* Try to detect incorrect Delayed Import.

+ TPEImage.ReadAnsiStringLen (to specify max possible string length).

Author: vdisasmdev

PE.Common.pas

@@ -56,6 +56,8 @@ interface
   TParserOptions = set of TParserOption;
 
 const
+  MAX_PATH_WIN = 260;
+
   SUSPICIOUS_MIN_LIMIT_EXPORTS = $10000;
   DEFAULT_SECTOR_SIZE          = 512;
   DEFAULT_PAGE_SIZE            = 4096;

PE.Image.pas

@@ -204,7 +204,10 @@   TPEImage = class
     procedure Skip(Count: integer);
 
     // Read 1-byte 0-terminated string.
-    function ReadAnsiString: String; overload;
+    function ReadAnsiString: String;
+
+    // MaxLen: 0 - no limit
+    function ReadAnsiStringLen(MaxLen: integer; out Len: integer; out Str: string): boolean;
 
     // Read 2-byte UTF-16 string with length prefix (2 bytes).
     function ReadUnicodeStringLenPfx2: String;
@@ -1183,28 +1186,56 @@ function TPEImage.ReadEx(var Buffer; Size: cardinal): boolean;
 
 function TPEImage.ReadAnsiString: string;
 var
-  len, available: uint32;
+  len: Integer;
+begin
+  if not ReadAnsiStringLen(0, len, result) then
+    result := '';
+end;
+
+function TPEImage.ReadAnsiStringLen(MaxLen: integer; out Len: integer; out Str: string): boolean;
+var
+  available: uint32;
+  pBegin, pCur, pEnd: PAnsiChar;
 begin
-  if Assigned(FCurrentSec) then
+  Len := 0;
+  Str := '';
+  Result := false;
+
+  if not Assigned(FCurrentSec) then
+    exit;
+
+  available := FCurrentSec.AllocatedSize - FCurrentOfs;
+
+  if (MaxLen <> 0) and (MaxLen < available) then
+    available := MaxLen;
+
+  pBegin := @FCurrentSec.Mem[FCurrentOfs];
+  pCur := pBegin;
+  pEnd := pBegin + available;
+  while pCur < pEnd do
   begin
-    available := FCurrentSec.AllocatedSize - FCurrentOfs;
-    len := 0;
-    while len < available do
+    if pCur^ = #0 then
     begin
-      if FCurrentSec.Mem[FCurrentOfs + len] = 0 then
-      begin
-        // Get string.
-        Result := String(PAnsiChar(@FCurrentSec.Mem[FCurrentOfs]));
-        // Move next.
-        inc(len);
-        inc(FPositionRVA, len);
-        inc(FCurrentOfs, len);
-        exit;
-      end;
-      inc(len);
+      Result := true;
+      break;
     end;
+    inc(pCur);
+  end;
+
+  Len := pCur - pBegin;
+
+  if Result then
+  begin
+    // String.
+    Str := string(pBegin);
+
+    // Include null at end.
+    inc(len);
+
+    // Move current position.
+    inc(FPositionRVA, Len);
+    inc(FCurrentOfs, Len);
   end;
-  exit('');
 end;
 
 function TPEImage.ReadUnicodeStringLenPfx2: string;

PE.Parser.ImportDelayed.pas

@@ -28,13 +28,12 @@ implementation
   PE.Imports.Func,
   PE.Imports.Lib;
 
-type
-  TFuncs = TList<TPEImportFunctionDelayed>;
-
-procedure ParseTable(
+// Testing mode: check if read fields are correct.
+function ParseTable(
   const PE: TPEImage;
   const Table: TDelayLoadDirectoryTable;
-  const Funcs: TFuncs);
+  Testing: boolean
+  ): boolean;
 var
   DllName: string;
   FnName: string;
@@ -43,23 +42,54 @@ procedure ParseTable(
   Ilt: TImportLookupTable;
   iFunc: uint32;
 var
+  iLen: integer;
   Ordinal: UInt16;
   Hint: UInt16 absolute Ordinal;
   Iat: TRVA;
-  SubValue: UInt32;
+  SubValue: uint32;
   Lib: TPEImportLibrary;
 begin
   if Table.UsesVA then
     SubValue := PE.ImageBase
   else
     SubValue := 0;
 
+  if Testing then
+  begin
+    if (Table.Name = 0) or (Table.Name < SubValue) then
+    begin
+      PE.Msg.Write('Delayed Import: Name address incorrect.');
+      exit(false);
+    end;
+
+    if (Table.DelayImportNameTable = 0) or (Table.DelayImportNameTable < SubValue) then
+    begin
+      PE.Msg.Write('Delayed Import: Name table address incorrect.');
+      exit(false);
+    end;
+
+    if (Table.DelayImportAddressTable = 0) or (Table.DelayImportAddressTable < SubValue) then
+    begin
+      PE.Msg.Write('Delayed Import: Address table incorrect.');
+      exit(false);
+    end;
+  end;
+
   if not PE.SeekRVA(Table.Name - SubValue) then
-    exit;
+    exit(false);
 
