
Thread: PEiD imports parsing DoS

  1. #1

    PEiD imports parsing DoS

    can be used as an "anti" trick ;p

    Hash: SHA1

    - - Orange Bat advisory -

    Name : PEiD v0.94 exe File Parsing DoS
    Class : DoS
    Published : 2008-08-18
    Credit : g_ (g_ # orange-bat # com)

    - - Details -

    When parsing .exe files, PEiD will allocate memory to hold the
    file content. Size of this memory chunk will be divisible by
    0x1000 (4KB). If the file size is a multiple of 4KB and if
    the import table is located at the end of the file, import parsing
    procedure could try to read data off the heap -- to check if
    there are more valid import descriptors, memory pointer is advanced
    without bounds checking and this leads to access violation:

    .text:0043958B loc_43958B:
    .text:0043958B mov eax, [esi+10h] ;Oooops!
    .text:0043958E add esi, 14h
    .text:00439591 cmp eax, ebx
    .text:00439593 mov [esp+60h+var_4C], esi
    .text:00439597 jnz loc_4393FE

    Exe file can still run normally after modifying the IAT btw, see POC.

    - - Proof of concept -

    - - PGP -

    All advisories from Orange Bat are signed. You can find our public
    key here:

    - - Disclaimer -

    This document and all the information it contains is provided "as is",
    without any warranty. Orange Bat is not responsible for the
    misuse of the information provided in this advisory. The advisory is
    provided for educational purposes only.

    Permission is hereby granted to redistribute this advisory, providing
    that no changes are made and that the copyright notices and
    disclaimers remain intact.

    (c) 2008

    Version: GnuPG v1.4.9 (MingW32) - GPGshell v3.70

    -----END PGP SIGNATURE-----
    Last edited by _g_; August 19th, 2008 at 08:58.

  2. #2
    there is a similar, anyhow useless, DoS in the disassembler of PEiD 0.94,
    if it touches a long instruction at the end of a section.

  3. #3
    true, afaik it's wrapped with exception handler.

  4. #4
    hmm dunno about the exception handler, the issue is relatively straightforward:
    the import table is present, and is valid, however its size is marked as 0x3C,
    which = 3 import entries where only 2 are present; the last one would be a terminator
    and isn't 'included' in the exe file (it's terminated physically in the file after the 2nd
    entry).. PEiD scans forward and effectively hits a buffer overrun as mentioned...

    Protection ID doesn't suffer from this 'bug'..
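    The layout described in the advisory and in the post above (import directory at the very end of a 4 KiB-aligned file, declared size 0x3C, only two descriptors present, terminator missing) is easy to reproduce in memory. The following is an added example, not code from the advisory, PEiD or Protection ID: it builds such a file image in a constructed buffer, walks the descriptors the way the disassembly does (stride 0x14, stop when FirstThunk at +0x10 is zero, no bounds check) and then walks them with a bounded parser. The bytes after the file in the arena are an assumption standing in for whatever follows PEiD's heap chunk; they are filled with 0xAA so the unbounded walk keeps finding "descriptors", and the arena ends in zeros so the demo itself never reads outside its own allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IMAGE_IMPORT_DESCRIPTOR is 0x14 bytes and FirstThunk sits at +0x10; these
   match the stride and field offset in the advisory's disassembly
   (add esi,14h / mov eax,[esi+10h]). */
#define IMPORT_DESC_SIZE       0x14
#define IMPORT_DESC_FIRSTTHUNK 0x10

/* Constructed sample (not the real POC): a 4 KiB file whose import
   directory is its last 0x28 bytes (two descriptors).  The directory size
   claims 0x3C (three entries); the null terminator would be at FILE_LEN,
   i.e. past end-of-file, exactly the situation the advisory describes. */
#define FILE_LEN        0x1000
#define IMPORT_DIR_OFF  (FILE_LEN - 2 * IMPORT_DESC_SIZE)
#define IMPORT_DIR_SIZE 0x3C

/* Assumed heap neighbour: the file occupies the first FILE_LEN bytes of a
   larger arena; the remainder is 0xAA garbage with a zero tail as a
   safety stop for this demo. */
#define ARENA_LEN (FILE_LEN + 0x200)
static unsigned char arena[ARENA_LEN];

static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

void build_sample(void) {
    unsigned char *d;
    memset(arena, 0xAA, ARENA_LEN);                                   /* fake heap */
    memset(arena + ARENA_LEN - IMPORT_DESC_SIZE, 0, IMPORT_DESC_SIZE); /* demo stop */
    memset(arena, 0, FILE_LEN);                                       /* the file */
    d = arena + IMPORT_DIR_OFF;
    /* two descriptors with dummy Name/FirstThunk RVAs, like real imports */
    wr32(d + 0x0C, 0x3000);                    wr32(d + 0x10, 0x2000);
    wr32(d + IMPORT_DESC_SIZE + 0x0C, 0x3010); wr32(d + IMPORT_DESC_SIZE + 0x10, 0x2010);
    /* no terminating descriptor: it would start at FILE_LEN, outside the file */
}

/* Unbounded walk, as in the advisory: advance 0x14 bytes per entry until
   FirstThunk == 0, never comparing against the end of the buffer. */
size_t count_imports_naive(const unsigned char *file, size_t dir_off) {
    const unsigned char *p = file + dir_off;
    size_t n = 0;
    while (rd32(p + IMPORT_DESC_FIRSTTHUNK) != 0) { n++; p += IMPORT_DESC_SIZE; }
    return n;
}

/* Bounded walk: the directory is clamped to the file, every descriptor must
   lie wholly inside it, and a missing terminator is reported (1) rather
   than chased.  Returns 0 on a clean terminator, -1 on a bad offset. */
int count_imports_bounded(const unsigned char *file, size_t file_len,
                          size_t dir_off, size_t dir_size, size_t *count) {
    size_t off = dir_off, end;
    *count = 0;
    if (dir_off > file_len) return -1;
    end = (dir_size > file_len - dir_off) ? file_len : dir_off + dir_size;
    for (;;) {
        if (end - off < IMPORT_DESC_SIZE) return 1;   /* out of bytes, no null entry */
        if (rd32(file + off + IMPORT_DESC_FIRSTTHUNK) == 0) return 0;
        (*count)++;
        off += IMPORT_DESC_SIZE;
    }
}

/* Helpers that run both walks over the constructed sample. */
size_t demo_naive_count(void) {
    build_sample();
    return count_imports_naive(arena, IMPORT_DIR_OFF);
}
int demo_bounded(size_t *count) {
    build_sample();
    return count_imports_bounded(arena, FILE_LEN, IMPORT_DIR_OFF, IMPORT_DIR_SIZE, count);
}
size_t demo_bounded_count(void) { size_t n; demo_bounded(&n); return n; }
int demo_bounded_status(void)   { size_t n; return demo_bounded(&n); }

int main(void) {
    size_t n;
    printf("naive walk counted %zu descriptors (only 2 are in the file)\n",
           demo_naive_count());
    printf("bounded walk: status %d, %zu descriptors\n", demo_bounded(&n), n);
    return 0;
}
```

    The naive walk reports far more than two entries because it keeps reading 0xAA "descriptors" from the bytes after the file; on a real 4 KiB-multiple file with no slack in PEiD's chunk, that same step runs off the heap allocation, which is the access violation in the advisory. The bounded walk returns the two real entries and flags the missing terminator instead of dereferencing past the buffer, which is also the behaviour that lets a file like the POC still load normally.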

  5. #5
    Hm.. I tried scanning the POC file with PEiD and nothing seems to have gone wrong.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #6
    check disassembly / imports.

  7. #7
    Ah, right. Don't know why I hadn't thought of that.
