PE: parser hangs while processing corkami's manyimportsW7.exe #523

@prettyroseslover

The current version of goblin hangs on parsing corkami's manyimportsW7.exe, which is described as:

W7-only binary use the TLS AddressOfIndex trick to clean its imports. On disk, the import table is full of bogus descriptors, which will be ignored on loading

Snippet to reproduce this behavior:

use std::fs;

use goblin::pe::options::ParseOptions;
use goblin::pe::options::ParseMode;
use goblin::pe;

fn main() {
    let path = "manyimportsW7.exe";
    let content = fs::read(path).unwrap();
    let mut parse_options = ParseOptions::default();
    parse_options.parse_mode = ParseMode::Permissive;

    let pe_file = pe::PE::parse_with_opts(&content, &parse_options).unwrap();
}

Other PE parsers, for example pedump, catch this trick:

[!] catched the 'imports terminator in TLS trick'

Taking into account that this sample is valid and somewhat popular with the community (as it is supported by other PE parsers, etc.), it would be nice to catch fake imports usage in order not to load them all.
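One way a parser could catch the trick reported above, as an added example that is not part of the original issue and is neither goblin's nor pedump's code. It assumes the loader stores a 4-byte TLS index of 0 at AddressOfIndex and stops at the first import descriptor whose Name or FirstThunk is zero; all function names and the sample table are constructed.

```rust
// Added example: names and sample bytes are constructed; this is not goblin's API.
const DESC_SIZE: usize = 20; // sizeof(IMAGE_IMPORT_DESCRIPTOR)
const NAME_OFF: usize = 12; // Name (RVA of the DLL name)
const THUNK_OFF: usize = 16; // FirstThunk (RVA of the IAT)

#[derive(Debug, PartialEq)]
enum Stop { NullTerminator, TlsIndexOverwrite, Truncated }

fn u32_at(b: &[u8], off: usize) -> Option<u32> {
    b.get(off..off + 4).map(|s| u32::from_le_bytes([s[0], s[1], s[2], s[3]]))
}

/// Returns how many descriptors are live once the image is loaded, and why the walk ended.
/// `table`: bytes at the import directory; `tls_index_rva`: TLS AddressOfIndex minus ImageBase.
fn walk_imports(table: &[u8], table_rva: u32, tls_index_rva: Option<u32>) -> (usize, Stop) {
    let mut mem = table.to_vec();
    // Simulate the loader's 4-byte store of the TLS index (assumed to be 0).
    if let Some(o) = tls_index_rva.and_then(|r| r.checked_sub(table_rva)).map(|o| o as usize) {
        if let Some(slot) = mem.get_mut(o..o + 4) { slot.fill(0); }
    }
    let mut n = 0;
    loop {
        let off = n * DESC_SIZE;
        let (name, thunk) = match (u32_at(&mem, off + NAME_OFF), u32_at(&mem, off + THUNK_OFF)) {
            (Some(a), Some(b)) => (a, b),
            _ => return (n, Stop::Truncated), // ran off the data: bounded, no hang
        };
        if name == 0 || thunk == 0 {
            // A terminator in memory that is not zero on disk was created by the TLS store.
            let live_on_disk = u32_at(table, off + NAME_OFF) != Some(0) && u32_at(table, off + THUNK_OFF) != Some(0);
            return (n, if live_on_disk { Stop::TlsIndexOverwrite } else { Stop::NullTerminator });
        }
        n += 1;
    }
}

/// Constructed sample: `count` bogus descriptors with no null terminator on disk.
fn sample_table(count: u32) -> Vec<u8> {
    (0..count)
        .flat_map(|i| vec![0x3000 + i, 0, 0, 0x4000 + i, 0x5000 + i])
        .flat_map(|f| f.to_le_bytes().to_vec())
        .collect()
}

fn main() {
    println!("{:?}", walk_imports(&sample_table(5), 0x2000, Some(0x2034)));
}
```

In a real parser the walk would also be bounded by the section or file size, which is what the `Truncated` case stands in for here.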
