Aug 012012
 

Source: http://waleedassar.blogspot.de/2012/06/ida-pro-and-coff-debug-info.html

In this post i will share something that may be considered as a bug in IDA. The bug is as follows:

If we manipulate the value of the “NumberOfSymbols” field in the “IMAGE_COFF_SYMBOLS_HEADER” structure, we can force IDA to abort processing the whole PE and quickly terminate.

When manipulating this field, just make sure to set a compatible value for the “SizeOfData” field in the “IMAGE_DEBUG_DIRECTORY” structure and also have a compatible file size by appending null bytes to the file end.

When calculating the required memory size for symbol entries using the spoofed value, IDA detects an overflow.

After clicking the ok button in the image above, IDA quickly terminates.
You can find a demo here. It has the “NumberOfSymbols” field set to 0xE38EEDB5 and the “SizeOfData” fied set to 0xFFFFF. It has been tested on IDA 6.2 Demo version.
A quick workaround is to temporarily disable the “loaders\dbg.ldw” module.
Any comments or ideas are very welcome.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)