PEFile: A Portable Executable Parser for Python
Ero Carrera created an excellent portable executable parser for Python called PEFile. We've taken his code and run it across our entire malware collection for use in a future version of our malware analyzer. Attached is a collection of all the bug fixes we've made. If anyone has any comments on the modifications, I would very much appreciate hearing them.
Here's a list of bugs fixed:
- Handle a poorly sized header entry, which caused the parser to read too much or too little data
- DOS-based malware has no OPTIONAL_HEADERS entry; this should be ignored rather than treated as an error
- The NT_HEADERS field can be missing or mangled
- Properly recover from a missing FILE header
- A file that declares too many RVAs (relative virtual addresses) causes resource exhaustion
- Handle a missing directory entry
- Recover from raw data sections that are referred to in the directories but omitted from the file
- Recover from mangled directory shenanigans
- The BOUND_FORWARDER reference can sometimes be missing for an unused section of the PE file
- Skip bad RVAs that have no use in the code but cause an analysis program to die
- Handle recursive directory entries in a PE
- Die gracefully on problems with the import lookup table or the import address table; these are the two references to the functions that need to be imported from DLLs
- Mis-sized strings are now handled correctly
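As an added illustration of the defensive parsing these fixes call for, the following header walker is example code written here; it is not pefile's code or the patch described above. It walks DOS header, NT headers, optional header and section table, downgrading every malformed field (out-of-bounds e_lfanew, missing or truncated optional header, absurd section and directory counts, raw data that runs past the end of the file) to a warning instead of an exception, and maps RVAs to file offsets without trusting them. The limits MAX_SECTIONS and MAX_DATA_DIRECTORIES and the sample image built by build_sample_pe are constructed assumptions for this example.

```python
"""Defensive PE header walker (added illustration, not pefile's code)."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hard limits chosen here to bound work on hostile input (assumed values).
MAX_SECTIONS = 96          # the Windows loader rejects images with more
MAX_DATA_DIRECTORIES = 16  # IMAGE_NUMBEROF_DIRECTORY_ENTRIES


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_pointer: int
    raw_size: int


@dataclass
class ParseResult:
    kind: str = "invalid"               # "invalid", "dos-only" or "pe"
    warnings: List[str] = field(default_factory=list)
    machine: int = 0
    entry_point: int = 0
    directories: List[Tuple[int, int]] = field(default_factory=list)
    sections: List[Section] = field(default_factory=list)


def parse_pe(data: bytes) -> ParseResult:
    """Walk DOS -> NT -> section headers, turning every bad field into a warning."""
    res = ParseResult()
    if len(data) < 64 or data[:2] != b"MZ":
        res.warnings.append("no DOS header")
        return res
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # NT_HEADERS = signature (4) + FILE_HEADER (20); both must fit in the file.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        res.kind = "dos-only"
        res.warnings.append("NT_HEADERS missing or mangled; treating as DOS executable")
        return res
    res.kind = "pe"
    fh = e_lfanew + 4
    res.machine, nsections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    sec_table = opt + size_opt          # section table follows the optional header
    if size_opt == 0:
        res.warnings.append("OPTIONAL_HEADER absent")
    elif opt + size_opt > len(data):
        res.warnings.append("OPTIONAL_HEADER truncated: claims %d bytes" % size_opt)
        size_opt = len(data) - opt      # parse only what is really there
    if size_opt >= 20:
        magic = struct.unpack_from("<H", data, opt)[0]
        res.entry_point = struct.unpack_from("<I", data, opt + 16)[0]
        # PE32 keeps NumberOfRvaAndSizes at +92 and the directories at +96; PE32+ at +108/+112.
        ndirs_off, dir_off = (opt + 108, opt + 112) if magic == 0x20B else (opt + 92, opt + 96)
        if ndirs_off + 4 <= opt + size_opt:
            ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
            if ndirs > MAX_DATA_DIRECTORIES:
                res.warnings.append("NumberOfRvaAndSizes capped from %d" % ndirs)
                ndirs = MAX_DATA_DIRECTORIES
            for i in range(ndirs):
                off = dir_off + 8 * i
                if off + 8 > opt + size_opt:
                    res.warnings.append("data directory %d truncated" % i)
                    break
                res.directories.append(struct.unpack_from("<II", data, off))
    if nsections > MAX_SECTIONS:
        res.warnings.append("NumberOfSections capped from %d" % nsections)
        nsections = MAX_SECTIONS
    for i in range(nsections):
        off = sec_table + 40 * i
        if off + 40 > len(data):
            res.warnings.append("section header %d truncated" % i)
            break
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        if rptr + rsize > len(data):
            # Raw data the header refers to is (partly) absent from the file: clamp it.
            res.warnings.append("section %d raw data exceeds file" % i)
            rsize = max(0, len(data) - rptr)
        res.sections.append(Section(name.rstrip(b"\0").decode("latin-1"), va, vsize, rptr, rsize))
    return res


def rva_to_offset(res: ParseResult, rva: int) -> Optional[int]:
    """Map an RVA to a file offset; None for an RVA that no raw data in the file backs."""
    for s in res.sections:
        span = max(s.virtual_size, s.raw_size)
        if s.virtual_address <= rva < s.virtual_address + span:
            delta = rva - s.virtual_address
            return s.raw_pointer + delta if delta < s.raw_size else None
    return None


def build_sample_pe(nsections: int = 1, raw_size: int = 0x100) -> bytes:
    """Constructed minimal PE32 image for exercising the parser (not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x14C, nsections, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, 0x1010, 0x20)       # import directory RVA/size
    sect = struct.pack("<8sIIII", b".text", 0x100, 0x1000, raw_size, 0x200) + b"\0" * 16
    hdr = dos + b"PE\0\0" + file_hdr + bytes(opt) + sect
    return hdr.ljust(0x200, b"\0") + b"\xC3" * 0x100             # section body at 0x200
```

Passing build_sample_pe() through parse_pe yields a clean result; truncating the image, zeroing the NT signature, inflating NumberOfSections or pointing SizeOfRawData past the end of the file each produce a ParseResult with warnings and whatever structures could still be recovered, which is the behaviour the fixes above aim for.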