Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

debug/pe: unable to parse most windows files at tip #16084

Closed
mirtchovski opened this issue Jun 16, 2016 · 9 comments
Closed

debug/pe: unable to parse most windows files at tip #16084

mirtchovski opened this issue Jun 16, 2016 · 9 comments
Labels
FrozenDueToAge
Milestone
Go1.7

Comments

@mirtchovski
Copy link
Contributor

Please answer these questions before submitting your issue. Thanks!

  1. What version of Go are you using (go version)?
    1.6.2 and 1.7
  2. What operating system and processor architecture are you using (go env)?
    $ go env
    GOARCH="amd64"
    GOBIN=""
    GOEXE=""
    GOHOSTARCH="amd64"
    GOHOSTOS="darwin"
    GOOS="darwin"
    GOPATH="/Users/aam"
    GORACE=""
    GOROOT="/Users/aam/go1.6.2"
    GOTOOLDIR="/Users/aam/go1.6.2/pkg/tool/darwin_amd64"
    GO15VENDOREXPERIMENT="1"
    CC="clang"
    GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fno-common"
    CXX="clang++"
    CGO_ENABLED="1"

and:

$ go env
GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/aam"
GORACE=""
GOROOT="/Users/aam/go"
GOTOOLDIR="/Users/aam/go/pkg/tool/darwin_amd64"
CC="clang"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -gno-record-gcc-switches -fno-common"
CXX="clang++"
CGO_ENABLED="1"

  1. What did you do?
    Compiled the attached simple program (cross-compiled for windows too). The PE binary is readable by debug/pe:

$ ./t1.6.2 t.exe
timeBeginPeriod:winmm.dll
WSAGetOverlappedResult:ws2_32.dll
NtWaitForSingleObject:ntdll.dll
CryptReleaseContext:advapi32.dll
[...]
$ ./t1.7 t.exe
timeBeginPeriod:winmm.dll
WSAGetOverlappedResult:ws2_32.dll
NtWaitForSingleObject:ntdll.dll
CryptReleaseContext:advapi32.dll
[...]

Unfortunately other binaries (attached) do not work:

$ ./t1.6.2 PsService.exe
$ ./t1.7 PsService.exe
can not create PE structure for PsService.exe: fail to read string table: unexpected EOF
$

  1. What did you expect to see?
    The nascent Go port of the pefile python script (https://github.com/erocarrera/pefile) available here: https://github.com/soluwalana/pefile-go is able to parse more from the file:

$ pefile-go PsService.exe
2016/06/16 10:58:13 Size of OptionalHeader
2016/06/16 10:58:13 0x26e7e == VERSION.dll
2016/06/16 10:58:13 0x26e8a == WS2_32.dll
2016/06/16 10:58:13 0x26eba == NETAPI32.dll
2016/06/16 10:58:13 0x26ef8 == MPR.dll
2016/06/16 10:58:13 0x2712c == KERNEL32.dll
2016/06/16 10:58:13 0x271d8 == USER32.dll
2016/06/16 10:58:13 0x2722e == GDI32.dll
2016/06/16 10:58:13 0x27244 == COMDLG32.dll
2016/06/16 10:58:13 0x274dc == ADVAPI32.dll
2016/06/16 10:58:13 0x0 == MZ?
2016/06/16 10:58:13 PsService.exe
2016/06/16 10:58:13 [IMAGE_DOS_HEADER]
0x0 0x0 E_magic 0x5A4D
0x2 0x2 E_cblp 0x90
0x4 0x4 E_cp 0x3
0x6 0x6 E_crlc 0x0
0x8 0x8 E_cparhd 0x4
0xA 0xA E_minalloc 0x0
0xC 0xC E_maxalloc 0xFFFF
0xE 0xE E_ss 0x0
0x10 0x10 E_sp 0xB8
0x12 0x12 E_csum 0x0
0x14 0x14 E_ip 0x0
0x16 0x16 E_cs 0x0
0x18 0x18 E_lfarlc 0x40
0x1A 0x1A E_ovno 0x0
0x1C 0x1C E_res
0x24 0x24 E_oemid 0x0
0x26 0x26 E_oeminfo 0x0
0x28 0x28 E_res2
0x3C 0x3C E_lfanew 0xE0
[...]
@mirtchovski
Copy link
Contributor Author

PsService.exe test file.

PsService.zip

@mirtchovski
Copy link
Contributor Author

Go test program:

$ cat /tmp/t.go 
package main

import (
    "debug/pe"
    "fmt"
    "os"
)

func main() {
    for _, v := range os.Args[1:] {
        f, err := pe.Open(v)
        if err != nil {
            fmt.Fprintf(os.Stderr, "can not create PE structure for %s: %v\n", v, err)
            continue
        }
        defer f.Close()

        libs, err := f.ImportedSymbols()
        if err != nil {
            fmt.Fprintf(os.Stderr, "can not get imported symbols: %v\n", err)
            continue
        }
        for _, v := range libs {
            fmt.Printf("%s\n", v)
        }
    }
}

@mirtchovski
Copy link
Contributor Author

Found an example that is readable by 1.6.2 but not readable by 1.7:

$ ./t1.7 test.exe 
can not create PE structure for test.exe: fail to read string table: unexpected EOF
$ ./t1.6.2 test.exe 
CreateMutexA:KERNEL32.dll
CreateMutexW:KERNEL32.dll
GetModuleHandleW:KERNEL32.dll
VirtualQuery:KERNEL32.dll
GetModuleFileNameW:KERNEL32.dll
GetProcessHeap:KERNEL32.dll
[...]

test.zip

@ianlancetaylor ianlancetaylor added this to the Go1.7 milestone Jun 16, 2016
@ianlancetaylor
Copy link
Contributor

CC @alexbrainman

@alexbrainman
Copy link
Member

All these executables have no symbol table and no string table. I will try and send a fix sometime today.

Alex

@alexbrainman
Copy link
Member

@mirtchovski please try https://go-review.googlesource.com/24200 to see if it fixes your problem. Thank you.

Alex

@gopherbot
Copy link

CL https://golang.org/cl/24200 mentions this issue.

@mirtchovski
Copy link
Contributor Author

@alexbrainman, while this makes 1.7 print the imported symbols for test.exe I still don't see any imported symbols for the first binary I attached: PsService.exe. According to https://github.com/erocarrera/pefile I expect to see (in different format, but still):

----------Imported symbols----------

[IMAGE_IMPORT_DESCRIPTOR]
0x252A4    0x0   OriginalFirstThunk:            0x26E18   
0x252A4    0x0   Characteristics:               0x26E18   
0x252A8    0x4   TimeDateStamp:                 0x0        [Thu Jan  1 00:00:00 1970 UTC]
0x252AC    0x8   ForwarderChain:                0x0       
0x252B0    0xC   Name:                          0x26E7E   
0x252B4    0x10  FirstThunk:                    0x202AC   

VERSION.dll.GetFileVersionInfoA Hint[0]
VERSION.dll.GetFileVersionInfoSizeA Hint[3]
VERSION.dll.VerQueryValueA Hint[13]

[IMAGE_IMPORT_DESCRIPTOR]
0x252B8    0x0   OriginalFirstThunk:            0x26E28   
0x252B8    0x0   Characteristics:               0x26E28   
0x252BC    0x4   TimeDateStamp:                 0x0        [Thu Jan  1 00:00:00 1970 UTC]
0x252C0    0x8   ForwarderChain:                0x0       
0x252C4    0xC   Name:                          0x26E8A   
0x252C8    0x10  FirstThunk:                    0x202BC   

WS2_32.dll.inet_ntoa Ordinal[12] (Imported by Ordinal)
WS2_32.dll.gethostbyname Ordinal[52] (Imported by Ordinal)
WS2_32.dll.gethostname Ordinal[57] (Imported by Ordinal)
WS2_32.dll.WSAStartup Ordinal[115] (Imported by Ordinal)

[IMAGE_IMPORT_DESCRIPTOR]
0x252CC    0x0   OriginalFirstThunk:            0x26DE0   
0x252CC    0x0   Characteristics:               0x26DE0   
0x252D0    0x4   TimeDateStamp:                 0x0        [Thu Jan  1 00:00:00 1970 UTC]
0x252D4    0x8   ForwarderChain:                0x0       
0x252D8    0xC   Name:                          0x26EBA   
0x252DC    0x10  FirstThunk:                    0x20274   

NETAPI32.dll.NetServerEnum Hint[213]
NETAPI32.dll.NetApiBufferFree Hint[100]

[IMAGE_IMPORT_DESCRIPTOR]
0x252E0    0x0   OriginalFirstThunk:            0x26DD4   
0x252E0    0x0   Characteristics:               0x26DD4   
0x252E4    0x4   TimeDateStamp:                 0x0        [Thu Jan  1 00:00:00 1970 UTC]
0x252E8    0x8   ForwarderChain:                0x0       
0x252EC    0xC   Name:                          0x26EF8   
0x252F0    0x10  FirstThunk:                    0x20268   

MPR.dll.WNetAddConnection2A Hint[5]
MPR.dll.WNetCancelConnection2A Hint[11]

[IMAGE_IMPORT_DESCRIPTOR]
0x252F4    0x0   OriginalFirstThunk:            0x26C14   
0x252F4    0x0   Characteristics:               0x26C14   
0x252F8    0x4   TimeDateStamp:                 0x0        [Thu Jan  1 00:00:00 1970 UTC]
0x252FC    0x8   ForwarderChain:                0x0       
0x25300    0xC   Name:                          0x2712C   
0x25304    0x10  FirstThunk:                    0x200A8   

KERNEL32.dll.WideCharToMultiByte Hint[1248]
KERNEL32.dll.GetVersion Hint[672]
KERNEL32.dll.GetModuleFileNameA Hint[528]
KERNEL32.dll.SetEvent Hint[1065]
KERNEL32.dll.ConnectNamedPipe Hint[101]
KERNEL32.dll.lstrlenA Hint[1307]
KERNEL32.dll.EnumSystemLocalesA Hint[266]
KERNEL32.dll.GetCurrentProcess Hint[445]
KERNEL32.dll.SizeofResource Hint[1152]
KERNEL32.dll.GetDateFormatA Hint[451]
KERNEL32.dll.GetTimeFormatA Hint[659]
KERNEL32.dll.GetStringTypeW Hint[614]
KERNEL32.dll.GetStringTypeA Hint[611]
[...]

@alexbrainman
Copy link
Member

I still don't see any imported symbols for the first binary I attached: PsService.exe.

I filled #16103 for that. I am pretty sure it is always been like that.

Alex

@koron koron mentioned this issue Jun 18, 2016
Closed
@golang golang locked and limited conversation to collaborators Jun 19, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
Go1.7
Development

No branches or pull requests
4 participants
@mirtchovski @ianlancetaylor @gopherbot @alexbrainman