Some Restorator Bugs

waliedassar

2012-06-01 00:40:04

Version Affected: 3.70 Build 1747

1) A minor security issue when parsing .res files.

Demo:
http://www.4shared.com/file/yRtP77bP/Off_by_two.html

2) The size of the "IMAGE_OPTIONAL_HEADER" structure is assumed to be SizeOf(IMAGE_OPTIONAL_HEADER), 0xE0 in hex, while it can even be greater. Having the size be a greater value causes Restorator to discard the whole PE file.

Demo:
http://code.google.com/p/ollytlscatch/d ... x15DDs.exe

3) Restorator uses the "NumberOfRvaAndSizes" field, which can easily be forged to 0xFFFFFFFF. This causes Restorator to discard the whole PE file.

Demo:
http://code.google.com/p/ollytlscatch/d ... FFFFFF.exe

4) The section name can easily be changed from ".rsrc" to anything else. This causes Restorator to discard the whole PE.

Demo:
http://code.google.com/p/ollytlscatch/d ... o.rsrc.exe

5) Sections with the "Characteristics" field set to IMAGE_SCN_CNT_UNINITIALIZED_DATA among other characteristics are discarded by Restorator while parsed normally by PE loader.

Demo:
http://code.google.com/p/ollytlscatch/d ... IniSec.exe

N.B. Demo executables above are seen by Windows as valid ones.
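An added example, not part of the post above and not Restorator's own code: a small PE resource-directory locator in C that avoids the four header assumptions described in items 2 to 5. It trusts SizeOfOptionalHeader to find the section table instead of a fixed 0xE0, clamps NumberOfRvaAndSizes to the conventional 16 entries so a forged 0xFFFFFFFF is harmless, finds the resource section by the data directory RVA rather than by the name ".rsrc", and ignores the section Characteristics entirely. The image it parses is constructed inline with exactly those four oddities; it is not one of the demo files linked above, and the function and section names are assumptions. A second, deliberately naive locator with the described assumptions is included so the contrast is visible. Item 1 (the .res parser) is not covered because the post gives no details of it.

```c
/* Added example, not Restorator's code: locate the resource directory of a
 * PE file without the four header assumptions discussed above. Fields are
 * read by byte offset, so this compiles on any platform. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_SCN_CNT_INITIALIZED_DATA   0x00000040u
#define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080u
#define IMAGE_SCN_MEM_READ               0x40000000u
#define DIR_RESOURCE 2u      /* IMAGE_DIRECTORY_ENTRY_RESOURCE */
#define MAX_DIRS     16u     /* IMAGE_NUMBEROF_DIRECTORY_ENTRIES */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Returns 0 and fills *rva / *file_off, or a negative code. Trusts
 * SizeOfOptionalHeader (item 2), clamps NumberOfRvaAndSizes (item 3) and
 * matches the section by address, ignoring Name (4) and Characteristics (5). */
int locate_resources(const uint8_t *img, size_t len, uint32_t *rva, uint32_t *file_off)
{
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;                 /* "MZ" */
    uint32_t nt = rd32(img + 0x3C);                                   /* e_lfanew */
    if (nt > len - 24 || rd32(img + nt) != 0x00004550) return -2;     /* "PE\0\0" */
    uint16_t nsec = rd16(img + nt + 6), opt_size = rd16(img + nt + 20);
    uint32_t opt = nt + 24;
    if (opt_size < 2 || opt_size > len - opt) return -3;
    uint32_t ndirs_off, dir_off;
    switch (rd16(img + opt)) {                                        /* Magic */
    case 0x10B: ndirs_off = opt + 0x5C; dir_off = opt + 0x60; break;  /* PE32  */
    case 0x20B: ndirs_off = opt + 0x6C; dir_off = opt + 0x70; break;  /* PE32+ */
    default:    return -4;
    }
    uint32_t entry = dir_off + 8 * DIR_RESOURCE;
    if (ndirs_off + 4 > opt + opt_size || entry + 8 > opt + opt_size) return -5;
    uint32_t ndirs = rd32(img + ndirs_off);
    if (ndirs > MAX_DIRS) ndirs = MAX_DIRS;        /* a forged 0xFFFFFFFF is harmless */
    if (ndirs <= DIR_RESOURCE) return -6;
    uint32_t res_rva = rd32(img + entry), res_size = rd32(img + entry + 4);
    if (res_rva == 0 || res_size == 0) return -7;
    uint32_t sec = opt + opt_size;                 /* section table follows the header */
    if (nsec == 0 || (uint64_t)sec + 40u * nsec > len) return -8;
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *s = img + sec + 40u * i;
        uint32_t vsz = rd32(s + 8), va = rd32(s + 12), rsz = rd32(s + 16), raw = rd32(s + 20);
        uint32_t span = vsz ? vsz : rsz;           /* VirtualSize may be zero */
        if (res_rva < va || res_rva - va >= span) continue;
        uint32_t delta = res_rva - va;
        if (delta >= rsz || (uint64_t)raw + rsz > len) return -9;  /* not backed by file data */
        *rva = res_rva; *file_off = raw + delta;
        return 0;
    }
    return -10;
}

/* The assumptions the post describes, written out for contrast: fixed 0xE0
 * optional header, trusted NumberOfRvaAndSizes, section must be named
 * ".rsrc" and must not carry IMAGE_SCN_CNT_UNINITIALIZED_DATA. */
int naive_locate(const uint8_t *img, size_t len, uint32_t *file_off)
{
    if (len < 0x200) return -1;
    uint32_t nt = rd32(img + 0x3C), opt = nt + 24;
    if (rd16(img + nt + 20) != 0xE0) return -2;                        /* item 2 */
    if (rd32(img + opt + 0x5C) > MAX_DIRS) return -3;                  /* item 3 */
    for (uint16_t i = 0, n = rd16(img + nt + 6); i < n; i++) {
        const uint8_t *s = img + opt + 0xE0 + 40u * i;
        if (memcmp(s, ".rsrc\0\0\0", 8) != 0) continue;                /* item 4 */
        if (rd32(s + 36) & IMAGE_SCN_CNT_UNINITIALIZED_DATA) return -5; /* item 5 */
        *file_off = rd32(s + 20);
        return 0;
    }
    return -4;
}

/* Constructed test image (not one of the post's demos): PE32 with
 * SizeOfOptionalHeader = 0xF0, NumberOfRvaAndSizes = 0xFFFFFFFF, resources
 * in a section named ".blah" flagged INITIALIZED|UNINITIALIZED_DATA. */
#define IMG_LEN 0x600
size_t build_odd_pe(uint8_t *img)
{
    const uint32_t nt = 0x80, opt = nt + 24, sec = opt + 0xF0;
    memset(img, 0, IMG_LEN);
    wr16(img, 0x5A4D); wr32(img + 0x3C, nt); wr32(img + nt, 0x00004550);
    wr16(img + nt + 4, 0x014C); wr16(img + nt + 6, 2); wr16(img + nt + 20, 0xF0);
    wr16(img + opt, 0x10B);
    wr32(img + opt + 0x5C, 0xFFFFFFFFu);                       /* forged count */
    wr32(img + opt + 0x60 + 8 * DIR_RESOURCE, 0x3000);         /* resource RVA  */
    wr32(img + opt + 0x60 + 8 * DIR_RESOURCE + 4, 0x40);       /* resource size */
    uint8_t *s0 = img + sec, *s1 = img + sec + 40;
    memcpy(s0, ".text\0\0\0", 8); wr32(s0 + 8, 0x1000); wr32(s0 + 12, 0x1000);
    wr32(s0 + 16, 0x200); wr32(s0 + 20, 0x200); wr32(s0 + 36, 0x60000020);
    memcpy(s1, ".blah\0\0\0", 8); wr32(s1 + 8, 0x1000); wr32(s1 + 12, 0x3000);
    wr32(s1 + 16, 0x200); wr32(s1 + 20, 0x400);
    wr32(s1 + 36, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ);
    return IMG_LEN;
}

int main(void)
{
    uint8_t img[IMG_LEN]; uint32_t rva = 0, off = 0, noff = 0;
    size_t n = build_odd_pe(img);
    printf("robust: %d rva=0x%X file_off=0x%X\n", locate_resources(img, n, &rva, &off), rva, off);
    printf("naive : %d\n", naive_locate(img, n, &noff));
    return 0;
}
```

On the constructed image the robust locator reports the resource directory at RVA 0x3000, file offset 0x400, while the naive one refuses the file at the very first check. Every offset the robust version dereferences is bounded by the file length or by the declared SizeOfOptionalHeader, so an oversized section count or a directory entry placed past the header is reported as an error rather than read out of bounds.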

florian

2012-06-01 13:42:01

Hi, thank you very much! Interesting test cases, though I'm not sure you'll see many such exe files "in the wild". I'll see to fix those issues for the next version.

Regards,
Florian

PS: I have trouble downloading the .res file (issue 1). Could you attach it to this forum? thanks.

waliedassar

2012-06-01 14:00:41

There you go.
Attachment: Off_by_two.rar (POC .res file, 124 bytes)