Fileinfo tool reports strange section names #451
Comments
@s3rvac please note this fix changes detected section names in some samples. This might be relevant for the sample clustering - if it is done based on section names themselves, or related hashes. The old algorithm for PE section names:
This is obviously not ideal:
Solutions:
On section name length

We collected section names from a huge amount of samples and analyzed them.
Analysis:
The only problem that comes to my mind is a situation where 2 samples have the same garbage name in string table, but these are on different offsets. In such a case, clustering might have put them together before based on the same garbage, but won't do now because of different offsets (e.g.
@PeterMatula Thank you for the fix and explanation 👍
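The string-table case raised in the comments above (same garbage string, different offsets), as an added example that is not part of the original thread and is not RetDec's or fileinfo's code. It follows the PE/COFF convention that an 8-byte name field of the form `/<decimal offset>` refers to the COFF string table; the function names and both sample tables are constructed for illustration.

```python
import struct

def raw_section_name(field: bytes) -> str:
    """Name exactly as stored in the 8-byte header field, NUL padding stripped."""
    if len(field) != 8:
        raise ValueError("section name field must be 8 bytes")
    return field.split(b"\0", 1)[0].decode("latin-1")

def resolved_section_name(field: bytes, strtab: bytes) -> str:
    """Follow a '/<decimal offset>' reference into the COFF string table.

    Falls back to the raw name when the reference is malformed or points
    outside the table, so a garbage offset never reads out of bounds.
    """
    raw = raw_section_name(field)
    if not (raw.startswith("/") and raw[1:].isdecimal()) or len(strtab) < 4:
        return raw
    off = int(raw[1:])
    # The first 4 bytes of the string table hold its total size (little endian).
    size = min(struct.unpack_from("<I", strtab)[0], len(strtab))
    if off < 4 or off >= size:
        return raw
    end = strtab.find(b"\0", off, size)
    return raw if end == -1 else strtab[off:end].decode("latin-1")

def make_strtab(pad: int, name: bytes) -> bytes:
    """Constructed string table: size field, `pad` filler bytes, NUL, name, NUL."""
    body = b"x" * pad + b"\0" + name + b"\0"
    return struct.pack("<I", 4 + len(body)) + body

def compare_samples() -> dict:
    """Two constructed samples sharing one garbage string at different offsets."""
    garbage = b"\x01\xfe#junk"
    tab_a, tab_b = make_strtab(0, garbage), make_strtab(10, garbage)
    field_a, field_b = b"/5".ljust(8, b"\0"), b"/15".ljust(8, b"\0")
    return {
        "raw": (raw_section_name(field_a), raw_section_name(field_b)),
        "resolved": (resolved_section_name(field_a, tab_a),
                     resolved_section_name(field_b, tab_b)),
    }

if __name__ == "__main__":
    print(compare_samples())
```

A clustering key built from the resolved names groups the two constructed samples together, while a key built from the raw `/offset` names separates them.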
fileinfo reports strange section names inside the unpacked binary from the original sample hash: 4383FE67FEC6EA6E44D2C7D075B9693610817EDC68E8B2A76B2246B53B9186A1. This seems to be related to unpacked sample only.

Objdump crashes with the following output (running with unpacked sample):
fileinfo reports section names filled with zeros with a huge size: