PE: Possible invalid value for security_cookie

[Wenzel]

Describe the bug
requesting the load_configuration.security_cookie can return an invalid value.

To Reproduce
Steps to reproduce the behavior:

• download cmd.zip and uncompress it to get cmd.exe (winxp executable
• load it with lief in python
• get the security cookie

In [1]: import lief

In [2]: pe = lief.parse("/home/wenzel/local/cmd.exe")
Unable to find the section associated with BOUND_IMPORT

In [3]: pe.load_configuration.security_cookie
Out[3]: 1255357304

Expected behavior
The issue is that winchecksec is telling me that cmd.exe doesn't have a stack cookie:

$ winchecksec cmd.exe
Dynamic Base    : "NotPresent"
ASLR            : "NotPresent"
High Entropy VA : "NotPresent"
Force Integrity : "NotPresent"
Isolation       : "Present"
NX              : "NotPresent"
SEH             : "Present"
CFG             : "NotPresent"
RFG             : "NotPresent"
SafeSEH         : "NotPresent"
GS              : "NotPresent"
Authenticode    : "NotPresent"
.NET            : "NotPresent"

And winchecksec GS check is implemented here, by verifying that the security cookie is != 0.
So, assuming that winchecksec is correct, lief should return 0 and not 1255357304

Environment (please complete the following information):

• System and Version : Ubuntu 20.04
• Target format PE
• LIEF commit version: 0.11.0-f58605f but also reproductible with 0.10.0

Thanks !

[sudhackar]

I looked at this issue. I used pefile as a reference since I have used it in the past

In [1]: import pefile

In [2]: pe = pefile.PE("/tmp/cmd.exe")

In [3]: hex(pe.DIRECTORY_ENTRY_LOAD_CONFIG.struct.SecurityCookie)
Out[3]: '0x4ad33b78'

pestudio says the file had

Looking at this I looked at other implementations and libraries I have looked at in the past -
https://github.com/saferwall/pe/blob/main/loadconfig.go#L118
matches the size 0x48 identified by the pestudio and it has a SecurityCookie field and building a sample program like such also prints the same cookie

package main

import (
        "log"

        peparser "github.com/saferwall/pe"
)

func main() {
        filename := "/tmp/cmd.exe"
        pe, err := peparser.New(filename, nil)
        if err != nil {
                log.Fatalf("Error while opening file: %s, reason: %v", filename, err)
        }

        err = pe.Parse()
        if err != nil {
                log.Fatalf("Error while parsing file: %s, reason: %v", filename, err)
        }

        log.Printf("%x\n", pe.LoadConfig.LoadCfgStruct.(peparser.ImageLoadConfigDirectory32v2).SecurityCookie)
}

(test3) [petest] ./petest
2021/11/30 13:52:50 4ad33b78

I don't know what to use as a source of truth maybe @Wenzel can help?

[sudhackar]

Also are you sure you ran winchecksec with this attached file?

[build] ./winchecksec -j /tmp/cmd.exe | jq -r ".[].mitigations.gs.presence"
Present
[build] ./winchecksec /tmp/cmd.exe
Results for: /tmp/cmd.exe
Dynamic Base    : "NotPresent"
ASLR            : "NotPresent"
High Entropy VA : "NotPresent"
Force Integrity : "NotPresent"
Isolation       : "Present"
NX              : "NotPresent"
SEH             : "Present"
CFG             : "NotPresent"
RFG             : "NotPresent"
SafeSEH         : "Present"
GS              : "Present"
Authenticode    : "NotPresent"
.NET            : "NotPresent"
[build] md5sum /tmp/cmd.exe
eeb024f2c81f0d55936fb825d21a91d6  /tmp/cmd.exe

[sudhackar]

This is what IDA thinks as well

[romainthomas]

I guess this is fixed now.