Add debug_details and load_config_timestamp to PE module. #1976
Debug information is actually stored as an array of debug entries. Historically YARA has only parsed the first available PDB path from this array. However, different debug entries can have different details (including different PDB paths) so I'm choosing to add a `pe.debug_details` array which exposes the type, timestamp and PDB path for each debug entry. I'm careful to maintain the current behavior of parsing the first available PDB path into `pe.pdb_path` so as to not break existing rules.

Fun fact for the above: I've found at least one MSFT binary that has different PDB paths (`System.Data.Entity.ni.pdb` and `System.Data.Entity.pdb`) in its respective debug entries.

This PR also adds support for LOAD CONFIGURATION parsing. It currently only pulls out the timestamp from there, but can be extended to add more if considered useful. I thought about adding the SEHHandlerCount, and maybe some of the CFG stuff, but decided against it as I'm not sure how useful it will be. The timestamps stored in this area seem to be all over the place in my testing but it may be useful to compare with other timestamps.
I've added a test case for the PDB improvements but haven't found a legit, non-malicious, binary with a timestamp in the LOAD CONFIGURATION structure yet.
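As an added illustration (not code from this PR or from YARA itself), the following Python walks an `IMAGE_DEBUG_DIRECTORY` array and shows why a per-entry view like `pe.debug_details` differs from the historical "first PDB path wins" behaviour of `pe.pdb_path`. The struct layout and CodeView signatures follow the PE format; the sample bytes, the function names and the reuse of the two PDB names mentioned above are constructed for this example.

```python
import struct
from typing import Optional

DEBUG_DIR_FMT = "<IIHHIIII"   # IMAGE_DEBUG_DIRECTORY: Characteristics, TimeDateStamp,
DEBUG_DIR_SIZE = struct.calcsize(DEBUG_DIR_FMT)  # Major, Minor, Type, SizeOfData,
IMAGE_DEBUG_TYPE_CODEVIEW = 2                    # AddressOfRawData, PointerToRawData (28 bytes)

def codeview_pdb_path(blob: bytes) -> Optional[str]:
    """Return the PDB path from a CodeView record (RSDS or NB10), or None."""
    if blob[:4] == b"RSDS":          # sig(4) + GUID(16) + age(4) + NUL-terminated path
        raw = blob[24:]
    elif blob[:4] == b"NB10":        # sig(4) + offset(4) + timestamp(4) + age(4) + path
        raw = blob[16:]
    else:
        return None
    return raw.split(b"\x00", 1)[0].decode("utf-8", errors="replace")

def parse_debug_entries(data: bytes, dir_offset: int, dir_size: int) -> list:
    """Walk every entry of the debug directory (not just the first) into dicts."""
    entries = []
    for off in range(dir_offset, dir_offset + dir_size, DEBUG_DIR_SIZE):
        if off + DEBUG_DIR_SIZE > len(data):   # truncated directory: stop, don't crash
            break
        _, timestamp, _, _, dtype, size, _, raw_ptr = struct.unpack_from(DEBUG_DIR_FMT, data, off)
        entry = {"type": dtype, "timestamp": timestamp, "pdb_path": None}
        # Only CodeView entries carry a PDB path; bounds-check the raw data pointer first.
        if dtype == IMAGE_DEBUG_TYPE_CODEVIEW and raw_ptr + size <= len(data):
            entry["pdb_path"] = codeview_pdb_path(data[raw_ptr:raw_ptr + size])
        entries.append(entry)
    return entries

def first_pdb_path(entries: list) -> Optional[str]:
    """Historical pe.pdb_path behaviour: the first entry that yields a path wins."""
    return next((e["pdb_path"] for e in entries if e["pdb_path"]), None)

def build_sample() -> tuple:
    """Constructed sample: two CodeView entries with different PDB paths and timestamps."""
    cv1 = b"RSDS" + bytes(16) + struct.pack("<I", 1) + b"System.Data.Entity.ni.pdb\x00"
    cv2 = b"RSDS" + bytes(16) + struct.pack("<I", 1) + b"System.Data.Entity.pdb\x00"
    dir_off, dir_size = 0, 2 * DEBUG_DIR_SIZE
    blobs_off = dir_off + dir_size   # PointerToRawData is an offset into this sample "file"
    e1 = struct.pack(DEBUG_DIR_FMT, 0, 0x5F000000, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW, len(cv1), 0, blobs_off)
    e2 = struct.pack(DEBUG_DIR_FMT, 0, 0x5F000001, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW, len(cv2), 0, blobs_off + len(cv1))
    return e1 + e2 + cv1 + cv2, dir_off, dir_size
```

A rule that keys only on `pe.pdb_path` would see just the first path here, while iterating the full entry list exposes both paths and both timestamps.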