VMProtect'd PE leads to "TLS Directory size is not the expected size"
I've tried rev.ng on quite a few VMProtect samples, and it errors out on almost all of them. Of a subset of 31 samples, only 4 could be lifted; the others could not be lifted with the same error. Example `revng --analyze lift --progress-plain` output:
```
Starting revng-artifact (2)
Starting Run analyses lists (2)
Starting Analysis list revng-initial-auto-analysis (4)
Starting Analysis execution (3)
Starting Produce steps required up to initial (1)
Starting Run step (3)
Clone and filter input containers
Starting Step initial (1)
Merging back
Ending Step initial
Run the step
Extract the requested targets
Ending Run step
initial
Ending Produce steps required up to initial
Produce step initial
Starting Import binary (2)
Import main binary
Ending Import binary
Run analysis
Ending Analysis execution
import-binary
Ending Analysis list revng-initial-auto-analysis
TLS Directory size (72) is not the expected size (40).
```
Please attach a reproducer.
Thanks for reporting this.
This may be malware.
password: infected
efd56b8a0c9633395e66e91150ad6a638b7eaf6eeceeac16b1ced5721b65c256.zip
We need to have better error reporting, but, as of now, this is an "invalid" PE according to LLVM (which we are based on for parsing PE).
We should:
- Emit a better error message (e.g., "Failed to parse binary file: ...").
- See if we can relax the assumptions LLVM makes, which is a bit risky.
I can see how malicious binaries might be doing tricks to let the parsing fail; it's something we'll have to tackle eventually.
In the meantime... maybe you can fix the binary and try again?
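A triage helper for the mismatch reported in this thread, as an added example that is not revng or LLVM code and not from any participant: it reads the TLS entry of the PE data directory, compares its Size field with the structure size for the image type (24 bytes for PE32, 40 for PE32+), and can write back the expected value. The function names and the header-only sample are constructed for illustration, and it is an assumption, not confirmed in the thread, that normalizing this field is enough for a given sample to be lifted.

```python
import struct

TLS_INDEX = 9  # IMAGE_DIRECTORY_ENTRY_TLS
# sizeof(IMAGE_TLS_DIRECTORY32) / sizeof(IMAGE_TLS_DIRECTORY64), by optional-header magic
EXPECTED = {0x10B: 24, 0x20B: 40}

def tls_entry_offset(data):
    """Return (file offset of the TLS data-directory entry or None, expected size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 4 + 20  # skip the signature and the COFF file header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in EXPECTED:
        raise ValueError("unknown optional header magic %#x" % magic)
    # Directories start at offset 96 (PE32) or 112 (PE32+); their count precedes them.
    dirs = opt + (96 if magic == 0x10B else 112)
    (count,) = struct.unpack_from("<I", data, dirs - 4)
    if count <= TLS_INDEX:
        return None, EXPECTED[magic]
    return dirs + 8 * TLS_INDEX, EXPECTED[magic]

def check_tls(data):
    """Return (rva, declared_size, expected_size), or None if there is no TLS directory."""
    off, expected = tls_entry_offset(data)
    rva, size = struct.unpack_from("<II", data, off) if off is not None else (0, 0)
    return (rva, size, expected) if rva else None

def normalize_tls_size(data):
    """Return a copy whose TLS directory Size field holds the expected value."""
    off, expected = tls_entry_offset(data)
    out = bytearray(data)
    if check_tls(data):
        struct.pack_into("<I", out, off + 4, expected)
    return bytes(out)

def build_sample(tls_size):
    """Constructed PE32+ headers only (no sections), used as demonstration input."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)             # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x20B)             # PE32+ magic
    struct.pack_into("<I", img, opt + 108, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 112 + 8 * TLS_INDEX, 0x3000, tls_size)
    return bytes(img)
```

Run `check_tls` over a sample set first to see which files declare a nonstandard size, and apply `normalize_tls_size` only to working copies so the original samples stay intact.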