
empty database after scanning file (windows)

Open p-state opened this issue 9 years ago • 6 comments

Hello again. I noticed that binmap can't scan some files and exits without any error.

Example file: http://rgho.st/8HLM52dqN

C:\test>binmap scan drweb32.dll -v2 -o test.dat
blacklisting: "/dev"
blacklisting: "/proc"
blacklisting: "/sys"
blacklisting: "/tmp"
ApiSetMap::parse_apisetmap_v2: not implemented

C:\test>type test.dat
22 serialization::archive 10 0 0 0 0 1 0 0 0 1462888107 3 1 0 0 0 0 0 0 0 0 0 0 0 17 0 0 0 0 0 0 17 0

Directory scanning will be stopped when such a file occurs.

May 10 '16 13:05 p-state

@serge-sans-paille Hello. Is somebody working on this problem?

May 20 '16 09:05 p-state

On Fri, May 20, 2016 at 02:35:10AM -0700, hardboost wrote:

> @serge-sans-paille Hello. Is somebody working on this problem?

Ooops, totally forgot this one! I'll have a look this afternoon, thanks for the reminder!

May 20 '16 10:05 serge-sans-paille

@hardboost: I managed to reproduce your issue. It's the PE parser that fails to understand that this DLL is actually a well-formed DLL. I'll keep you in touch!

May 23 '16 08:05 serge-sans-paille

Hi @hardboost, we just checked the problem with @serge-sans-paille. It appears that all the section headers in this particular DLL have a Virtual Size set to 0. This prevents binmap from further calculating various virtual addresses inside the PE file. I'll check if it's possible to "emulate" the Windows loader's behavior in this case.

May 23 '16 08:05 neitsa
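One way a parser can tolerate section headers whose Virtual Size is 0 when translating addresses, as an added example that is not binmap's code or the fix discussed in this thread. It assumes the loader treats a zero VirtualSize as SizeOfRawData; the struct, function names and sample header bytes are constructed for illustration.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <vector>

// IMAGE_SECTION_HEADER fields (40 bytes on disk) needed for address mapping.
struct Section {
    uint32_t virtual_size;     // Misc.VirtualSize, offset 8
    uint32_t virtual_address;  // RVA of the section, offset 12
    uint32_t raw_size;         // SizeOfRawData, offset 16
    uint32_t raw_pointer;      // PointerToRawData, offset 20
};

static uint32_t le32(const uint8_t* p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | (uint32_t(p[3]) << 24);
}
Section parse_section(const std::array<uint8_t, 40>& h) {
    return {le32(&h[8]), le32(&h[12]), le32(&h[16]), le32(&h[20])};
}

// Assumption: VirtualSize == 0 is not an empty section; use SizeOfRawData.
uint32_t mapped_size(const Section& s) {
    return s.virtual_size != 0 ? s.virtual_size : s.raw_size;
}

// Translate an RVA to a file offset; -1 if no bytes in the file back it.
int64_t rva_to_offset(const std::vector<Section>& secs, uint32_t rva) {
    for (const Section& s : secs) {
        uint64_t end = uint64_t(s.virtual_address) + mapped_size(s);
        if (rva < s.virtual_address || rva >= end) continue;
        uint32_t delta = rva - s.virtual_address;
        if (delta >= s.raw_size) return -1;  // zero-filled tail, not on disk
        return int64_t(s.raw_pointer) + delta;
    }
    return -1;
}

// Constructed sample header: VirtualSize 0, VirtualAddress 0x1000,
// SizeOfRawData 0x400, PointerToRawData 0x400.
std::array<uint8_t, 40> sample_header() {
    std::array<uint8_t, 40> h{};
    h[13] = 0x10; h[17] = 0x04; h[21] = 0x04;  // second byte of each LE field
    return h;
}

int main() {
    int64_t off = rva_to_offset({parse_section(sample_header())}, 0x1234);
    std::printf("RVA 0x1234 -> file offset %lld\n", (long long)off);
}
```

A parser that uses VirtualSize directly sees an empty range for this section, so no RVA inside it resolves.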

Could you please share the Windows executable?

Aug 17 '16 09:08 scratcher28

@scratcher28 https://www.sendspace.com/file/qfumt0

Aug 18 '16 12:08 p-state