I am sure it is a driver file that has been successfully signed, but the return of pe. IsSigned is indeed false

Here is my code

filename := "/mnt/c/demo/driver_x64.sys"
	pe, err := peparser.New(filename, &peparser.Options{
		Fast: true,
	})
	if err != nil {
		fmt.Printf("fail to open file! %v\n", err)
		return
	}
	defer pe.Close()

	err = pe.Parse()
	if err != nil {
		fmt.Printf("Failed to parse file! %v\n", err)
		return
	}

	if pe.Is32 {
		fmt.Println("x86")
	}

	if pe.Is64 {
		fmt.Println("x64")
	}

	if pe.IsDLL() {
		fmt.Println("DLL")
	}

	if pe.IsEXE() {
		fmt.Println("EXE")
	}

	if pe.IsDriver() {
		fmt.Println("DRIVER")
	}

	if pe.IsSigned {
		fmt.Println("Signed")
	} else {
		fmt.Println("Unsigned")
	}

Hey,

In symbol.go:266 you preallocate a slice with the given value of pe.NtHeader.FileHeader.NumberOfSymbols, this can be abused by malware to force an OOM error by providing a fake and absurdly high value. I suggest adding a configurable/sensible limit to prevent this.

I forked and added a hardcoded value for my own use, but a new config option and/or a sensible limit may help others.

Thanks

this is https://github.com/pandasec888/taowu-cobalt-strike/blob/master/script/SharpBypassUAC.exe

I just want to get his moduleName..
Used to label the file name.

package main

import (
    "fmt"
    peparser "github.com/saferwall/pe"
)

func main() {
    filename:=`C:\Users\a3ro\Desktop\6FAD3A96FE407982818CE27F73C78B8AC3B0902BD85F104DC85EEF092F4186DE.exe`
    pe, err := peparser.New(filename, nil)
    if err != nil {
        fmt.Printf("Error while opening file: %s, reason: %s", filename, err)
    }

    err = pe.Parse()
    if err != nil {
        fmt.Printf("Error while opening file: %s, reason: %s", filename, err)
    }
}

the value of Authentihash is different from virustotal. and Value overflow occurred which cause panic.

Is there a way using this package to extract multiple certificate chains that are present in a PE file? I am currently looking at a PE file that has multiple certificate chains. However the Parse function seems to only result 1 of those chains with 2 certs, but seems to skip over the remaining cert chains. Is there a slight modification that can be made to get those? Or do you know of any other go packages that currently do that?

Finally, great job with this package! It was really easy to use compared to some other libraries that I found :)

should:

func (pe *File) adjustSectionAlignment(va uint32) uint32 {
	var fileAlignment, sectionAlignment uint32

	switch pe.Is64 {
	case true:
		fileAlignment = pe.NtHeader.OptionalHeader.(ImageOptionalHeader64).FileAlignment
		sectionAlignment = pe.NtHeader.OptionalHeader.(ImageOptionalHeader64).SectionAlignment // here
	case false:
		fileAlignment = pe.NtHeader.OptionalHeader.(ImageOptionalHeader32).FileAlignment // here
		sectionAlignment = pe.NtHeader.OptionalHeader.(ImageOptionalHeader32).SectionAlignment
	}

	if fileAlignment < FileAlignmentHardcodedValue &&
		fileAlignment != sectionAlignment {
		pe.Anomalies = append(pe.Anomalies, ErrInvalidSectionAlignment)
	}

        if section_alignment < 0x1000:  # page size
            section_alignment = file_alignment

	// 0x200 is the minimum valid FileAlignment according to the documentation
	// although ntoskrnl.exe has an alignment of 0x80 in some Windows versions
	if sectionAlignment != 0 && va%sectionAlignment != 0 {
		return sectionAlignment * (va / sectionAlignment)
	}
	return va
}

While running a fuzzing session using the corkami corpus (corpus/) a certain file triggers a divide by zero panic when computing the modulo against section alignment of the file.

Resulting crash :

panic: runtime error: integer divide by zero

goroutine 1 [running]:
github.com/saferwall/pe.(*File).ParseNTHeader.func6(...)
	/home/echo/projects/saferwall/pe/ntheader.go:444
github.com/saferwall/pe.(*File).ParseNTHeader(0xc0000ac240, 0x0, 0x0)
	/home/echo/projects/saferwall/pe/ntheader.go:444 +0xf3e
github.com/saferwall/pe.(*File).Parse(0xc0000ac240, 0xc0000ac240, 0x604e02c3)
	/home/echo/projects/saferwall/pe/file.go:129 +0x127
github.com/saferwall/pe.Fuzz(0x7f0e504b5000, 0x138, 0x138, 0x4)
	/home/echo/projects/saferwall/pe/fuzz.go:10 +0x146
go-fuzz-dep.Main(0xc00004ff70, 0x1, 0x1)
	go-fuzz-dep/main.go:36 +0x1b8
main.main()
	github.com/saferwall/pe/go.fuzz.main/main.go:15 +0x52
exit status 2

Code responsible :

// The msdn states that SizeOfImage must be a multiple of the section
	// alignment. This is not true though. Adding it as anomaly.
	if (pe.Is32 && oh32.SizeOfImage%oh32.SectionAlignment != 0) ||
		(pe.Is64 && oh64.SizeOfImage%oh64.SectionAlignment != 0) {
		pe.Anomalies = append(pe.Anomalies, AnoInvalidSizeOfImage)
	}

This issue has been fixed and is here as reference.

saferwall/pe provides access to the parsed certificates. However, neither saferwall/pe nor the used pkcs7 module allow access the to the raw certificates content.

