Commit 7ccfa70

fix(processors): Fix parsing of image file characteristics
If the file can be opened, the PE metadata is parsed by directly accessing the file. Otherwise, raw device access is used to read the file data blob, which is then passed to the PE parser.
1 parent b600df7 commit 7ccfa70

1 file changed

+19
-17
lines changed

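--- a/internal/etw/processors/processor.go
+++ b/internal/etw/processors/processor.go
@@ -84,41 +84,43 @@ func (typ ProcessorType) String() string {
 }
 
 // parseImageFileCharacteristics parses the PE structure for the file path
-// residing in the given event parameters. The preferred method for getting
-// the file data is accessing the raw device and consuming the blob data.
-// If this operation fails, we fallback to using the regular file access.
+// residing in the given event parameters. The preferred method for reading
+// the PE metadata is by directly accessing the file.
+// If this operation fails, the file data is read form the raw device and
+// the blob is passed to the PE parser.
 // The given event is decorated with various parameters extracted from PE
 // data. Most notably, parameters that indicate whether the file is a DLL,
 // executable image, or a Windows driver.
 func parseImageFileCharacteristics(e *kevent.Kevent) error {
+	var pefile *pe.PE
 	filename := e.GetParamAsString(kparams.FileName)
-	data := make([]byte, os.Getpagesize())
 	f, err := os.Open(filename)
 	if err != nil {
 		// read file data blob from raw device
 		// if the regular file access fails
 		ntfs := libntfs.NewFS()
-		var n int
-		data, n, err = ntfs.Read(filename, 0, int64(os.Getpagesize()))
+		data, n, err := ntfs.Read(filename, 0, int64(os.Getpagesize()))
 		defer ntfs.Close()
 		if err != nil {
 			return err
 		}
 		if n > 0 {
 			data = data[:n]
 		}
-		goto parsePe
-	}
-	defer f.Close()
-	if _, err = f.Read(data); err != nil {
-		return err
-	}
-parsePe:
-	// parse image file
-	pefile, err := pe.ParseBytes(data, pe.WithSections(), pe.WithSymbols())
-	if err != nil {
-		return err
+		// parse PE file from byte slice
+		pefile, err = pe.ParseBytes(data, pe.WithSections(), pe.WithSymbols())
+		if err != nil {
+			return err
+		}
+	} else {
+		defer f.Close()
+		// parse PE file from on-disk file
+		pefile, err = pe.ParseFile(filename, pe.WithSections(), pe.WithSymbols())
+		if err != nil {
+			return err
+		}
 	}
+
 	// append parameters
 	e.AppendParam(kparams.FileIsDLL, kparams.Bool, pefile.IsDLL)
 	e.AppendParam(kparams.FileIsDriver, kparams.Bool, pefile.IsDriver)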
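Review bot: In the new else branch the handle returned by `os.Open` is never read — `pe.ParseFile(filename, ...)` reopens the path by name — so the probe only proves the file was openable a moment earlier, and an image replaced or locked between the two opens is parsed (or fails) differently from what was checked; if the pe package offers a reader-based parser, parse from `f` instead, otherwise add a comment next to `defer f.Close()` such as `// f is only a reachability probe; ParseFile reopens the path` so the idle handle is not mistaken for the parse input. The two branches also do not consume the same bytes: the raw-device fallback still reads only `os.Getpagesize()` bytes yet requests `WithSections()` and `WithSymbols()`, while `ParseFile` presumably sees the whole file, so a PE whose section or symbol table lies beyond the first page can yield a different result — or an error — depending solely on which branch ran; consider reading the full image size in the fallback or documenting the limitation in the function comment. The new doc comment also reads `read form the raw device` — should be `from`. parseImageFileCharacteristics continues past the end of the hunk.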
