Playing with section names…

This post breaks my old tool PESectionExtractor.pl.

Any part of the .exe structure can be controlled by an attacker. This includes imported DLL names, imported function names, PDB paths, as well as section names.

My tool extracts PE sections by walking through them one by one and then dumps them to a file that is named according to the following scheme:

  • filename_sectionname_fileoffset_filesize_sectionflags

It works all and nice for your typical scenario, but fails miserably when a section name includes a colon e.g. .text:xy.

As you may guess the file name written by will be saved as an ADS e.g:

C:\test\test.exe_.text:xy_00000400_00001200_XR_CODE.dat

So, if you extract sections from PE files in an automatic way and use section name extracted from the file to build an output file name you may need to ensure colons are replaced with something else.

Fixed tool here.