hasherezade edited this page Aug 22, 2014
Portable Executable parsing library
WARNING: this is an early beta version; some elements are unfinished!
Please report any bugs and remarks to: hasherezade@op.pl
Requires:
- Qt4 Core
- cmake http://www.cmake.org/
```
mkdir re-bear
cd re-bear
git clone https://github.com/hasherezade/bearparser.git
mkdir build
cd build
cmake -G [some generator] ../bearparser/
make
```
Done!
You can test it by running the commander:
```
./commander/bearcommander [optional: path to exe]
```
WARNING: Commander is a very basic tool, used only for the purpose of testing the library's capabilities.
It's not a fully functional tool - or at least not yet!
Type [whatever] (anything that is not a known command) to see all commands, e.g.:
```
$ ?
No such command
Available commands: 17
Rv - Convert: RAW -> RVA
Vr - Convert: RVA -> RAW
cR - Fetch content by Raw address
cV - Fetch content by Virtual address
cl - Clear chosen wrapper
dump - Dump chosen wrapper info
edump - Dump wrapper entries
fdump - Dump chosen wrapper into a file
hR - Fetch content by Raw address - HEX
hV - Fetch content by Virtual address - HEX
info - Exe Info
q - Quit
rs - Resource Info
rsrcs - List Resource Types
rstrings - Print Strings from resources
secR - Section by RAW
secV - Section by RVA
```
Sample usage:
```
hshrzd@kali:~/re-bear/build$ ./commander/bearcommander
Starting...
Path to executable: /home/hshrzd/vm_shared/corkami_samples/exe/cfbogus.exe
Type: PE
Buffering...
Parsing executable...
$ info
Bit mode: 32
Entry point: 0x1000v
Raw size: 0x400
Virtual size: 0x2000
Raw align.: 0x200
Virtual align.: 0x1000
Contains:
[ 0] DOS Hdr
[ 1] File Hdr
[ 2] Optional Hdr
[ 3] Data Directory
[ 4] Section Hdrs
[ 5] Imports
[12] LdConfig
```
Use the dump command to see the details of a particular structure, e.g.:
```
$ dump
[ 0] DOS Hdr
[ 1] File Hdr
[ 2] Optional Hdr
[ 3] Data Directory
[ 4] Section Hdrs
[ 5] Imports
[12] LdConfig
wrapperNum: 12
------
[LdConfig] size: 0x5c fieldsCount: 25
[0250] Size : [0000005C _]
[0254] TimeDateStamp : [00000000 _]
[0258] MajorVersion : [0000 _]
[025A] MinorVersion : [0000 _]
[025C] GlobalFlagsClear : [00000000 _]
[0260] GlobalFlagsSet : [00000000 _]
[0264] CriticalSectionDefaultTimeout : [00000000 _]
[0268] DeCommitFreeBlockThreshold : [00000000 _]
[026C] DeCommitTotalFreeThreshold : [00000000 _]
[0270] LockPrefixTable : [00000000 V]
[0274] MaximumAllocationSize : [00000000 _]
[0278] VirtualMemoryThreshold : [00000000 _]
[027C] ProcessHeapFlags : [00000000 _]
[0280] ProcessAffinityMask : [00000000 _]
[0284] CSDVersion : [0000 _]
[0286] Reserved : [0000 _]
[0288] EditList : [00000000 V]
[028C] SecurityCookie : [004010AC V]
[0290] SEHandlerTable : [00000000 V]
[0294] SEHandlerCount : [00000000 _]
[0298] GuardCFCheckFunctionPtr : [004010B4 V]
[029C] Reserved2 : [00000000 _]
[02A0] GuardCFFunctionTable : [004010B9 V]
[02A4] GuardCFFunctionCount : [00000006 _]
[02A8] GuardFlags : [00000500 _]
```
Some wrappers have subentries; you can dump them using edump:
```
$ edump
[ 0] DOS Hdr
[ 1] File Hdr
[ 2] Optional Hdr
[ 3] Data Directory
[ 4] Section Hdrs
[ 5] Imports
[12] LdConfig
wrapperNum: 5
------
[Imports] size: 0x3c fieldsCount: 2
[02D5] kernel32.dll : [00001120 _] [00000000 _] [00000000 _] [00001180 _] [00001160 _]
[02E9] msvcrt.dll : [00001128 _] [00000000 _] [00000000 _] [0000118D _] [00001168 _]
------
Dump subentries of Index: 1
------
[msvcrt.dll] size: 0x14 fieldsCount: 5
[02E9] OriginalFirstThunk : [00001128 v]
[02ED] TimeDateStamp : [00000000 _]
[02F1] Forwarder : [00000000 _]
[02F5] NameRVA : [0000118D v]
[02F9] FirstThunk : [00001168 v]
------
------
[msvcrt.dll] entriesCount: 1
Entry 0:
------
[[msvcrt.dll].printf] size: 0x4 fieldsCount: 4
[0328] Original Thunk : [0000114E v]
[0368] Thunk : [0000114E v]
[034E] Hint : [0000 _]
------
```
Preview the content at a chosen offset:
```
$ hR
raw: 0
Fetched:
4d 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00
50 45 00 00 4c 10 10 00 00 00 00 00 00 00 00 00
00 00 00 00 e0 00 20 10 b0 10 00 00 00 00 00 00
00 00 00 00
$ cR
raw: 0
Fetched:
MZ\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00PE\x00\x00L\x10\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe0\x00\x20\x10\xb0\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
$
```
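The RAW <-> RVA translation behind the Rv and Vr commands listed above, as an added C++ example (not bearparser's own code): it walks a section table, treats the headers as mapped 1:1, and refuses addresses that have no file bytes behind them, such as the zero-filled tail of a section whose VirtualSize exceeds its SizeOfRawData. The section values are constructed for the example, not taken from cfbogus.exe.

```cpp
#include <cstdint>
#include <vector>

// One entry of the PE section table (the IMAGE_SECTION_HEADER fields used here).
struct SectionHdr {
    uint32_t virtualAddress;   // RVA at which the loader maps the section
    uint32_t virtualSize;      // bytes the section occupies in memory
    uint32_t pointerToRawData; // file offset of the section's data
    uint32_t sizeOfRawData;    // bytes actually present in the file
};

struct PeLayout {
    uint32_t sizeOfHeaders;          // headers are mapped 1:1, so raw == RVA there
    std::vector<SectionHdr> sections;
};

// Result of a translation; ok == false means no bytes correspond to the address.
struct Mapped { bool ok; uint32_t addr; };

// RVA -> raw file offset (bearcommander's "Vr"). Fails for an RVA outside every
// section, and for the zero-filled tail the loader adds when VirtualSize exceeds
// SizeOfRawData: those bytes exist in memory but not in the file.
Mapped rvaToRaw(const PeLayout& pe, uint32_t rva) {
    if (rva < pe.sizeOfHeaders) return {true, rva};
    for (const SectionHdr& s : pe.sections) {
        uint64_t end = uint64_t(s.virtualAddress) + s.virtualSize; // no 32-bit wrap
        if (rva < s.virtualAddress || rva >= end) continue;
        uint32_t delta = rva - s.virtualAddress;
        if (delta >= s.sizeOfRawData) return {false, 0}; // memory-only tail
        return {true, s.pointerToRawData + delta};
    }
    return {false, 0};
}

// raw file offset -> RVA (bearcommander's "Rv"). File bytes that belong to no
// section (inter-section padding, an overlay appended after the last section)
// are never mapped and therefore have no RVA.
Mapped rawToRva(const PeLayout& pe, uint32_t raw) {
    if (raw < pe.sizeOfHeaders) return {true, raw};
    for (const SectionHdr& s : pe.sections) {
        uint64_t end = uint64_t(s.pointerToRawData) + s.sizeOfRawData;
        if (raw < s.pointerToRawData || raw >= end) continue;
        return {true, s.virtualAddress + (raw - s.pointerToRawData)};
    }
    return {false, 0};
}

// Constructed layout (hypothetical, not read from cfbogus.exe): 0x200 bytes of
// headers and one section at RVA 0x1000, 0x200 bytes on disk, 0x1000 in memory.
const PeLayout kSample{0x200, {{0x1000, 0x1000, 0x200, 0x200}}};
```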
~ hasherezade (@hasherezade), 2014-2015 ~