hasherezade / bearparser

Portable Executable parsing library (from PE-bear)

Home Page: https://hasherezade.github.io/bearparser

License: BSD 2-Clause "Simplified" License

CMake 1.34% C++ 81.45% C 16.40% Shell 0.81%
bearparser multiplatform parser-library pe

bearparser's People

Contributors

0alastair1, cocateh, hasherezade, kek5chen, malwarezone, matugm, rizwan3d, take-off-lans, visuve

bearparser's Issues

Errors in parsing TLS callbacks

Test cases

tls_samples.zip

Issue:

A 64-bit PE file with a TLS callback (b87496ef49f62ba06a423018512e8923) gives an invalid parsing result:

$ einfo 15
[0] DOS Hdr
[1] Rich Hdr
[2] File Hdr
[3] Optional Hdr
[4] Data Directory
[5] Section Hdrs
[7] Imports
[8] Resources
[9] Exceptions Dir.
[11] Relocation Dir.
[12] Debug
[15] TLS
[16] LdConfig
wrapperNum: 
------
[TLS] size: 0028 fieldsCount: 6

[00038d70] StartAddressOfRawData	[000000014003B0C0 V]
[00038d78] EndAddressOfRawData	[000000014003B0C1 V]
[00038d80] AddressOfIndex	[0000000140040A70 V]
[00038d88] AddressOfCallBacks	[0000000140029408 V]
[00038d90] SizeOfZeroFill	[00000000 _]
[00038d94] Characteristics	[00100000 _]
------
Dump subentries of Index: : 0
$ 

Callback recognized by dumpbin:

    TLS Callbacks

          Address
          ----------------
          0000000140001120
          0000000000000000

In a module built as 32 bit, the TLS Callback (5718b0bcada97661a90b16e611795970) is also parsed invalidly: the address of the callback is misinterpreted as raw, and as a result, a wrong value is printed:

$ einfo 15
[0] DOS Hdr
[1] Rich Hdr
[2] File Hdr
[3] Optional Hdr
[4] Data Directory
[5] Section Hdrs
[7] Imports
[8] Resources
[11] Relocation Dir.
[12] Debug
[15] TLS
[16] LdConfig
wrapperNum: 
------
[TLS] size: 0018 fieldsCount: 6

[00030fc0] StartAddressOfRawData	[004333C0 V]
[00030fc4] EndAddressOfRawData	[004333C1 V]
[00030fc8] AddressOfIndex	[00436440 V]
[00030fcc] AddressOfCallBacks	[004261E8 V]
[00030fd0] SizeOfZeroFill	[00000000 _]
[00030fd4] Characteristics	[00100000 _]
------
Dump subentries of Index: : 0

------
[TLS Callback] size: 0004 fieldsCount: 1

[000261e8] TLS Callback	[0062002D V]
------
------
	 [TLS Callback] entriesCount: 0
$ 

Callback recognized by dumpbin:

    TLS Callbacks

          Address
          --------
          004010E0
          00000000
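
The translation that both cases above depend on, as an added C++ example (not bearparser's code and not part of the original issue): AddressOfCallBacks is a VA, so every array slot has to go from VA to RVA to file offset through the section table before it is read, with 4-byte slots for a 32-bit module and 8-byte slots for a 64-bit one. The image bases and section layouts are constructed; the callback addresses and the wrong value 0x0062002D are the ones quoted in the issue.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Only the section-header fields the address translation needs.
struct Section {
    uint32_t virt_addr;  // RVA of the section start
    uint32_t raw_ptr;    // file offset of the section start
    uint32_t raw_size;   // bytes of the section present in the file
};

struct Image {
    uint64_t image_base;
    bool is64;                      // 64-bit modules use 8-byte callback slots
    std::vector<Section> sections;
    std::vector<uint8_t> file;      // raw file content
};

// VA -> file offset; false when the VA is not backed by file data.
bool va_to_raw(const Image& img, uint64_t va, uint64_t& raw) {
    if (va < img.image_base) return false;
    const uint64_t rva = va - img.image_base;
    for (const Section& s : img.sections) {
        if (rva >= s.virt_addr && rva - s.virt_addr < s.raw_size) {
            raw = uint64_t(s.raw_ptr) + (rva - s.virt_addr);
            return true;
        }
    }
    return false;
}

// Bounds-checked little-endian read of one pointer-sized slot.
bool read_ptr(const Image& img, uint64_t raw, uint64_t& value) {
    const uint64_t width = img.is64 ? 8 : 4;
    if (raw > img.file.size() || img.file.size() - raw < width) return false;
    value = 0;
    for (uint64_t i = 0; i < width; ++i)
        value |= uint64_t(img.file[raw + i]) << (8 * i);
    return true;
}

// Walk the zero-terminated array that AddressOfCallBacks (a VA) points to.
// Every slot is translated on its own; `limit` bounds a missing terminator.
std::vector<uint64_t> tls_callbacks(const Image& img, uint64_t array_va,
                                    size_t limit = 1024) {
    std::vector<uint64_t> out;
    const uint64_t width = img.is64 ? 8 : 4;
    for (size_t i = 0; i < limit; ++i) {
        uint64_t raw = 0, cb = 0;
        if (!va_to_raw(img, array_va + i * width, raw)) break;
        if (!read_ptr(img, raw, cb) || cb == 0) break;
        out.push_back(cb);
    }
    return out;
}

// The failure mode from the 32-bit case: the RVA is used as a file offset.
uint64_t naive_first_callback(const Image& img, uint64_t array_va) {
    uint64_t cb = 0;
    read_ptr(img, array_va - img.image_base, cb);
    return cb;
}

static void put(std::vector<uint8_t>& f, uint64_t off, uint64_t v, int width) {
    for (int i = 0; i < width; ++i) f[off + i] = uint8_t(v >> (8 * i));
}

// Constructed 32-bit image: RVA 0x261E8 lives at file offset 0x255E8.
Image sample32() {
    Image img{0x400000, false, {}, std::vector<uint8_t>(0x27400)};
    img.sections.push_back(Section{0x1000, 0x400, 0x25000});
    img.sections.push_back(Section{0x26000, 0x25400, 0x2000});
    put(img.file, 0x255E8, 0x004010E0, 4);  // real callback, then a zero slot
    put(img.file, 0x261E8, 0x0062002D, 4);  // unrelated data at "raw == RVA"
    return img;
}

// Constructed 64-bit image: RVA 0x29408 lives at file offset 0x28808.
Image sample64() {
    Image img{0x140000000ULL, true, {}, std::vector<uint8_t>(0x29400)};
    img.sections.push_back(Section{0x1000, 0x400, 0x27000});
    img.sections.push_back(Section{0x28000, 0x27400, 0x2000});
    put(img.file, 0x28808, 0x140001120ULL, 8);
    return img;
}

int main() {
    const Image a = sample32(), b = sample64();
    std::printf("32-bit: correct %08llx, raw==RVA read %08llx\n",
                (unsigned long long)tls_callbacks(a, 0x004261E8)[0],
                (unsigned long long)naive_first_callback(a, 0x004261E8));
    std::printf("64-bit: correct %016llx\n",
                (unsigned long long)tls_callbacks(b, 0x140029408ULL)[0]);
    return 0;
}
```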

Stuck on parsing a malformed PE

Sample:

Parser gets stuck on parsing this sample.

The sample has an atypical section alignment:

    "sections_aligmnent": "0x1000",
    "file_aligmnent": "0x1",
    "sections": [
        {
            "name": "mbw",
            "raw_offset": "0x200",
            "raw_size": "0x580",
            "virtual_offset": "0x1000",
            "virtual_size": "0x580",
            "characteristics": "0x60000020",
            "entropy": 5.525607716586443
        },
        {
            "name": "hm",
            "raw_offset": "0x780",
            "raw_size": "0x30e",
            "virtual_offset": "0x2000",
            "virtual_size": "0x30e",
            "characteristics": "0x40000040",
            "entropy": 4.876276356664052
        },
        {
            "name": "therk",
            "raw_offset": "0xa8e",
            "raw_size": "0x4c",
            "virtual_offset": "0x3000",
            "virtual_size": "0x4c",
            "characteristics": "0x42000040",
            "entropy": 4.720582776146015
        }
    ]

The sample loads fine with PE-bear 0.5.5.3.

  • The issue appeared starting from the commit: 3330039

Overeager detection of imports

I'm making a PE writer and after adding imports, my output file wasn't working. I finally found out why after comparing it with corkami's pe101.exe.

If a file has an .idata section at raw address 0x200 and at virtual address 0x1000, and the import entry in the data directory points at address 0x200, pe-bear shows no warnings and displays the imports tab with content. But Windows won't populate the import address table, resulting in a segfault in most cases.

It might be worthwhile to add a warning for this case, though it's not that important.

Also, pe-bear colour codes some fields, but they aren't explained in the program. It might be helpful to add mouse-over tooltips for them.

value of the "characteristics" in the FileHeader tab is badly interpreted

I wanted to let you know that value of the "characteristics" in the FileHeader tab is badly interpreted and gives out a bad output.

For example:

I want to receive the following output:

2 - file is an executable (i.e. no unresolved external references)
10 - aggressively trim working set
20 - app can handle > 2 GB addresses
400 - if image is on removable media, copy and run from the swap file
800 - if image is on net media, copy and run from the swap file

which is in 1200 (dec) -> 04DD (hex), but instead it gives the output:

200 - debugging info stripped from file in the .DBG file
1000 - system file

Inventory notification

Your tool/software has been inventoried on Rawsec's CyberSecurity Inventory.

https://inventory.rawsec.ml/tools.html#bearparser
https://inventory.rawsec.ml/tools.html#Pe-bear

What is Rawsec's CyberSecurity Inventory?

An inventory of tools and resources about CyberSecurity. This inventory aims to help people to find everything related to CyberSecurity.

  • Open source: Every information is available and up to date. If an information is missing or deprecated, you are invited to (help us).
  • Practical: Content is categorized and table formatted, allowing to search, browse, sort and filter.
  • Fast: Using static and client side technologies resulting in fast browsing.
  • Rich tables: search, sort, browse, filter, clear
  • Fancy informational popups
  • Badges / Shields
  • Static API
  • Twitter bot

More details about features here.

Note: the inventory is a FLOSS (Free, Libre and Open-Source Software) project.

Why?

  • Specialized websites: Some websites are referencing tools but additional information is not available or browsable. Making additional searches takes time.
  • Curated lists: Curated lists are not very exhaustive, up to date or browsable and are very topic related.
  • Search engines: Search engines sometimes find nothing, some tools or resources are too unknown or non-referenced. This is where crowdsourcing is better than robots.

Why should you care about being inventoried?

Mainly because this is giving visibility to your tool, more and more people are using the Rawsec's CyberSecurity Inventory, this helps them find what they need.

Badges

The badge shows your community that you are inventoried. This also shows you care about your project and want it to grow, and that your tool is not abandonware.

Feel free to claim your badge here: http://inventory.rawsec.ml/features.html#badges, it looks like that Rawsec's CyberSecurity Inventory, but there are several styles available.

Want to thank us?

If you want to thank us, you can help make the project better known by tweeting about it! For example: Twitter URL

So what?

That's all, this message is just to notify you if you care.

Exception limit is too small for large binaries.

uint64_t ExceptionDirWrapper::EntriesLimit = 10000;

I think that the current limit for exceptions is too small. Large binaries such as ntoskrnl.exe can have over 30,000 entries while bearparser will only parse the first 10,000. This really caught me off guard while using PE-Bear 😅. On a similar note, the number of entries is just DIRECTORY_SIZE / sizeof(ENTRY), so there shouldn't be a need to check for a null-terminator in here:

if (entry->getPtr() == NULL) {
    delete entry;
    break;
}

...although it does make sense if you're expecting to deal with malformed binaries.

Bug in parsing LoadConfigDirectory

The number of fields should be calculated from the size in the header. Currently it is not; as a result, redundant fields are displayed.

Example:

ldconf_pebear_bug

Error in mapping Raw Size to Virtual Size (when Virtual Size is smaller)

Test cases:

1:
sample1

2:
sample2

Both samples have Virtual Size smaller than the Raw Size. It means not the whole Raw Size is going to be mapped.
However, Bearparser mistakenly uses the Raw Size as defined in the headers, over the Virtual Size. This leads to further errors in interpretation of the addresses.

What is really mapped in memory?

Example: cfccf5e157c00dc7104a750b2f9a8fc00fd323507277e8d616536c9084dc7586

This sample has Virtual Size defined as: 24B5 and Raw Size defined as 9400.
What is really mapped in memory is not exactly the Virtual Size, but the Virtual Size rounded up to File Alignment:

real_mapped

So, 24B5 rounded up to the File Alignment is 3000. We can make an experiment by appending a test string at the end of the section in the raw format:

sec_end1

And this is the end of the section in memory:

sec_end_virtual1

As we can see, indeed the whole 3000 bytes from the file have been mapped in this section.
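
The mapping rule described above, as an added C++ example (not bearparser's code and not part of the original issue): the mapped part of a section is the Virtual Size rounded up to the alignment, capped by the Raw Size and by the file length, and file offsets past it have no RVA. The 0x1000 alignment is assumed because it is the value that turns 24B5 into 3000; the section's RVA, its file offset and the file size are constructed, and the zero-Virtual-Size fallback is a loader convention that the issue does not cover.

```cpp
#include <cstdint>
#include <cstdio>

struct SectionHdr {
    uint32_t virt_addr;  // RVA of the section start
    uint32_t virt_size;  // Virtual Size from the header
    uint32_t raw_ptr;    // file offset of the section data
    uint32_t raw_size;   // Raw Size from the header
};

// Round v up to a multiple of unit. Works for any unit, not only powers of
// two; a unit of 0 or 1 leaves v unchanged.
uint64_t round_up(uint64_t v, uint64_t unit) {
    if (unit <= 1) return v;
    const uint64_t rem = v % unit;
    return rem ? v + (unit - rem) : v;
}

// Bytes of the file that are really mapped for this section, following the
// rule from the issue: Virtual Size rounded up to the alignment, capped by
// Raw Size and by what the file actually contains.
uint64_t mapped_raw_size(const SectionHdr& s, uint64_t alignment,
                         uint64_t file_size) {
    // Assumption (not from the issue): a zero Virtual Size means Raw Size.
    const uint64_t vsize = s.virt_size ? s.virt_size : s.raw_size;
    const uint64_t in_file = s.raw_ptr < file_size ? file_size - s.raw_ptr : 0;
    uint64_t n = round_up(vsize, alignment);
    if (n > s.raw_size) n = s.raw_size;
    if (n > in_file) n = in_file;
    return n;
}

// File offset -> RVA. False for offsets outside the mapped part, including
// the tail that lies inside Raw Size but never reaches memory.
bool raw_to_rva(const SectionHdr& s, uint64_t alignment, uint64_t file_size,
                uint64_t raw, uint64_t& rva) {
    if (raw < s.raw_ptr) return false;
    const uint64_t delta = raw - s.raw_ptr;
    if (delta >= mapped_raw_size(s, alignment, file_size)) return false;
    rva = uint64_t(s.virt_addr) + delta;
    return true;
}

// The behaviour the issue reports: Raw Size is trusted as the mapped size,
// so the unmapped tail receives RVAs that belong to whatever follows.
bool raw_to_rva_by_raw_size(const SectionHdr& s, uint64_t raw, uint64_t& rva) {
    if (raw < s.raw_ptr || raw - s.raw_ptr >= s.raw_size) return false;
    rva = uint64_t(s.virt_addr) + (raw - s.raw_ptr);
    return true;
}

// Sizes from the issue (Virtual Size 24B5, Raw Size 9400); the RVA, the file
// offset, the file size and the 0x1000 alignment are constructed.
const SectionHdr kSample = {0x1000, 0x24B5, 0x400, 0x9400};
const uint64_t kAlignment = 0x1000;
const uint64_t kFileSize = 0x9800;

int main() {
    uint64_t rva = 0;
    std::printf("mapped raw bytes: 0x%llx\n",
                (unsigned long long)mapped_raw_size(kSample, kAlignment, kFileSize));
    std::printf("file offset 0x3400 mapped: %d\n",
                (int)raw_to_rva(kSample, kAlignment, kFileSize, 0x3400, rva));
    std::printf("same offset, Raw Size trusted: %d\n",
                (int)raw_to_rva_by_raw_size(kSample, 0x3400, rva));
    return 0;
}
```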

heap-use-after-free on address 0x607000003198 at pc 0x55ec9fe3e839 bp 0x7fffc26256b0 sp 0x7fffc26256a0

Hi, I found a bug, heap-use-after-free at branch f99ddb8

  • Steps to reproduce
git clone https://github.com/hasherezade/bearparser.git
mkdir build
cd build
export CXXFLAGS="-fsanitize=address -static-libasan -g"
cmake ../bearparser
make -j 8
./commander/bearcommander ./poc
  • Platform
g++ (Ubuntu 11.2.0-19ubuntu1) 11.2.0
Copyright (C) 2021 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
  • ASAN
=================================================================
==4013525==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000003198 at pc 0x55e654fb4839 bp 0x7fffcf4473d0 sp 0x7fffcf4473c0
READ of size 8 at 0x607000003198 thread T0
    #0 0x55e654fb4838 in ResourceLeafWrapper::getExe() /tmp/bearparser/parser/include/bearparser/pe/rsrc/../ResourceLeafWrapper.h:42
    #1 0x55e654fb4570 in ResourceContentFactory::makeResContentWrapper(pe::resource_type, ResourceLeafWrapper*) /tmp/bearparser/parser/pe/rsrc/ResourceContentFactory.cpp:9
    #2 0x55e654fa6815 in ResourcesAlbum::wrapLeafsContent() /tmp/bearparser/parser/pe/rsrc/ResourcesAlbum.cpp:78
    #3 0x55e654f57383 in PEFile::wrap(AbstractByteBuffer*) /tmp/bearparser/parser/pe/PEFile.cpp:116
    #4 0x55e654f562ad in PEFile::PEFile(AbstractByteBuffer*) /tmp/bearparser/parser/pe/PEFile.cpp:50
    #5 0x55e654f56032 in PEFileBuilder::build(AbstractByteBuffer*) /tmp/bearparser/parser/pe/PEFile.cpp:36
    #6 0x55e654f4dfb0 in ExeFactory::build(AbstractByteBuffer*, ExeFactory::exe_type) /tmp/bearparser/parser/ExeFactory.cpp:51
    #7 0x55e654f21cae in main /tmp/bearparser/commander/main.cpp:74
    #8 0x7effb7367d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #9 0x7effb7367e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #10 0x55e654e4ba74 in _start (/tmp/build/commander/bearcommander+0x40a74)

0x607000003198 is located 8 bytes inside of 72-byte region [0x607000003190,0x6070000031d8)
freed by thread T0 here:
    #0 0x55e654ede16f in operator delete(void*, unsigned long) (/tmp/build/commander/bearcommander+0xd316f)
    #1 0x55e654fa10bc in ResourceLeafWrapper::~ResourceLeafWrapper() /tmp/bearparser/parser/include/bearparser/pe/ResourceLeafWrapper.h:25
    #2 0x55e654f9fc76 in ResourceEntryWrapper::clear() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:154
    #3 0x55e654fa15ca in ResourceEntryWrapper::~ResourceEntryWrapper() /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:86
    #4 0x55e654fa15f5 in ResourceEntryWrapper::~ResourceEntryWrapper() /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:86
    #5 0x55e654f9f5ec in ResourceDirWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:93
    #6 0x55e654f5c881 in ResourceDirWrapper::ResourceDirWrapper(PEFile*, ResourcesAlbum*, unsigned long, long, long) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:33
    #7 0x55e654f9fe4f in ResourceEntryWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:169
    #8 0x55e654fa1552 in ResourceEntryWrapper::ResourceEntryWrapper(PEFile*, ResourceDirWrapper*, unsigned long, long, ResourcesAlbum*) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:83
    #9 0x55e654f9f51a in ResourceDirWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:90
    #10 0x55e654f5c881 in ResourceDirWrapper::ResourceDirWrapper(PEFile*, ResourcesAlbum*, unsigned long, long, long) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:33
    #11 0x55e654f9fe4f in ResourceEntryWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:169
    #12 0x55e654fa1552 in ResourceEntryWrapper::ResourceEntryWrapper(PEFile*, ResourceDirWrapper*, unsigned long, long, ResourcesAlbum*) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:83
    #13 0x55e654f9f51a in ResourceDirWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:90
    #14 0x55e654f5c881 in ResourceDirWrapper::ResourceDirWrapper(PEFile*, ResourcesAlbum*, unsigned long, long, long) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:33
    #15 0x55e654f9fe4f in ResourceEntryWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:169
    #16 0x55e654fa1552 in ResourceEntryWrapper::ResourceEntryWrapper(PEFile*, ResourceDirWrapper*, unsigned long, long, ResourcesAlbum*) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:83
    #17 0x55e654f9f51a in ResourceDirWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:90
    #18 0x55e654f5c881 in ResourceDirWrapper::ResourceDirWrapper(PEFile*, ResourcesAlbum*, unsigned long, long, long) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:33
    #19 0x55e654f9fe4f in ResourceEntryWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:169
    #20 0x55e654fa1552 in ResourceEntryWrapper::ResourceEntryWrapper(PEFile*, ResourceDirWrapper*, unsigned long, long, ResourcesAlbum*) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:83
    #21 0x55e654f9f51a in ResourceDirWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:90
    #22 0x55e654f5c881 in ResourceDirWrapper::ResourceDirWrapper(PEFile*, ResourcesAlbum*, unsigned long, long, long) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:33
    #23 0x55e654f57197 in PEFile::wrap(AbstractByteBuffer*) /tmp/bearparser/parser/pe/PEFile.cpp:108
    #24 0x55e654f562ad in PEFile::PEFile(AbstractByteBuffer*) /tmp/bearparser/parser/pe/PEFile.cpp:50
    #25 0x55e654f56032 in PEFileBuilder::build(AbstractByteBuffer*) /tmp/bearparser/parser/pe/PEFile.cpp:36
    #26 0x55e654f4dfb0 in ExeFactory::build(AbstractByteBuffer*, ExeFactory::exe_type) /tmp/bearparser/parser/ExeFactory.cpp:51
    #27 0x55e654f21cae in main /tmp/bearparser/commander/main.cpp:74
    #28 0x7effb7367d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

previously allocated by thread T0 here:
    #0 0x55e654edd107 in operator new(unsigned long) (/tmp/build/commander/bearcommander+0xd2107)
    #1 0x55e654f9fe8b in ResourceEntryWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:172
    #2 0x55e654fa1552 in ResourceEntryWrapper::ResourceEntryWrapper(PEFile*, ResourceDirWrapper*, unsigned long, long, ResourcesAlbum*) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:83
    #3 0x55e654f9f51a in ResourceDirWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:90
    #4 0x55e654f5c881 in ResourceDirWrapper::ResourceDirWrapper(PEFile*, ResourcesAlbum*, unsigned long, long, long) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:33
    #5 0x55e654f9fe4f in ResourceEntryWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:169
    #6 0x55e654fa1552 in ResourceEntryWrapper::ResourceEntryWrapper(PEFile*, ResourceDirWrapper*, unsigned long, long, ResourcesAlbum*) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:83
    #7 0x55e654f9f51a in ResourceDirWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:90
    #8 0x55e654f5c881 in ResourceDirWrapper::ResourceDirWrapper(PEFile*, ResourcesAlbum*, unsigned long, long, long) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:33
    #9 0x55e654f9fe4f in ResourceEntryWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:169
    #10 0x55e654fa1552 in ResourceEntryWrapper::ResourceEntryWrapper(PEFile*, ResourceDirWrapper*, unsigned long, long, ResourcesAlbum*) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:83
    #11 0x55e654f9f51a in ResourceDirWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:90
    #12 0x55e654f5c881 in ResourceDirWrapper::ResourceDirWrapper(PEFile*, ResourcesAlbum*, unsigned long, long, long) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:33
    #13 0x55e654f9fe4f in ResourceEntryWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:169
    #14 0x55e654fa1552 in ResourceEntryWrapper::ResourceEntryWrapper(PEFile*, ResourceDirWrapper*, unsigned long, long, ResourcesAlbum*) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:83
    #15 0x55e654f9f51a in ResourceDirWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:90
    #16 0x55e654f5c881 in ResourceDirWrapper::ResourceDirWrapper(PEFile*, ResourcesAlbum*, unsigned long, long, long) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:33
    #17 0x55e654f9fe4f in ResourceEntryWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:169
    #18 0x55e654fa1552 in ResourceEntryWrapper::ResourceEntryWrapper(PEFile*, ResourceDirWrapper*, unsigned long, long, ResourcesAlbum*) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:83
    #19 0x55e654f9f51a in ResourceDirWrapper::wrap() /tmp/bearparser/parser/pe/ResourceDirWrapper.cpp:90
    #20 0x55e654f5c881 in ResourceDirWrapper::ResourceDirWrapper(PEFile*, ResourcesAlbum*, unsigned long, long, long) /tmp/bearparser/parser/include/bearparser/pe/ResourceDirWrapper.h:33
    #21 0x55e654f57197 in PEFile::wrap(AbstractByteBuffer*) /tmp/bearparser/parser/pe/PEFile.cpp:108
    #22 0x55e654f562ad in PEFile::PEFile(AbstractByteBuffer*) /tmp/bearparser/parser/pe/PEFile.cpp:50
    #23 0x55e654f56032 in PEFileBuilder::build(AbstractByteBuffer*) /tmp/bearparser/parser/pe/PEFile.cpp:36
    #24 0x55e654f4dfb0 in ExeFactory::build(AbstractByteBuffer*, ExeFactory::exe_type) /tmp/bearparser/parser/ExeFactory.cpp:51
    #25 0x55e654f21cae in main /tmp/bearparser/commander/main.cpp:74
    #26 0x7effb7367d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free /tmp/bearparser/parser/include/bearparser/pe/rsrc/../ResourceLeafWrapper.h:42 in ResourceLeafWrapper::getExe()
==4013525==ABORTING

poc: poc.zip

"ExeFactory.cpp" doesn't compile with Clang under Termux when running "build_qt5.sh"

(Originally found in PE-Bear, thought it should go here)

Was building PE-Bear and all went well until make reached "ExeFactory.cpp" and Clang spat out a massive warning/error message.

Clang error message:

In file included from /data/data/com.termux/files/home/bearparser/parser/ExeFactory.cpp:3:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DOSExe.h:4:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DosHdrWrapper.h:6:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/pe_formats.h:4:
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/pe_undoc.h:5:10: warning: the current #pragma pack alignment value is modified in the included file [-Wpragma-pack]
    5 | #include "../win_hdrs/pshpack4.h" // ensure that 4 byte packing (the default) is used
      |          ^
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/../win_hdrs/pshpack4.h:30:9: note: previous '#pragma pack' directive that modifies alignment is here
   30 | #pragma pack(4)
      |         ^
In file included from /data/data/com.termux/files/home/bearparser/parser/ExeFactory.cpp:3:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DOSExe.h:4:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DosHdrWrapper.h:6:
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/pe_formats.h:40:10: warning: the current #pragma pack alignment value is modified in the included file [-Wpragma-pack]
   40 | #include "../win_hdrs/pshpack4.h"                   // 4 byte packing is the default
      |          ^
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/../win_hdrs/pshpack4.h:30:9: note: previous '#pragma pack' directive that modifies alignment is here
   30 | #pragma pack(4)
      |         ^
In file included from /data/data/com.termux/files/home/bearparser/parser/ExeFactory.cpp:3:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DOSExe.h:4:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DosHdrWrapper.h:6:
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/pe_formats.h:41:10: warning: the current #pragma pack alignment value is modified in the included file [-Wpragma-pack]
   41 | #include "../win_hdrs/pshpack2.h"                   // 16 bit headers are 2 byte packed
      |          ^
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/../win_hdrs/pshpack2.h:30:9: note: previous '#pragma pack' directive that modifies alignment is here
   30 | #pragma pack(2)
      |         ^
In file included from /data/data/com.termux/files/home/bearparser/parser/ExeFactory.cpp:3:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DOSExe.h:4:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DosHdrWrapper.h:6:
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/pe_formats.h:152:10: warning: the current #pragma pack alignment value is modified in the included file [-Wpragma-pack]
  152 | #include "../win_hdrs/poppack.h"                    // Back to 4 byte packing
      |          ^
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/../win_hdrs/poppack.h:34:9: note: previous '#pragma pack' directive that modifies alignment is here
   34 | #pragma pack()
      |         ^
In file included from /data/data/com.termux/files/home/bearparser/parser/ExeFactory.cpp:3:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DOSExe.h:4:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DosHdrWrapper.h:6:
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/pe_formats.h:455:10: warning: the current #pragma pack alignment value is modified in the included file [-Wpragma-pack]
  455 | #include "../win_hdrs/pshpack2.h"                       // Symbols, relocs, and linenumbers are 2 byte packed
      |          ^
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/../win_hdrs/pshpack2.h:30:9: note: previous '#pragma pack' directive that modifies alignment is here
   30 | #pragma pack(2)
      |         ^
In file included from /data/data/com.termux/files/home/bearparser/parser/ExeFactory.cpp:3:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DOSExe.h:4:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DosHdrWrapper.h:6:
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/pe_formats.h:632:10: warning: the current #pragma pack alignment value is modified in the included file [-Wpragma-pack]
  632 | #include "../win_hdrs/poppack.h"
      |          ^
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/../win_hdrs/poppack.h:34:9: note: previous '#pragma pack' directive that modifies alignment is here
   34 | #pragma pack()
      |         ^
In file included from /data/data/com.termux/files/home/bearparser/parser/ExeFactory.cpp:3:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DOSExe.h:4:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DosHdrWrapper.h:6:
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/pe_formats.h:1120:10: warning: the current #pragma pack alignment value is modified in the included file [-Wpragma-pack]
 1120 | #include "../win_hdrs/pshpack8.h"                       // Use align 8 for the 64-bit IAT.
      |          ^
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/../win_hdrs/pshpack8.h:30:9: note: previous '#pragma pack' directive that modifies alignment is here
   30 | #pragma pack(8)
      |         ^
In file included from /data/data/com.termux/files/home/bearparser/parser/ExeFactory.cpp:3:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DOSExe.h:4:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DosHdrWrapper.h:6:
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/pe_formats.h:1132:10: warning: the current #pragma pack alignment value is modified in the included file [-Wpragma-pack]
 1132 | #include "../win_hdrs/poppack.h"                        // Back to 4 byte packing
      |          ^
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/../win_hdrs/poppack.h:34:9: note: previous '#pragma pack' directive that modifies alignment is here
   34 | #pragma pack()
      |         ^
In file included from /data/data/com.termux/files/home/bearparser/parser/ExeFactory.cpp:3:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DOSExe.h:4:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DosHdrWrapper.h:6:
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/pe_formats.h:1348:11: warning: the current #pragma pack alignment value is modified in the included file [-Wpragma-pack]
 1348 |  #include "../win_hdrs/pshpack4.h"                       // Use align 4
      |           ^
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/../win_hdrs/pshpack4.h:30:9: note: previous '#pragma pack' directive that modifies alignment is here
   30 | #pragma pack(4)
      |         ^
In file included from /data/data/com.termux/files/home/bearparser/parser/ExeFactory.cpp:3:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DOSExe.h:4:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DosHdrWrapper.h:6:
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/pe_formats.h:1461:10: warning: the current #pragma pack alignment value is modified in the included file [-Wpragma-pack]
 1461 | #include "../win_hdrs/poppack.h"                        // Back to the previous packing
      |          ^
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/../win_hdrs/poppack.h:34:9: note: previous '#pragma pack' directive that modifies alignment is here
   34 | #pragma pack()
      |         ^
In file included from /data/data/com.termux/files/home/bearparser/parser/ExeFactory.cpp:3:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DOSExe.h:4:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DosHdrWrapper.h:6:
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/pe_formats.h:1731:10: warning: the current #pragma pack alignment value is modified in the included file [-Wpragma-pack]
 1731 | #include "../win_hdrs/pshpack4.h"                   // 4 byte packing (DWORD alligned)
      |          ^
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/../win_hdrs/pshpack4.h:30:9: note: previous '#pragma pack' directive that modifies alignment is here
   30 | #pragma pack(4)
      |         ^
In file included from /data/data/com.termux/files/home/bearparser/parser/ExeFactory.cpp:3:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DOSExe.h:4:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DosHdrWrapper.h:6:
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/pe_formats.h:1804:10: warning: the current #pragma pack alignment value is modified in the included file [-Wpragma-pack]
 1804 | #include "../win_hdrs/poppack.h"                // Back to the initial value
      |          ^
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/../win_hdrs/poppack.h:34:9: note: previous '#pragma pack' directive that modifies alignment is here
   34 | #pragma pack()
      |         ^
In file included from /data/data/com.termux/files/home/bearparser/parser/ExeFactory.cpp:3:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DOSExe.h:4:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DosHdrWrapper.h:6:
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/pe_formats.h:1806:10: warning: the current #pragma pack alignment value is modified in the included file [-Wpragma-pack]
 1806 | #include "../win_hdrs/pshpack2.h"                   // 2 byte packing (WORD alligned)
      |          ^
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/../win_hdrs/pshpack2.h:30:9: note: previous '#pragma pack' directive that modifies alignment is here
   30 | #pragma pack(2)
      |         ^
In file included from /data/data/com.termux/files/home/bearparser/parser/ExeFactory.cpp:3:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DOSExe.h:4:
In file included from /data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DosHdrWrapper.h:6:
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/pe_formats.h:1897:10: warning: the current #pragma pack alignment value is modified in the included file [-Wpragma-pack]
 1897 | #include "../win_hdrs/poppack.h"                // Back to the initial value
      |          ^
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/../win_hdrs/poppack.h:34:9: note: previous '#pragma pack' directive that modifies alignment is here
   34 | #pragma pack()
      |         ^
In file included from /data/data/com.termux/files/home/bearparser/parser/ExeFactory.cpp:3:
/data/data/com.termux/files/home/bearparser/parser/include/bearparser/pe/DOSExe.h:56:22: error: expected unqualified-id
   56 |         const size_t PAGE_SIZE = 0x200;
      |                      ^
/data/data/com.termux/files/usr/include/sys/user.h:38:19: note: expanded from macro 'PAGE_SIZE'
   38 | #define PAGE_SIZE 4096
      |                   ^
14 warnings and 1 error generated.

Output of clang -v:

clang version 17.0.5
Target: aarch64-unknown-linux-android24
Thread model: posix
InstalledDir: /data/data/com.termux/files/usr/bin

Steps to reproduce:

1. Install all necessary packages

pkg in build-essentials \
clang \
cmake \
git \
qt5-qmake qt5-qtbase qt5-qtbase-cross-tools qt5-qtbase-gtk-platformtheme qt5-qtdeclarative qt5-qtdeclarative-cross-tools qt5-qtgraphicaleffects qt5-qtlocation qt5-qtmultimedia qt5-qtquickcontrols qt5-qtquickcontrols2 qt5-qtscript qt5-qtsensors qt5-qtserialport qt5-qtsvg qt5-qttools qt5-qttools-cross-tools qt5-qtwebchannel qt5-qtwebengine qt5-qtwebkit qt5-qtwebsockets qt5-qtx11extras qt5-qtxmlpatterns qt5ct

2. Clone bearparser:

git clone https://github.com/hasherezade/bearparser --depth=1

3. Run ./build_qt5.sh:

cd bearparser && ./build_qt5.sh

Building PE bear

Hello all,

I am trying to rebuild PE bear from source. Unfortunately, it seems that only pecommander is built. I cannot find the binary with the GUI anywhere. Does the source code contain only the command line tool?

Many thanks for any response.
