Resource Validator — Requirements

[malx-labs]

Resource Validator — Requirements Draft

The PE resource directory (.rsrc) is the most complex hierarchical structure in the PE format. A world‑class validator must ensure the resource tree is structurally valid, non‑overlapping, bounds‑checked, and non‑recursive, while remaining conservative and noise‑free.

Below is the full requirement set.

---

1. Inputs

The validator consumes:

• analysis["resources"]
  Parsed resource directory metadata (if available)
• analysis["sections"]
  For bounds + overlap checks
• analysis["file_size"]
  For raw bounds checks
• analysis["overlay_offset"]
  For overlay overlap detection
• metadata["optional_header"]["size_of_headers"]
  For header overlap detection

The validator must gracefully handle missing or partial metadata.

---

2. High‑Level Goals

The resource validator must detect:

• structural corruption
• invalid offsets
• invalid directory entries
• invalid data entries
• overlaps with other regions
• recursive / cyclic resource trees
• resource data out of file bounds
• resource directory out of section bounds

It must not:

• perform semantic checks (e.g., icon format, version info correctness)
• duplicate RVA graph checks
• produce cascading anomalies
• treat high entropy as a structural anomaly (entropy validator handles that)

---

3. Reason Codes Required

The validator must emit the following anomalies:

Directory‑level

• RESOURCE_DIRECTORY_INVALID
  Root directory missing required fields or malformed.

• RESOURCE_DIRECTORY_OUT_OF_BOUNDS
  Directory RVA/size outside .rsrc section or file.

• RESOURCE_DIRECTORY_LOOP
  Recursive or cyclic directory references detected.

Entry‑level

• RESOURCE_ENTRY_INVALID
  Entry missing required fields (name/id, offset, type).

• RESOURCE_ENTRY_OUT_OF_BOUNDS
  Entry points to a directory or data entry outside .rsrc.

Data‑level

• RESOURCE_DATA_OUT_OF_BOUNDS
  OffsetToData + Size exceeds file size or section bounds.

• RESOURCE_DATA_OVERLAPS_OTHER_DATA
  Resource data overlaps another section, overlay, or header.

Optional (if metadata available)

• RESOURCE_STRING_TABLE_CORRUPT
  String table entries malformed or out of bounds.

---

4. Structural Rules to Enforce

4.1 Directory Validity

• Root directory must exist and contain:
  • Characteristics
  • TimeDateStamp
  • MajorVersion
  • MinorVersion
  • NumberOfNamedEntries
  • NumberOfIdEntries
• Total entries = sum of named + ID entries
• Directory header must be within .rsrc

If any of these fail → RESOURCE_DIRECTORY_INVALID

---

4.2 Directory Bounds

For each directory:

• Directory RVA must lie inside .rsrc
• Directory header must not cross section boundary
• Directory must not overlap overlay or headers

If violated → RESOURCE_DIRECTORY_OUT_OF_BOUNDS

---

4.3 Entry Validity

Each entry must have:

• Name or ID
• OffsetToData or OffsetToDirectory
• Correct high‑bit flag (0x80000000) for directory entries

If malformed → RESOURCE_ENTRY_INVALID

---

4.4 Entry Bounds

For each entry:

• Target RVA must lie inside .rsrc
• Target must not exceed section bounds

If violated → RESOURCE_ENTRY_OUT_OF_BOUNDS

---

4.5 Data Entry Bounds

For each data entry:

• OffsetToData must be a valid file offset
• OffsetToData + Size must be ≤ file size
• Must not overlap:
  • headers
  • other sections
  • overlay

If violated → RESOURCE_DATA_OUT_OF_BOUNDS or RESOURCE_DATA_OVERLAPS_OTHER_DATA

---

4.6 Cycle Detection

Resource directories form a tree.
Cycles indicate corruption or malicious tampering.

If a directory is visited twice → RESOURCE_DIRECTORY_LOOP

---

4.7 Optional: String Table Validation

If metadata includes parsed string tables:

• Validate string entry count
• Validate offsets
• Validate UTF‑16 length fields

If malformed → RESOURCE_STRING_TABLE_CORRUPT

---

5. Noise‑Reduction Rules

To match your structural philosophy:

• If the root directory is invalid → stop early
• If a directory is out of bounds → do not descend into it
• If an entry is invalid → do not follow it
• If a data entry is out of bounds → do not check overlaps
• Never emit more than one anomaly per corrupted node

This keeps the validator deterministic and non‑noisy.

---

6. Tests Required

Must pass

• Valid resource tree
• Missing .rsrc section
• Empty resource directory
• Resource data inside bounds
• Resource directory inside bounds
• No cycles

Must detect

• Directory out of bounds
• Entry out of bounds
• Data entry out of bounds
• Overlap with overlay
• Overlap with section
• Cyclic directory
• Corrupt string table (if metadata exists)