Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Magic: MWDB recognizes PE files as zip archives #969

Open
1 of 4 tasks
yankovs opened this issue Aug 15, 2024 · 1 comment
Open
1 of 4 tasks

Magic: MWDB recognizes PE files as zip archives #969

yankovs opened this issue Aug 15, 2024 · 1 comment
Labels
type:bug Something isn't working

Comments

@yankovs
Copy link
Contributor

yankovs commented Aug 15, 2024

Environment information

  • MWDB version (from /about): v2.12.0
  • Installation method:
    • mwdb.cert.pl service
    • From PyPi (pip install mwdb-core)
    • From docker-compose
    • Other (please explain)

Behaviour the bug (what happened?)

PE files sometimes get identified as being zip. They get the wrong magic identification in the type field

Expected behaviour

Have PE magic as normal

Screenshots

image
image

Additional context

PE files that get correctly identified by VT but wrong by MWDB:

  • ca74de5cdb4699b19f64ce28ae674b04a30f5004ccb407c552d73af32590c28b
  • a4d806800a7e2db9c3b0f91a7eb5560d78ccf172921a7dea732db40ede0ed92d
  • 969e044d2c3de643992af80d374f5e0a6bb308b0ae7c5ea5287028b5e3614531
  • 5b1be150225de6a35e9d3db41e566780138d4bc8bec6099be5b15de230f612a7

In our database, we've identified more than 2500 such samples, so there are more examples if needed.
@psrok1 psrok1 added the type:bug Something isn't working label Aug 19, 2024
@psrok1
Copy link
Member

psrok1 commented Aug 20, 2024

MWDB uses libmagic for that (the same thing as in file command) and it's regression in libmagic 5.44 (problem persists in 5.45)

$ ./file -m ../magic/magic.mgc -v
file-5.43
magic file from ../magic/magic.mgc

$ ./file -m ../magic/magic.mgc ~/ca74de5cdb4699b19f64ce28ae674b04a30f5004ccb407c552d73af32590c28b 
ca74de5cdb4699b19f64ce28ae674b04a30f5004ccb407c552d73af32590c28b: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

vs

$ ./file -m ../magic/magic.mgc -v
file-5.44
magic file from ../magic/magic.mgc

$ ./file -m ../magic/magic.mgc ~/ca74de5cdb4699b19f64ce28ae674b04a30f5004ccb407c552d73af32590c28b 
ca74de5cdb4699b19f64ce28ae674b04a30f5004ccb407c552d73af32590c28b: Zip archive, with extra data prepended

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type:bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@psrok1 @yankovs