A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #30314  by Mondragon
 Sun May 07, 2017 2:38 am
I analyze malware and much of the time I get this error. What are some causes of this error? I inspect the file in HxD, and many times the PE header seems to be intact. I also try on x64 and x86.
 #30317  by zerosum0x0
 Sun May 07, 2017 4:15 pm
There are many reasons which could possibly be the problem. You'll need to reverse Ldr* functions in ntdll.dll, or maybe take a look at ReactOS Ldr code.

Maybe if you post a sample we can see which headers look bad.

At any rate, here is a list of some relevant NT status codes:
0x4000000E
STATUS_IMAGE_MACHINE_TYPE_MISMATCH
{Machine Type Mismatch} The image file %hs is valid but is for a machine type other than the current machine. Select OK to continue, or CANCEL to fail the DLL load.

0x40000023
STATUS_IMAGE_MACHINE_TYPE_MISMATCH_EXE
{Machine Type Mismatch} The image file %hs is valid but is for a machine type other than the current machine.

0xC000007B
STATUS_INVALID_IMAGE_FORMAT
{Bad Image} %hs is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support.

0xC000012E
STATUS_INVALID_IMAGE_LE_FORMAT
The specified image file did not have the correct format: it appears to be LE format.

0xC000012F
STATUS_INVALID_IMAGE_NOT_MZ
The specified image file did not have the correct format: it did not have an initial MZ.

0xC0000130
STATUS_INVALID_IMAGE_PROTECT
The specified image file did not have the correct format: it did not have a proper e_lfarlc in the MZ header.

0xC0000131
STATUS_INVALID_IMAGE_WIN_16
The specified image file did not have the correct format: it appears to be a 16-bit Windows image.

0xC00001A3
STATUS_IMAGE_SUBSYSTEM_NOT_PRESENT
The subsystem needed to support the image type is not present.

0xC0000221
STATUS_IMAGE_CHECKSUM_MISMATCH
{Bad Image Checksum} The image %hs is possibly corrupt. The header checksum does not match the computed checksum.

0xC0000249
STATUS_IMAGE_MP_UP_MISMATCH
{UP/MP Image Mismatch} The image %hs has been modified for use on a uniprocessor system, but you are running it on a multiprocessor machine. Reinstall the image file.

0xC0000251
STATUS_BAD_DLL_ENTRYPOINT
{Invalid DLL Entrypoint} The dynamic link library %hs is not written correctly. The stack pointer has been left in an inconsistent state. The entry point should be declared as WINAPI or STDCALL. Select YES to fail the DLL load. Select NO to continue execution. Selecting NO might cause the application to operate incorrectly.

0xC0000359
STATUS_INVALID_IMAGE_WIN_32
The specified image file did not have the correct format; it appears to be a 32-bit Windows image.

0xC000035A
STATUS_INVALID_IMAGE_WIN_64
The specified image file did not have the correct format; it appears to be a 64-bit Windows image.
 #30319  by Brock
 Tue May 09, 2017 7:22 pm
You might start by statically analyzing the program in question with a tool like CFF Explorer and looking for any invalid values contained within the image's PE structures, assuming an unpacked sample. These fields are usually highlighted in red by the program to give you a visual indication of "invalid" data entries and will save you a lot of time before you start digging further into dynamic analysis (running the actual sample). If you're still getting the error you describe yet everything "looks" alright to you, definitely investigate the loader functions as mentioned by zerosum0x0 as a next step down the chain. Also, you can upload your sample if you feel inclined so that we can see for ourselves what you're dealing with. Good day
 #31008  by Mondragon
 Sat Nov 18, 2017 11:32 pm
Brock wrote: You might start by statically analyzing the program in question with a tool like CFF Explorer and looking for any invalid values contained within the image's PE structures, assuming an unpacked sample. These fields are usually highlighted in red by the program to give you a visual indication of "invalid" data entries and will save you a lot of time before you start digging further into dynamic analysis (running the actual sample). If you're still getting the error you describe yet everything "looks" alright to you, definitely investigate the loader functions as mentioned by zerosum0x0 as a next step down the chain. Also, you can upload your sample if you feel inclined so that we can see for ourselves what you're dealing with. Good day
Thank you, guys. Gosh, I forgot I posted this a while ago, but I ended up doing what you suggested, and even reversing/studying the NtCreateSection code which is responsible for most of the PE header checks. What I found out was that the header was intact but the sections were corrupted and screwing the alignment up.
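Added example, not code from the thread or from any poster: a small static checker that mirrors a subset of the checks the loader performs before mapping a PE, reporting which of the status codes listed above an image would trip, including the section-alignment and overlap conditions that Mondragon found in his sample. The `build_pe` helper constructs a minimal PE32+ in memory purely so the checker can be exercised offline; header offsets follow the PE/COFF layout, and the thresholds used for FileAlignment are assumptions about the loader's rules, not verified against ntdll.

```python
import struct
# NT status codes from the list above, plus the two machine types relevant here
STATUS_INVALID_IMAGE_NOT_MZ, STATUS_INVALID_IMAGE_PROTECT = 0xC000012F, 0xC0000130
STATUS_INVALID_IMAGE_FORMAT, STATUS_IMAGE_MACHINE_TYPE_MISMATCH = 0xC000007B, 0x4000000E
IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64 = 0x14C, 0x8664

def check_pe(data, host_machine=IMAGE_FILE_MACHINE_AMD64):
    """Return (status, reason); status 0 means the image passed every check made here."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return STATUS_INVALID_IMAGE_NOT_MZ, "no MZ signature"
    e_lfarlc, e_lfanew = struct.unpack_from("<H34xI", data, 0x18)
    if e_lfarlc < 0x40:  # relocation table inside the DOS header: a DOS-only image
        return STATUS_INVALID_IMAGE_PROTECT, "e_lfarlc < 0x40"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return STATUS_INVALID_IMAGE_FORMAT, "bad e_lfanew or PE signature"
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if machine != host_machine:
        return STATUS_IMAGE_MACHINE_TYPE_MISMATCH, f"machine 0x{machine:X}"
    opt = e_lfanew + 24  # optional header; the offsets used below are the same for PE32 and PE32+
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):
        return STATUS_INVALID_IMAGE_FORMAT, "bad optional header magic"
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_of_image, prev_end = struct.unpack_from("<II", data, opt + 56)  # SizeOfImage, SizeOfHeaders
    if file_align & (file_align - 1) or not 0x200 <= file_align <= 0x10000 or sect_align < file_align:
        return STATUS_INVALID_IMAGE_FORMAT, f"alignment sect=0x{sect_align:X} file=0x{file_align:X}"
    if opt + opt_size + 40 * nsect > len(data):
        return STATUS_INVALID_IMAGE_FORMAT, "section table runs past end of file"
    for i in range(nsect):  # sections: aligned, ascending, non-overlapping, inside image and file
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        vsize = vsize or rawsize  # loader falls back to SizeOfRawData when VirtualSize is 0
        if va % sect_align or va < prev_end or va + vsize > size_of_image:
            return STATUS_INVALID_IMAGE_FORMAT, f"{name!r} VirtualAddress 0x{va:X} misaligned or overlapping"
        if rawsize and (rawptr % file_align or rawptr + rawsize > len(data)):
            return STATUS_INVALID_IMAGE_FORMAT, f"{name!r} raw data 0x{rawptr:X}+0x{rawsize:X} outside file"
        prev_end = va + vsize
    return 0, "ok"

def build_pe(sections, machine=IMAGE_FILE_MACHINE_AMD64, sect_align=0x1000, file_align=0x200):
    """Constructed minimal PE32+ (not a real sample) so check_pe can be exercised offline.
    sections: list of (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)."""
    dos = bytearray(b"MZ") + bytes(0x3E)
    struct.pack_into("<H34xI", dos, 0x18, 0x40, 0x40)  # e_lfarlc, e_lfanew
    opt = bytearray(240)
    struct.pack_into("<H30xII", opt, 0, 0x20B, sect_align, file_align)  # magic, alignments
    last = max((va + max(vs, rs) for _, va, vs, _, rs in sections), default=0)
    struct.pack_into("<II", opt, 56, -(-last // sect_align) * sect_align, file_align)
    fh = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, len(opt), 0x22)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, va, vs, rp, rs in sections)
    img = bytes(dos + b"PE\0\0" + fh + opt + table)
    return img + bytes(max(0, max((rp + rs for *_, rp, rs in sections), default=0) - len(img)))
```

Run it over a sample before debugging: a non-zero status tells you which loader check fails, and the reason string names the offending section so you can compare it against what CFF Explorer flags.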