Strange COFF file detection #421

mbandzi opened this issue Oct 25, 2018 · 1 comment
mbandzi commented Oct 25, 2018

File 8801bfdaf3a3568da4f1696d382854c6ae8be141d3ff861ab019817b1237aee3 is detected by fileformat (fileinfo) as COFF:

Input file               : original
CRC32                    : 42e55020
MD5                      : eba181f43fd28a6eba6a38775d5d6af7
SHA256                   : 8801bfdaf3a3568da4f1696d382854c6ae8be141d3ff861ab019817b1237aee3
File format              : COFF
File class               : 64-bit
File type                : Relocatable file
Architecture             : Unknown machine type (0)
Overlay offset           : 0
Overlay size             : 0x13000
Warning: Unknown compiler or packer.

However, it really seems to be a 32-bit PE with some leading zeroes.
After manual removal of leading zeros:

Input file               : fixed
CRC32                    : 4dabcf5a
MD5                      : da5f09bc61c1940edf88675619a9b674
SHA256                   : 9718cbc48647ffa9d072d7d55d5ae185dd6fb9fcf3af81d08229a12a8f7a9296
File format              : PE
File class               : 32-bit
File type                : Executable file
Architecture             : x86
Endianness               : Little endian
Image base address       : 0x400000
Entry point address      : 0x402a0f
Entry point offset       : 0x2a0f
Entry point section name : .text
Entry point section index: 0
Bytes on entry point     : 5589e553575683ec188b45088904248945f0e885f3ffff8b4df08b51388b7134893424895424048945ece8bbf1ffff8b45f0
Detected tool            : Microsoft Linker (12.0) (linker), combined heuristic
Detected tool            : LCC or similar (compiler), 8 from 8 significant nibbles (100%)
Rich header offset       : 0x80
Rich header key          : 0xa47ad95b
Rich header signature    : 0093780900000005000100000000000b000000000000000100de520d00000001
Overlay offset           : 0x7000
Overlay size             : 0xb92b

This is probably a bug in the file format detection.

@PeterMatula
Collaborator

The problem is that the code that decides this is a valid COFF is in LLVM - the COFF object constructor succeeds.

I didn't want to hack it in LLVM so I added some additional checks of the parsed COFF object that will determine if it is a valid COFF.
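As an added illustration (not RetDec's or LLVM's code) of the kind of post-parse validation the maintainer describes: a Python check that rejects a COFF header whose machine type is unknown (the reported file had 0) or whose section and symbol tables point past the end of the file, plus a companion check that looks for a PE image behind leading zero bytes. The accepted machine set, the 96-section limit and the sample inputs are assumptions constructed for the example.

```python
import struct
from typing import Optional

# IMAGE_FILE_MACHINE_* values accepted here (assumed subset): I386, AMD64, ARM, ARM64.
# The 96-section ceiling mirrors the PE loader limit and is an assumption for this check.
KNOWN_MACHINES = {0x014C, 0x8664, 0x01C0, 0xAA64}
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
SYMBOL_SIZE = 18

def coff_sanity(data: bytes) -> bool:
    """Reject a 'parsed' COFF whose header is implausible: unknown machine type
    (the reported file had 0), no sections, or tables pointing past end of file."""
    if len(data) < COFF_HEADER_SIZE:
        return False
    machine, nsects, _ts, symptr, nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, 0)
    if machine not in KNOWN_MACHINES or nsects == 0 or nsects > 96:
        return False
    sect_off = COFF_HEADER_SIZE + opt_size
    if sect_off + nsects * SECTION_HEADER_SIZE > len(data):
        return False
    for i in range(nsects):
        # SizeOfRawData and PointerToRawData sit at offset 16 of each section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_off + i * SECTION_HEADER_SIZE + 16)
        if raw_ptr and raw_ptr + raw_size > len(data):
            return False
    return not nsyms or symptr + nsyms * SYMBOL_SIZE <= len(data)

def find_embedded_pe(data: bytes) -> Optional[int]:
    """Return the offset of an MZ header (with e_lfanew -> 'PE\\0\\0') found after leading zero bytes, else None."""
    start = 0
    while start < len(data) and data[start] == 0:
        start += 1
    if data[start:start + 2] != b"MZ" or start + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, start + 0x3C)[0]
    pe_off = start + e_lfanew
    return start if data[pe_off:pe_off + 4] == b"PE\0\0" else None

# Constructed samples (not the file from the issue): a minimal x86 COFF object and a
# PE image preceded by 0x100 zero bytes, the shape the reporter describes.
def build_minimal_coff() -> bytes:
    hdr = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0, 0)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 4, 0, 4, 60, 0, 0, 0, 0, 0x60000020)
    return hdr + sect + b"\xC3\x90\x90\x90"

def build_zero_padded_pe(pad: int = 0x100) -> bytes:
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature right after the DOS header
    return b"\0" * pad + bytes(dos) + b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0, 0)
```

Run against the zero-padded sample, `coff_sanity` rejects it (machine type 0) while `find_embedded_pe` reports the real image at offset 0x100; the minimal COFF passes the sanity check and yields no embedded PE.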