I would like to read the raw certificates content using saferwall/pe, to persist and analyze it externally.

Hi,

I'm so happy I've found this package/library! Great work. I'm planning to sunset the PE introspection functionality I've initially built into Fibratus in favour of your package. I was glancing at the code and noticed you rely on certutil to fetch the certificates you later use for validation. Since certutil is frequently abused by threats actors for nefarious purposes, I'm wondering if there is a way to download the certificates by interacting with some specific Windows API?

saferwall/pe makes use of the log package in exception.go which prevents me from using it in a CLI application:

2022/03/31 03:14:39 Wrong unwind opcode 15
2022/03/31 03:14:39 Wrong unwind opcode 15
2022/03/31 03:14:39 Wrong unwind opcode 14
2022/03/31 03:14:39 Wrong unwind opcode 13
2022/03/31 03:14:39 Wrong unwind opcode 12
…

saferwall/pe should not use logging on its own, as this often results in unexpected behavior.

The question is: shall we just drop that line and the log depedency as it is just a warning or do we need some logger-Interface/callback methods to be passed in the constructors?

https://github.com/saferwall/pe/blob/main/file.go：

should：

// Close closes the File.
func (pe *File) Close() error {
	if pe.data != nil {
		_ = pe.data.Unmap()
	}

	if pe.f != nil {
		return pe.f.Close()
	}
	return nil
}

I was interested in re-creating sbsign tool in golang, the only obstacle is that Authenticode hashes seem to be a headache. I found this library which looks very promising.

Am pretty sure there's an issue with the Authentihash function. I created a digest for a specific file using this library and then created another hash for the same file using: https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/tree/src/image.c#n510

I got different values. I'm pretty confident on the result of sbsign, I signed my kernel with that and UEFI secure boot verifies it. I'm sorry I can't provide much more details or logs. I would like to be more helpful than just pointing things out. I thought it was still worth opening this.

Cheers.

#74

I want to disable logging like this: "Failed to parse data directory Relocation, reason: invalid relocation information. Base Relocation VirtualAddress is outside of PE Image" but i didn't found out how to do it?

I want to pass in byte[] file for memory scanning.. You know
test

func NewBytes(buffer []byte, opts *Options) (*File, error) {

	tmpfile, err := ioutil.TempFile("", "example")
	_, _ = tmpfile.Write(buffer)

	// Memory map the file insead of using read/write.
	data, err := mmap.Map(tmpfile, mmap.RDONLY, 0)

	file := File{}
	if opts != nil {
		file.opts = opts
	} else {
		file.opts = &Options{}
	}
	file.data = data
	file.size = uint32(len(file.data))
	file.f = tmpfile
	return &file, nil
}

When the code is executed to print end, the file is still occupied and cannot be deleted

func main() {
	var wg sync.WaitGroup
	wg.Add(1)

	go func() {
		filename := "C:\\test.exe"
		pe, err := peparser.New(filename, &peparser.Options{Fast: true})
		if err == nil {
			pe.Close()
		}
		wg.Done()
	}()

	wg.Wait()
	fmt.Println("end")
}

How to get the certificate signature time of the pe file???

This will help on cases where someone has chosen explicitly a fast-load option, then later tried to parse a directory that depended on another directory.

Hi,

after running the pods i get an interanal error 500. cannot access ui

The check on line 302 in security.go should be "if !skipCertVerification" so that VerifyWithChain will be called.

https://learn.microsoft.com/en-us/windows/win32/menurc/versioninfo-resource

hi ,
would it be possible to rename pe.getOffsetFromRva to pe.GetOffsetFromRva so that one can get the offset in file of a specific rva ?
Thanks :)

• Load Config

It looks like there is some code that can output to stdout when using this library:

In anchore/syft you can see this with:

syft -o json --platform windows/amd64 registry:mcr.microsoft.com/windows/servercore:ltsc2019 > /tmp/file.txt

# cat /tmp/file.txt | more
unhandled metadata table 38 File offset 0x944426 cols 5
unhandled metadata table 38 File offset 0xafdd82 cols 5
unhandled metadata table 38 File offset 0x1e720 cols 1
unhandled metadata table 38 File offset 0x3015aa cols 5
unhandled metadata table 38 File offset 0x1e718 cols 1
unhandled metadata table 38 File offset 0x30171e cols 5
unhandled metadata table 38 File offset 0x45a cols 1
unhandled metadata table 38 File offset 0x45a cols 1
unhandled metadata table 38 File offset 0x45a cols 1
unhandled metadata table 38 File offset 0x45a cols 1
unhandled metadata table 38 File offset 0x45a cols 1
unhandled metadata table 38 File offset 0x45a cols 1
unhandled metadata table 38 File offset 0x43c cols 1
unhandled metadata table 38 File offset 0x44470 cols 1
unhandled metadata table 38 File offset 0x92d34e cols 5
unhandled metadata table 38 File offset 0x583f4 cols 1
unhandled metadata table 38 File offset 0xadac8a cols 5
{
 "artifacts": [
  {
   "id": "845df080a5c1592e",
   "name": " ",
   "version": "10.0.0.0",
   "type": "dotnet",
   "foundBy": "dotnet-portable-executable-cataloger",
...

Ideally there shouldn't be printing to stdout in library calls, instead returning an error or writing directly to a logger object would be preferred. The reason why is because the stdout from syft is expected to be valid JSON, which this prevents (where a logger would write this to stderr).