Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

get_memory_mapped_image leaves trash data in alignment regions #392

Open
heck-gd opened this issue Jan 30, 2024 · 0 comments
Open

get_memory_mapped_image leaves trash data in alignment regions #392

heck-gd opened this issue Jan 30, 2024 · 0 comments
Assignees
@erocarrera
Labels
bug

Comments

@heck-gd
Copy link

heck-gd commented Jan 30, 2024

In a memory mapped image, regions that exist due to section/page alignment requirements should contain zeroes. Currently, pefile bleeds section data into such regions.

Reproduction: Take any Windows binary that has file-aligned sections (so not a memory dump) and check what's at offset 0x400 (which in most common binaries is where the PE header ends).

>>> import pefile
>>> pe = pefile.PE(name="C:\\Windows\\explorer.exe")
>>> image = pe.get_memory_mapped_image()
>>> assert image[0x400:0x1000] != image[0x1000:0x1C00]
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
AssertionError

This can cause considerable confusion if you're doing a regex search over the mapped image and RIP-relative data references get screwed up.
@erocarrera erocarrera self-assigned this Jan 30, 2024
@erocarrera erocarrera added the bug label Jan 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@erocarrera erocarrera

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@erocarrera @heck-gd