Improve PE size / overlay start calculations #254
Conversation
Make it so that the following are handled better: - EXEs with Authenticode signatures being treated as overlay data - EXEs with a COFF symbol table / string table - EXEs with section headers but no data after
|
Hi, |
| # For the Security / Certificate Table, the VirtualAddress is | ||
| # a file offset instead of an RVA | ||
| largest_offset_and_size = update_if_sum_is_larger_and_within_file( | ||
| (directory.VirtualAddress, directory.Size)) |
There was a problem hiding this comment.
The first item in the tuple given to update_if_sum_is_larger_and_within_file() should be a file offset, not a virtual address.
There was a problem hiding this comment.
The comment above the call is meant to clarify this - for IMAGE_DIRECTORY_ENTRY_SECURITY, a file offset is stored in the VirtualAddress field instead of an actual Relative Virtual Address like in the other DIRECTORY_ENTRYs. For reference, see: https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format#the-attribute-certificate-table-image-only .
|
Here are two examples for each case: EXEs with Authenticode signatures
EXEs with a COFF symbol table / string table
EXEs with section headers but no data after
|
Implements fixes for #253
Make it so that the following are handled better:
I can contribute tests and/or test binaries too - what's the preferred way of doing this, given that the test data appears encrypted?