-
Notifications
You must be signed in to change notification settings - Fork 163
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Manipulated PE can't execute #1
Comments
@jymcheong We've been looking at this over the last several weeks. This is caused by a parsing error in LIEF (https://lief.quarkslab.com/), the library used for parsing and manipulating PE files. Namely, some PE files parsed and re-written by LIEF are not functional whether or not they have been mutated. For example (no mutation): import lief
pe = lief.parse('putty.exe')
builder = lief.PE.Builder(pe)
builder.build_imports(True)
builder.patch_imports(True)
# if you remove the lines above (rebuild nothing), then the putty32-mod.exe should work
builder.build()
builder.write('putty32-mod.exe') Results in $ ./putty32-mod.exe
Segmentation fault This appears directly related to the LIEF library parsing errors you observed. If the target PE binary is already malformed (as is the case for a lot of malware and some benignware) the PE builder will a have some difficulties rebuilding a valid one, whether or not any functionality-preserving manipulations were performed. We've opened a dialog with authors of LIEF about this issue, and are hoping to help with a resolution. In the meantime, an unfortunate workaround is pre-filter PE files for which LIEF doesn't complain (no parsing errors). We're hoping to provide a simple python script for this as a stop-gap until LIEF parser errors are resolved. |
Thanks @drhyrum. It make senses now. I also chance upon this I guess we have to pre-filter the PEs for the time being. Btw, are there any resellers/reps of Endgame in asia, specifically Singapore? We are to keen to explore the product. |
Maybe this is due to the permissions of win10. |
Hi, I'm still getting similar issues right now. Since this is an old thread, I'm curious if there is a solution to this? I'm using MacOS and python 3.6 |
Those repo is no longer maintained. Can you try moving to this new repo:
https://github.com/bfilar/malware_rl
…On Tue, Jan 26, 2021, 10:58 AM Aritran Piplai ***@***.***> wrote:
Hi, I'm still getting similar issues right now. Since this is an old
thread, I'm curious if there is a solution to this? I'm using MacOS and
python 3.6
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AB3UVB24SJK2AVII6LOLBDDS337CPANCNFSM4D5B3P4Q>
.
|
I wrote a strip down script to test manipulate.modify_without_breaking
The result PE was executed within a Windows 7 32bit but not executable/functional.
The only action that produced functional PE was overlay_append which didn't use LIEF. I tested both GUI & console windows PEs with overlay_append, the resultant files have different sha256-sum from the originals and are functional.
Unfortunately, for other actions that involved LIEF are used, the new file is not functional. I am using macOS python3.6 for this test.
When I ran the script in console, I did notice some error message for all actions that involved LIEF:
Any idea what could be the issue? Thanks!
The text was updated successfully, but these errors were encountered: