Fix bug with data after section when sections have identical names

mandiant · Oct 26, 2022 · cc825c7 · cc825c7
1 parent 18266f5
commit cc825c7
Show file tree

Hide file tree

Showing 6 changed files with 36 additions and 30 deletions.
diff --git a/debug/elf/file.go b/debug/elf/file.go
@@ -589,21 +589,23 @@ func getString(section []byte, start int) (string, bool) {
 	return "", false
 }
 
-func (f *File) DataAfterSection(name string) []byte {
+func (f *File) DataAfterSection(target *Section) []byte {
 	data := []byte{}
 	found := false
 	for _, s := range f.Sections {
-		if s.Name == name {
+		if s.Addr == target.Addr && s.Name == target.Name {
 			found = true
 		}
 
-		raw, err := s.Data()
-		if found && raw != nil {
-			data = append(data, raw[:]...)
-		}
+		if found {
+			raw, err := s.Data()
+			if raw != nil {
+				data = append(data, raw[:]...)
+			}
 
-		if err != nil {
-			break
+			if err != nil {
+				break
+			}
 		}
 	}
 	return data

diff --git a/debug/macho/file.go b/debug/macho/file.go
@@ -572,21 +572,23 @@ func (f *File) Segment(name string) *Segment {
 	return nil
 }
 
-func (f *File) DataAfterSection(name string) []byte {
+func (f *File) DataAfterSection(target *Section) []byte {
 	data := []byte{}
 	found := false
 	for _, s := range f.Sections {
-		if s.Name == name {
+		if s.Addr == target.Addr && s.Name == target.Name {
 			found = true
 		}
 
-		raw, err := s.Data()
-		if found && raw != nil {
-			data = append(data, raw[:]...)
-		}
+		if found {
+			raw, err := s.Data()
+			if raw != nil {
+				data = append(data, raw[:]...)
+			}
 
-		if err != nil {
-			break
+			if err != nil {
+				break
+			}
 		}
 	}
 	return data

diff --git a/debug/pe/file.go b/debug/pe/file.go
@@ -211,21 +211,23 @@ func (f *File) Section(name string) *Section {
 	return nil
 }
 
-func (f *File) DataAfterSection(name string) []byte {
+func (f *File) DataAfterSection(target *Section) []byte {
 	data := []byte{}
 	found := false
 	for _, s := range f.Sections {
-		if s.Name == name {
+		if s.VirtualAddress == target.VirtualAddress && s.Name == target.Name {
 			found = true
 		}
 
-		raw, err := s.Data()
-		if found && raw != nil {
-			data = append(data, raw[:]...)
-		}
+		if found {
+			raw, err := s.Data()
+			if raw != nil {
+				data = append(data, raw[:]...)
+			}
 
-		if err != nil {
-			break
+			if err != nil {
+				break
+			}
 		}
 	}
 	return data

diff --git a/objfile/elf.go b/objfile/elf.go
@@ -105,7 +105,7 @@ ExitScan:
 		}
 
 		// malware can split the pclntab across multiple sections, re-merge
-		data := f.elf.DataAfterSection(sec.Name)
+		data := f.elf.DataAfterSection(sec)
 		if !foundpcln {
 			// https://github.com/golang/go/blob/2cb9042dc2d5fdf6013305a077d013dbbfbaac06/src/debug/gosym/pclntab.go#L172
 			pclntab_sigs := [][]byte{[]byte("\xFB\xFF\xFF\xFF\x00\x00"), []byte("\xFA\xFF\xFF\xFF\x00\x00"), []byte("\xF0\xFF\xFF\xFF\x00\x00"),
@@ -190,7 +190,7 @@ scan:
 		}
 
 		// malware can split the pclntab across multiple sections, re-merge
-		data := f.elf.DataAfterSection(sec.Name)
+		data := f.elf.DataAfterSection(sec)
 		if !foundsym {
 			// fall back to scanning for structure using address of pclntab, which is first value in struc
 			var pclntabVA_bytes []byte

diff --git a/objfile/macho.go b/objfile/macho.go
@@ -122,7 +122,7 @@ func (f *machoFile) pcln_scan() (candidates []PclntabCandidate, err error) {
 ExitScan:
 	for _, sec := range f.macho.Sections {
 		// malware can split the pclntab across multiple sections, re-merge
-		data := f.macho.DataAfterSection(sec.Name)
+		data := f.macho.DataAfterSection(sec)
 
 		if !foundpcln {
 			// https://github.com/golang/go/blob/2cb9042dc2d5fdf6013305a077d013dbbfbaac06/src/debug/gosym/pclntab.go#L172
@@ -205,7 +205,7 @@ func (f *machoFile) moduledata_scan(pclntabVA uint64, is64bit bool, littleendian
 scan:
 	for _, sec := range f.macho.Sections {
 		// malware can split the pclntab across multiple sections, re-merge
-		data := f.macho.DataAfterSection(sec.Name)
+		data := f.macho.DataAfterSection(sec)
 		if !foundsym {
 			// fall back to scanning for structure using address of pclntab, which is first value in struc
 			var pclntabVA_bytes []byte

diff --git a/objfile/pe.go b/objfile/pe.go
@@ -157,7 +157,7 @@ func (f *peFile) pcln_scan() (candidates []PclntabCandidate, err error) {
 ExitScan:
 	for _, sec := range f.pe.Sections {
 		// malware can split the pclntab across multiple sections, re-merge
-		data := f.pe.DataAfterSection(sec.Name)
+		data := f.pe.DataAfterSection(sec)
 
 		if !foundpcln {
 			// https://github.com/golang/go/blob/2cb9042dc2d5fdf6013305a077d013dbbfbaac06/src/debug/gosym/pclntab.go#L172
@@ -250,7 +250,7 @@ func (f *peFile) moduledata_scan(pclntabVA uint64, is64bit bool, littleendian bo
 scan:
 	for _, sec := range f.pe.Sections {
 		// malware can split the pclntab across multiple sections, re-merge
-		data := f.pe.DataAfterSection(sec.Name)
+		data := f.pe.DataAfterSection(sec)
 
 		if !foundmodule {
 			// fall back to scanning for structure using address of pclntab, which is first value in struc