From 895b2106bb37358dfd4c094417b3313e4f7aff06 Mon Sep 17 00:00:00 2001 From: "m.prestel" Date: Thu, 5 Dec 2024 08:07:43 +0100 Subject: [PATCH] Loading an obfuscated file (obfuscated with RedGate SmartAssembly 6) results in an out of memory exception because the SizeOfData in the DebugHeader is invalid --> Ignore the DebugHeaderEntry if Characteristics != 0 --- Mono.Cecil.PE/ImageReader.cs | 6 ++++-- Test/Mono.Cecil.Tests/ImageReadTests.cs | 14 ++++++++++++++ .../Resources/assemblies/libhello_obfuscated.dll | Bin 0 -> 8704 bytes 3 files changed, 18 insertions(+), 2 deletions(-) create mode 100644 Test/Resources/assemblies/libhello_obfuscated.dll diff --git a/Mono.Cecil.PE/ImageReader.cs b/Mono.Cecil.PE/ImageReader.cs index a34e64d36..f73401e0a 100644 --- a/Mono.Cecil.PE/ImageReader.cs +++ b/Mono.Cecil.PE/ImageReader.cs @@ -351,8 +351,10 @@ void ReadDebugHeader () AddressOfRawData = ReadInt32 (), PointerToRawData = ReadInt32 (), }; - - if (directory.PointerToRawData == 0 || directory.SizeOfData < 0) { + + // directory.Characteristics <-- has to be 0 (https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#the-debug-section) + // if this is not the case, an obfuscation of the file could be the case resulting in wrong SizeOfData + if (directory.PointerToRawData == 0 || directory.Characteristics != 0 || directory.SizeOfData < 0) { entries [i] = new ImageDebugHeaderEntry (directory, Empty.Array); continue; } diff --git a/Test/Mono.Cecil.Tests/ImageReadTests.cs b/Test/Mono.Cecil.Tests/ImageReadTests.cs index fb5c558c6..fc1a48f4b 100644 --- a/Test/Mono.Cecil.Tests/ImageReadTests.cs +++ b/Test/Mono.Cecil.Tests/ImageReadTests.cs @@ -214,6 +214,20 @@ public void Net471TargetingAssembly () Assert.AreEqual (0, module.Image.SubSystemMinor); }); } + + [Test] + public void ObfuscatedAssembly () + { + using (var image = GetResourceImage ("libhello_obfuscated.dll")) { + Assert.AreEqual (3, image.DebugHeader.Entries.Length); + Assert.AreEqual (67, image.DebugHeader.Entries[0].Data.Length); + Assert.AreEqual (0, image.DebugHeader.Entries[1].Data.Length); + Assert.AreEqual (0, image.DebugHeader.Entries[2].Data.Length); + } + + + } + [Test] public void LocallyScopedConstantArray () diff --git