-  DllName := PE.ReadANSIString;
-  Lib := TPEImportLibrary.Create(DLLName);
-  PE.ImportsDelayed.Add(Lib);
+  if not PE.ReadAnsiStringLen(MAX_PATH_WIN, iLen, DllName) then
+    exit(false);
+
+  if not Testing then
+  begin
+    Lib := TPEImportLibrary.Create(DllName);
+    PE.ImportsDelayed.Add(Lib);
+  end
+  else
+  begin
+    Lib := nil; // compiler friendly
+  end;
 
   iFunc := 0;
   Iat := Table.DelayImportAddressTable - SubValue;
@@ -84,17 +114,26 @@ procedure ParseTable(
     begin
       // Import by name. Get hint/name
       if not PE.SeekRVA(HintNameRva - SubValue) then
-        raise Exception.Create('Error reading delayed import hint/name.');
+      begin
+        PE.Msg.Write('Delayed Import: incorrect Hint/Name RVA encountered.');
+        exit(false);
+      end;
+
       Hint := PE.ReadWord(2);
       FnName := PE.ReadANSIString;
     end;
 
-    Fn := TPEImportFunctionDelayed.Create(FnName, Ordinal);
-    Lib.Functions.Add(Fn);
+    if not Testing then
+    begin
+      Fn := TPEImportFunctionDelayed.Create(FnName, Ordinal);
+      Lib.Functions.Add(Fn);
+    end;
 
     inc(Iat, PE.ImageWordSize);
     inc(iFunc);
   end;
+
+  exit(true);
 end;
 
 function TPEImportDelayedParser.Parse: TParserResult;
@@ -104,33 +143,32 @@ function TPEImportDelayedParser.Parse: TParserResult;
   ofs: uint32;
   Table: TDelayLoadDirectoryTable;
   Tables: TList<TDelayLoadDirectoryTable>;
-  Funcs: TFuncs;
   TablesUseRVA: boolean;
 begin
   PE := TPEImage(FPE);
 
-  Result := PR_ERROR;
+  result := PR_ERROR;
 
   // If no imports, it's ok.
   if not PE.DataDirectories.Get(DDIR_DELAYIMPORT, @ddir) then
-    Exit(PR_OK);
+    exit(PR_OK);
   if ddir.IsEmpty then
-    Exit(PR_OK);
+    exit(PR_OK);
 
   // Seek import dir.
   if not PE.SeekRVA(ddir.VirtualAddress) then
-    Exit;
+    exit;
 
   Tables := TList<TDelayLoadDirectoryTable>.Create;
   try
 
     // Delay-load dir. tables.
     ofs := 0;
-    TablesUseRVA := True; // default, compiler-friendly
-    while True do
+    TablesUseRVA := true; // default, compiler-friendly
+    while true do
     begin
       if ofs > ddir.Size then
-        Exit(PR_ERROR);
+        exit(PR_ERROR);
 
       if not PE.ReadEx(Table, SizeOf(Table)) then
         break;
@@ -150,7 +188,7 @@ function TPEImportDelayedParser.Parse: TParserResult;
       begin
         // Normally all tables must use either VA or RVA. No mix allowed.
         // If mix found it must be not real table.
-        // For example, Delphi (some versions for sure) use(d) such optimization.
+        // For example, some Delphi versions used such optimization.
         break;
       end;
 
@@ -159,18 +197,13 @@ function TPEImportDelayedParser.Parse: TParserResult;
     end;
 
     // Parse tables.
-    if Tables.Count = 0 then
-      Exit(PR_OK);
-
-    Funcs := TFuncs.Create;
-    try
-      for Table in Tables do
-        ParseTable(PE, Table, Funcs);
-    finally
-      Funcs.Free;
-    end;
+    for Table in Tables do
+      // First test if fields are correct
+      if ParseTable(PE, Table, true) then
+        // Then do real reading.
+        ParseTable(PE, Table, false);
 
-    Result := PR_OK;
+    exit(PR_OK);
   finally
     Tables.Free;
   end;

PE.Types.Directories.pas

@@ -76,9 +76,8 @@ function TImageDataDirectory.Contain(rva: uint32): boolean;
 
 function TImageDataDirectory.IsEmpty: boolean;
 begin
-//  Result := (VirtualAddress = 0) or (Size = 0);
-  Result := (VirtualAddress = 0);
   // In some cases Size can be 0, but VirtualAddress will point to valid data.
+  Result := (VirtualAddress = 0);
 end;