FileInfo.GetSections()
        |> Seq.iter(fun section ->
            Console.Write("Read all data from section: {0} => ", section.Name)
            handler.ReadBytes(section.Address, int32 section.Size) |> ignore
            Console.WriteLine("DONE")
        )
  2. See error
Read all data from section: .text => DONE
Read all data from section: .data =>

System.ArgumentException: 'Invalid address or size is given.
Parameter name: ReadBytes'

Expected behavior
The full content of the section is read.

Environment (please complete the following information):

  • OS: Windows
  • B2R2 version 0.2.0

Additional context
This problem seems to be caused by a check on an invalid range. It wasn't present in the previous version.

@enkomio enkomio added the bug Something isn't working label Jul 15, 2019
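In the section table above, `.data` is the only section whose virtual size (0x1278) exceeds its raw size (0x200), so only its first 0x200 bytes exist in the file and the rest is zero-filled when mapped. The following is an added example, not part of the original report and not B2R2 code, showing a section read that handles that case; the `Section` type, the function names and the 0xAA-filled image are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Section:
    name: str
    vsize: int  # Virtual Size
    vaddr: int  # Virtual Address, exactly as listed in the report
    rsize: int  # Raw Size (bytes present in the file)
    raddr: int  # Raw Address (file offset)

# Values copied from the section table in the report.
SECTIONS = [
    Section(".text", 0x12A56, 0x401000, 0x12C00, 0x400),
    Section(".data", 0x1278, 0x414000, 0x200, 0x13000),
    Section(".reloc", 0x980, 0x416000, 0xA00, 0x13200),
]

def needs_zero_fill(sections):
    """Names of sections whose mapped size is larger than their file data."""
    return [s.name for s in sections if s.vsize > s.rsize]

def make_image(sections):
    """Constructed stand-in for the PE file: raw section bytes set to 0xAA."""
    image = bytearray(max(s.raddr + s.rsize for s in sections))
    for s in sections:
        image[s.raddr:s.raddr + s.rsize] = b"\xAA" * s.rsize
    return bytes(image)

def read_virtual(image, sections, addr, size):
    """Return `size` bytes at virtual address `addr` as they appear once mapped."""
    if size < 0:
        raise ValueError("negative size")
    for s in sections:
        off = addr - s.vaddr
        if off >= 0 and off + size <= s.vsize:
            backed = min(s.vsize, s.rsize)       # bytes that exist in the file
            n = max(0, min(size, backed - off))  # file-backed part of the read
            start = s.raddr + off
            if n and start + n > len(image):
                raise ValueError(f"{s.name}: raw data truncated in file")
            return image[start:start + n] + bytes(size - n)  # zero-fill tail
    raise ValueError(f"range {addr:#x}+{size:#x} is not inside any section")

if __name__ == "__main__":
    img = make_image(SECTIONS)
    for s in SECTIONS:
        data = read_virtual(img, SECTIONS, s.vaddr, s.vsize)
        print(s.name, hex(len(data)), "zero-filled:", hex(data.count(0)))
```

A reader that instead applied the virtual size to the file offset would ask for bytes up to 0x14278, past the 0x13C00 bytes that the table itself accounts for.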
@sangkilc
Member

Thanks for reporting the bug! I currently cannot reproduce the bug. I tried with some Windows files such as calc.exe, ntdll.dll, etc., but none of them seems to produce the bug. Can you upload your PE file somewhere?

@enkomio
Contributor Author

enkomio commented Jul 16, 2019

Hi,

find attached a base64 encoded version (as you can imagine, it is malware):

malware.txt

In order to trigger the bug, run the following code:

        let handler =        
            BinHandler.Init(
                ISA.OfString "x86", 
                ArchOperationMode.NoMode, 
                true, 
                Addr.MinValue, 
                (System.IO.File.ReadAllText >> System.Convert.FromBase64String)("malware.txt")
            )

        handler.FileInfo.GetSections()
        |> Seq.iter(fun section ->
            Console.Write("Read all data from section: {0} => ", section.Name)
            handler.ReadBytes(section.Address, int32 section.Size) |> ignore
            Console.WriteLine("DONE")
        )

sangkilc added a commit that referenced this issue Jul 16, 2019
@sangkilc
Member

Hmm.. this is really weird. I cannot reproduce it.

So I downloaded the malware.txt file (on Linux) and decoded the file to create a PE file called m.exe.

$ file m.exe
m.exe: PE32 executable (GUI) Intel 80386, for MS Windows

The SHA-1 hash of the PE file, before/after decoding is as follows:

5d13a5ebfb2f015ec6dd646872395f239bc5dae2  malware.txt
6ac0829d260061ea5a139cbfeb383808e5797feb  m.exe

And then I copy-pasted your code (without base64 decoding) into a local project, and ran the following:

$ dotnet run -- ./m.exe
Read all data from section: .text => DONE
Read all data from section: .data => DONE
Read all data from section: .reloc => DONE

No problem as you can see. To be clear, I didn't create an FSX script, but just used a dotnet project.

To help debug this issue, I just created a branch called debug. You can see my modification here: 29479e6

May I ask you to check out the debug branch, and go to the src/Utilities/FileViewer directory, and then run dotnet run -- <your PE file>? If you can still produce the issue with the same PE file on the branch, please let me know.

@sangkilc sangkilc self-assigned this Jul 16, 2019
@enkomio
Contributor Author

enkomio commented Jul 16, 2019

Hi,

sure, I'll do as you said and check if I can reproduce the problem in my environment.

@enkomio
Contributor Author

enkomio commented Jul 19, 2019

Hi @sangkilc,

I did a test as you said and I didn't receive any errors. After digging a bit I discovered that the problem was due to the fact that my project is not .NET Core and my Start Up point project didn't reference B2R2.Core. This caused some really weird behavior (I wasn't able to step into the Core routine due to a missing debug symbol file, ...).

In my case, the solution was to directly reference the B2R2.Core library, and not only the used libraries.

So in the end, this is definitely not a B2R2 bug but maybe it can be useful as a reference for others that have a mixed solution.

@enkomio enkomio closed this as completed Jul 19, 2019
@sangkilc
Member

Thanks for your report. May I ask what kind of .NET project it was? Was it .NET Framework 4.8? I really would be interested to reproduce this bug because I think "not referencing B2R2.Core" should not create this problem. A minimal example project would definitely help.

@sangkilc
Member

sangkilc commented Jul 21, 2019

Hi @enkomio ,

I have created a minimal project for .NET framework 4.7.2 @ https://github.com/sangkilc/testdotnet, but I still cannot reproduce the issue that you reported. Could you test with the project if you can reproduce it?

The project uses the B2R2 nuget package, and I presume you are using a different approach? If you can create a minimal project that looks like the one that I showed, and if the project triggers the same bug that you described, it will be extremely helpful for me to understand the problem. Please let me know, and thank you very much for your help!

@enkomio
Contributor Author

enkomio commented Jul 22, 2019

I'll try to create a Visual Studio project that triggers the problem

@sangkilc
Member

Thank you! Let me reopen this issue for now.

@sangkilc sangkilc reopened this Jul 22, 2019
@enkomio
Contributor Author

enkomio commented Jul 24, 2019

Hi,

I tried to create a basic solution that triggers the problem but after many tries I wasn't able to reproduce it. When I encountered the error I referenced the B2R2 framework as a sub-module in my solution. I tried also in this way, by creating a simple project that doesn't reference B2R2.Core (since this was the problem at the time). The solution doesn't compile (of course) since it is unable to create a BinHandler.

So in the end, I think it was a very border situation due to some problem with Visual Studio. Definitely not a bug in B2R2 (it is a False Report). Sorry for the wrong report.

@sangkilc
Member

No problem at all. Thank you for letting me know! Let me close this issue.
