This repository was archived by the owner on Jul 6, 2024. It is now read-only.
This repository was archived by the owner on Jul 6, 2024. It is now read-only.
Index mapping entry count off by several hundred in some cases #16
Description
In some mapping files I encountered, the mapping_entry_count is too high by several hundred entries, causing an EOF error when trying to parse it (https://github.com/fireeye/flare-wmi/blob/master/python-cim/cim/cim.py#L55).
This seems to only happens for the index mapping (hence the EOF). When "bruteforcing" (calculating backwards from the end of the file) the free_dword_count field, you can see that the actual amount of mapping entries should be way lower.
I haven't found any hint on how to calculate this offset, so I was hoping maybe you spotted something while researching the format that could explain this.
Unfortunately I'm unable to share said "corrupt" files. They still seem to work fine as far as Windows is concerned, though.