a/Test/Resources/assemblies/libhello_obfuscated.dll b/Test/Resources/assemblies/libhello_obfuscated.dll new file mode 100644 index 0000000000000000000000000000000000000000..dfed95123953db5b0bc19490a93c92c372c4f87e GIT binary patch literal 8704 zcmeHMeQ+Dcb$@#}91b7|@c;>=BvOPzQ-(wl=9eW(u`N<0CDB7#AEac`l}A1RM-mQ* zgK~n7GfO4gO=YcAWucTRlv2ZoCsOlv-pbV1 zN3QWz9~mJU69H;Gadfsi+MA?otrI%YCU7*5`)ohz6rKS*3{t2R&u(DSey(X55BOXH zH1J8H2Km2I`=lpAbI^M;;{!xr^85KsUUdgi6j&H?r`9xl0FffX3~EIOeW*qeWnAlw z3;Ovc0JO=uzGr-}@5oe~N)FA^wgDgBORpeAljm& zgG7-X`!B&jC5`At(io1LxGltOzi7R=D@f~D4aWL7fSSU1iZYdk<0DdaNZS`G)^ai9YeYiwBgN2LNm11rCznM zzN0Uh2z6{(!g^7S(8Gq-8#UC{y|)>msf5}QHA0P3iI5R$-P`kq5o9GsFnQhc(lSHZ z7MV)dLt{Dy;3naugw6)u$hPSAI&gPx3fXW+#L&|Qszms59F5y9Z}LRo*+?Q{M9vp5 zRGm?G4igfIs1Z$Gf`E{7{&HiYzN68I8udoRsBfIUXeZF?%Rr|R^q15Ee%yI(r4-1H;L=tW)a{ROwQi}cCKJ>2RLmB6+u zvCw)WY$GotOpy_X;L|1@rK!3#AXx)1b=8N`ANFg=74Wlk|3S0v4TprPOCev6r5jzc# zyl8J{8P3QZoTIH!j;@BXDhbtOBG~^f1~613crl{Ms9!=jy)`lL_h^z~x`gO?qcnQa zMmi=h!4-bA4NbAJcp{BX2OzSULm1Up0(c48<|%D$vUj2}5lSZXj$4e7pI%OqGC zq_<07>V%MHX8==IaVDIS!PA$n14E{SE@KszG3tmJI-IW?x)C~G=y^(C37NJ&v@#(X zJTGENFJ?h>!wNA}#Oy!3m?86tHq+Y?F9ucLVZ$(#C9F(!x`CFkTGgFhOK_Fio(QG8 zVAT>9ysE^>?gp_<+o@{_?eY(x>k6z&_kj6EvQCLEVRupW_Qt8`L-pa*GTKjd)`jar zoyVl7cZ6F9PIYbwx9&T&CA&&?s;;9u+}e7owP`iCwIMsTN@&X(YN{^X%XY~DLv|nV z^z{GQqe28-SC)!qD&GBbwCMo2a*xaSkQ)tB|Y*dh=qAgZ^qHuLR+YnK2FPYKm8hgf_|MoMW3e6 z&;#^Y`VBfu=jc3rjvl0k==1b2JwlJtWAvN!1-gJ8=C|l^`fd6mJwf{?Zr(3=dqLqd z`E*aFD|3Cx9hegqDN5k$=5dFRtlwAhb3ObL2(jw+wlo%!V2c4(RT3o z=rC$NKl0dJ+V&UiENCtu#jTGj=`c1W7?+X^pl}yvN(8@So^T+Z0X$G4t;5i=W=r4u zFvpvLM%~m8?+r=#GYJO-bCxCi1M!m3XrIEIF$upe;Va4y6^+6HhSy5CFTgUlO8BIN zuLfQZX!Oq#z9V5&Wtkf!Jfd=|E#ae*^G6c@vHGs6(KSJaT@nsR_+XIxUX<{OAdmYe z690~buLW5fX$+e*mOQFWYZ~3JeHQQu$@v%U9pFlcTjPLSu&1K1Hv}S)0v?n&r{X>u zq%hpAk^nVMmZZ=QYRRWGNqyd@LX!H1PwA3+*{8ywh+e0+s2(~abU&zi(ISGNVxStR zUs5V(1lsn|&1h2*CuJ_0Ds0~u`PQg}3ks%M$eIkPX z`!E_qtP!yf{BAlYHUVCg@T;N)_|sx5;1#hQ@JC`N;7`SMbcEf5H9<-b3@l6PQ%&oX zU7*fLs-bCvvKQ3ZHEoZqp&nmDePs>x^cw29H58!)h{wALBY4!yVuv!!Cpk)hUKYK| zC_GlBa>_C63NNOZevDjY3Ohto8&eNSJHvE`q#mP3mD}N^$FK1uUsQ64&wsVANY>GJ zwlU?