Issue #42 new

[err!] Error getting description of /: Can't get field "subsystem" from /pe_opt_header

created an issue

While using hachoir-subfile against a file, i.e. ProcExp.exe from Sysinternals, produces an error on two files it says it found embedded "[err!] Error getting description of /: Can't get field "subsystem" from /pe_opt_header" . This error is produced both with and without supplying the '--parser=exe' option. The error stated above is displayed for two files it says it found and carved, both of which aren't actually valid PE files. My understanding is that once the magic is found (MZ) it does other sanity checks with pefile/hachoir-parser to try and validate if it's truly a PE file.

The other (4) files it finds/carves are valid PE files but I was wondering if this was a bug or just the way it works. When I open the (2) invalid PE files in a hex editor I see they have the keywords "MZ" and somewhere else in the entire file "PE" but they're out of context and just happen to be there.

*nix 'file' and 'trid' both make the same wrong assumption about them being valid PE files but using PEfile shows they're not PE files.

Comments (1)

  1. Robert Xiao

    Cause seems to be that the validation routine isn't strict enough. Seems like the best solution here is just to check that self.description works in the exe validation routine.

    Try adding

    try: self.description # check description for validity
    except Exception, e: return str(e)

    to the validate routine and see if that solves the problem.

  2. Log in to comment