Tuesday, April 10, 2012

OllyDbg NumberOfSections Crash

In this post I will be discussing another bug that I found in OllyDbg. The idea came to my mind while debugging link.exe shipped with Microsoft Visual Studio 2008.

Debugging link.exe, I was amazed to see that the maximum number of sections a PE file can hold is 0xFEFF (as assumed by link.exe), not 96 (0x60 hex). At first I thought that I had an old copy of the PE/COFF documentation, or that it was a mistake, since the documentation says "the Windows loader limits the number of sections to 96".

By creating a PE file with 97 sections, I found out that the 96-section limit applies to Windows XP but not to Windows 7, 64-bit.
I quickly asked myself "How will Olly handle that?!!!".

I quickly opened Olly to debug another instance of it and went to the PE parsing code. See the image below.
As you can see in the image above, Olly takes 0x1FFF (8191 decimal) as the maximum number of sections. That's cool!!
The C code looks something like this. See the image below.

As you can see, if we give it an executable with 0x2000 (8192 decimal) sections or more, Olly will crash.

Here you can find a Proof Of Concept.

Material in this post has been tried on Windows 7 (Wow64) and OllyDbg v1.10. I will be glad if someone gives it a shot on Windows 7, 32-bit, or Windows Vista.

Update:

Summary:
1) Maximum number of sections that the PE loader of Windows XP supports is 0x60 (96 decimal).
2) Maximum number of sections that the PE loader of Windows Vista and later supports is 0xFFFF.
3) Maximum number of sections that OllyDbg v1.10 supports is 0x1FFF (8191 decimal).
4) Maximum number of sections that link.exe (dumpbin.exe) of Visual Studio 2008 supports is 0xFEFF.
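As an added example (not code from the post or from OllyDbg), here is a small Python check that reads NumberOfSections from the COFF file header, compares it against the limit a given parser is known to enforce, and verifies that the section table actually fits inside the file, so a header-supplied count is rejected rather than trusted. The limit table and the minimal PE bytes are constructed here from the numbers in the summary; the function names are assumptions of this example.

```python
import struct

# Section-count limits from the post's summary, keyed by the parser that enforces them
SECTION_LIMITS = {
    "xp_loader": 0x60,        # Windows XP PE loader
    "vista_loader": 0xFFFF,   # Windows Vista and later
    "ollydbg_1_10": 0x1FFF,   # OllyDbg v1.10 fixed section budget
    "link_exe_2008": 0xFEFF,  # link.exe / dumpbin.exe of Visual Studio 2008
}
SECTION_HEADER_SIZE = 40      # sizeof(IMAGE_SECTION_HEADER)
FILE_HEADER_FMT = "<HHIIIHH"  # IMAGE_FILE_HEADER: Machine, NumberOfSections,
                              # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
                              # SizeOfOptionalHeader, Characteristics

def check_section_count(data, limit):
    """Parse the COFF file header and report whether NumberOfSections is within
    `limit` and whether the section table fits in the file.
    Returns (number_of_sections, problems); an empty problems list means OK."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None, ["not an MZ file"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None, ["bad PE signature or e_lfanew out of range"]
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER_FMT, data, e_lfanew + 4)
    problems = []
    if nsec > limit:
        problems.append("NumberOfSections %#x exceeds parser limit %#x" % (nsec, limit))
    # Section table starts right after the optional header; it must end inside the file
    table_end = e_lfanew + 24 + opt_size + nsec * SECTION_HEADER_SIZE
    if table_end > len(data):
        problems.append("section table ends at %#x, past EOF at %#x" % (table_end, len(data)))
    return nsec, problems

def build_sample(nsec):
    """Constructed minimal PE image for testing: MZ stub with e_lfanew = 0x40,
    PE signature, file header with a zero-sized optional header, and nsec
    zeroed section headers. Not a loadable executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    fh = struct.pack(FILE_HEADER_FMT, 0x14C, nsec, 0, 0, 0, 0, 0x102)
    return dos + b"PE\0\0" + fh + b"\0" * (nsec * SECTION_HEADER_SIZE)

if __name__ == "__main__":
    for count in (3, 97, 0x2000):
        for name, limit in SECTION_LIMITS.items():
            nsec, problems = check_section_count(build_sample(count), limit)
            print("%-14s sections=%#06x -> %s" % (name, nsec, problems or "ok"))
```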

You can follow me on Twitter @waleedassar

4 comments:

  1. I'm just amazed of how many vulnerabilities are hidden inside Olly, haha.

  2. and maximum number of sections that Windows will support (Vista and later) is 0xffff!

    1. It is so weird that PE loader (of recent Windows versions) accepts files with up to 0xFFFF sections while dumpbin (link.exe /dump) of VS 2008 refuses to parse files with > 0xFEFF sections. Isn't it?

  3. Yeah, in BlackHat and papers (PE Malformations, PE vs. loader by Alexander Liskin) show that the maximum NumberOfSections in XP is 96, Vista >= 0xFFFF.

    Thanks for your test.
    Iván Portilla