+wvPU44fVHcs5c~~!Ol6kHU%|f2`kjb3z@oWP@&s^2V|?DdC5O7;jn z;CY$`+(o8@1;D?ArOX+n&jqd`l8kSs-w$YFl>R&r6%SEBT`w+BLTv)vqBbLnX?3gk z8vTlTE#N(BM%+)IR(r%B(ihd;;Cx*j5Z|U(z_~#Gpl+hyqkjbc3N#-8+z^})uTy_; zO8hk)44wo&2K;rJl<=g4dA~Iaeo=B3B)rGx7r_4n@K-S6T|9d5jQA;iBlsm@h&O{z z0sedN8L?4>v~OY-TeNS>(f7wCDdS&7o0YFmN7r0oLEzS<*R)oxG>@tQWM42pz$2=cFLW57e9 zqkz%SE;=f<0A>)s3Sffn1>B5NAVbgM1jtbveGlhH8@)!qBjHPcZ(?OL42U-RA$?1H z1oCeIe+|KBJfO7EPmlq8H>{_h;R^MlxGc6S)5<&I`^XtDZ#m0W3h(7ehFTGX*HFJO ze-5c%&!)S&$|B7>IlBT`I-I@J%DFVL=(yHA zj0(`8iz6z#;94|n-(tImvoi}$&UCF6{=~dlaR(j8n$H#&Gc~^BbvS}g0jq@9Dw$j? zzqd`w{~Z3feR`GXLCf`yPFg$quvN5XVVy(c3q`k(Gaa|eqH!2#RgPIR&XJ0JX7N2e z57`Tjb$DjTtmGZ49?K`p;)2D-z}ssF@+C$}IXjONoQ~LcTNNw6f3Y@y`m^)o`T3Ap z$`>tIrE!-bq%uuBNc9X)<1GDCK;h{%BL zWDZ&-t5V3V^cb^qAEO-Wtr~7i^#nH^;_&;v%H&)diJOy^?S*>Ya_8(kjh0T^AG4@H z`>okR$)`pKoyAh_nB~BiB=I4$Sj?JoG#?o$<$dXjCpT2F5P%hDSN-ph3rFI0#uKPT zu-Z=2&-UGzo5UbMj(k1hKK6XMP&9e|$E>1xMqh8=gz*;UzB<4>BES<7|k-oF0sJu~^4 zd}p>Nx4W}%X4jrhGrOy+vnSiNyL*p?m%!fZ@8fXr)DBeac|Rw7yO>+$SdLvhEtAgY zpx1$dRYY3KYP2+CSF-}i>}Lh-FO)bD4-`$jPI}&#lCba8E#|!C=QJ@rW|d~$If)L< znH9Ll8+2UeLe&t@muq+)vEOtoo{LAVnvKV(4Lj;gxbSvP4kT@tfvpAHON1H;jYmv; zMzmZDCe_fIx*A7n8JRD;i&FD3%U!6HJk^UObH0%C?0CPEG9&W^mn|P1lWWN2<**t* zTpq&LN{7bs2<)jY@@SIXJYKio*5lW`emy~xW}%qF@*rL#5}YnnT(}n7X?3NKoXJ^b zPGVxeSF;jJw9Hc;Efw5?SuEUR4OS}VB6-kH5$QiaG}X!i|0WUh2bbrAssf(KbVPR{&;$yNkMj z^#JQaEBCQb_u%P;uKVQsXvg893uphPW9WshYoGi|?@zu*`Zw=6d17PVn-2uE_%#8| z*bvZK0;u~GEe13g(l*35Dtb)8Yl@~QnvTOf7D$mmErKaUG&kYfVocXlfq07^-`X4m z6>s6&h|ZUgcstOT4jB<+pzFf>LO@&iHZ!RtZ>^Z+TkKLT8xcnPZbzv6`kWTj<{xIM z>|$!osh8T7>F&;SXZpJE2?L`FV-Ixm#g+)jReax*NV9xr0cV&Q+%zDOKuE-JF^abv zH=?(3qaI3$miVACg4yv5+2(-GO-FT>J8m2WS5Z?GZ`VnQ-yUy|PX|-f5;vo%AST`3 z0#3UWD8PevNt^D{;3MNMDCa6Zt)&F_l%8we8cLwcU`)~VfF7TY-ws_mwCHgwUH~$v z<7Ow~%l8}0p9~Vkmmko0yybH+!q}jOU_1-}UB6<$@;OCLWZD?n5DLc!SygR=J&W0cM`yD=)3f=5d)#dA z&5POI96rOW6b0xIo_5@R+wtM|*u?O}kH6M2^ZKD9qi4HM7anfigybO_*?ST%hUJsB z*T8)001jH`hBTwHU}lc#p1YGD0y$BmL=a? zueMWa;C=l*Wc*)vfWK}KzJ<~9T5Y^j5O%fq^I7f?p2-3Hj>ma}GN#~TB%PoM{9<;3 zM(7x@Q94YwfF1=r0G!Jot8e2AIBQ;8@X1dW70_4db4czX0$NSnxenk3wTL}-luFo# zZ7Fk&ydh1Z)dbf;yNSD00j(up$202F7*fC{7g7cAXMc{S&q$dr%-Q?vle;?6PFN&r z^1~S2!CAn1%4^0+VYDu6v@5bFAX|a-iY;BZDXu((-y7;7&$Dr*Yzej(;V+ZsLF4*{ zzFC?Bj@uh%l);I_7?-rPYYc6(veyvW%d{vhn?)bKPp0q;%P|i7e4agzQS~HKA3Ro{ zoYxWPuwlUh=Irx-s4_!Yjzf2DxIQTL^&#l^@ Of0@I5sQdqy2mTvierlfp literal 0 HcmV?d00001