pe-parse/README.md

pe-parse
========

[![Build Status](https://img.shields.io/github/workflow/status/trailofbits/pe-parse/CI/master)](https://github.com/trailofbits/pe-parse/actions?query=workflow%3ACI)

pe-parse is a principled, lightweight parser for windows portable executable files.
It was created to assist in compiled program analysis, potentially of programs of unknown origins.
This means that it should be resistant to malformed or maliciously crafted PE files, and it should
support questions that analysis software would ask of an executable program container.
For example, listing relocations, describing imports and exports, and supporting byte reads from
virtual addresses as well as file offsets.

pe-parse supports these use cases via a minimal API that provides methods for
 * Opening and closing a PE file
 * Iterating over the imported functions
 * Iterating over the relocations
 * Iterating over the exported functions
 * Iterating over sections
 * Iterating over resources
 * Reading bytes from specified virtual addresses
 * Retrieving the program entry point

The interface is defined in `parser-library/parse.h`.

The program in `dump-prog/dump.cpp` is an example of using the parser-library API to dump
information about a PE file.

Internally, the parser-library uses a bounded buffer abstraction to access information stored in
the PE file. This should help in constructing a sane parser that allows for detection of the use
of bogus values in the PE that would result in out of bounds accesses of the input buffer.
Once data is read from the file it is sanitized and placed in C++ STL containers of internal types.

pe-parse includes Python bindings via `pepy`, which can be installed via `pip`:

```bash
$ pip3 install pepy
```

More information about `pepy` can be found in its [README](./pepy/README.md).

## Dependencies

### CMake
  * Debian/Ubuntu: `sudo apt-get install cmake`
  * RedHat/Fedora: `sudo yum install cmake`
  * OSX: `brew install cmake`
  * Windows: Download the installer from the [CMake page](https://cmake.org/download/)

## Building

### Generic instructions
```
git clone https://github.com/trailofbits/pe-parse.git
cd pe-parse

mkdir build
cd build

cmake -DCMAKE_BUILD_TYPE=Release ..
cmake --build .

# optional
cmake --build . --target install
```

PE files that have a Resource section with strings for the Type are encoded in UTF-16, but that
`std::string` expects UTF-8. Some cross-platform solution is desired.

You can let `cmake` choose one it finds in your build environment or you can choose one from the
following options yourself and specify it with the `-DUNICODE_LIBRARY` argument when generating the
project files with `cmake`:

* `icu` (preferred) - "[ICU](http://site.icu-project.org/) is a mature, widely used set of C/C++
and Java libraries providing Unicode and Globalization support for software applications"
* `codecvt` - A C++ library header file
([now deprecated](http://open-std.org/JTC1/SC22/WG21/docs/papers/2017/p0618r0.html)) supported
by some C++ runtimes

### Notes about Windows

If you are building on Windows with Visual Studio, the generator option can be used to select the
compiler version and the output architecture:

```
# Compile 64-bit binaries with Visual Studio 2017
cmake -G "Visual Studio 15 2017 Win64" ..

# Compile 32-bit binaries with Visual Studio 2017
cmake -G "Visual Studio 15 2017" ..
```

Visual Studio 2015 or higher is required to use codecvt, but you also have the option of using
[ICU](http://site.icu-project.org/). The easiest way to get started with ICU in Windows is with
[vcpkg](https://vcpkg.readthedocs.io/): `vcpkg install icu`.

Then, add the `-DCMAKE_TOOLCHAIN_FILE=C:\src\vcpkg\scripts\buildsystems\vcpkg.cmake` argument when
generating the project files with cmake to add the appropriate library and include directories to
the project.

## Using the library

Once the library is installed, linking to it is easy! Add the following lines in your CMake project:

```
find_package(peparse REQUIRED)

target_link_libraries(your_target_name ${PEPARSE_LIBRARIES})
target_include_directories(your_target_name PRIVATE ${PEPARSE_INCLUDE_DIRS})
```

You can see a full example in the examples/peaddrconv folder.

## Authors

pe-parse was designed and implemented by Andrew Ruef (andrew@trailofbits.com), with significant
contributions from [Wesley Shields](https://github.com/wxsBSD).
Update README.md 2013-11-22 19:25:24 -05:00			`pe-parse`
Release 1.0 prep work (#113) Co-authored-by: Eric Kilmer <eric.d.kilmer@gmail.com> 2020-03-17 13:38:56 -04:00			`========`
add a travis button 2014-08-08 17:44:43 -04:00
Github actions (#103) 2019-12-23 09:28:47 -06:00			`[![Build Status](https://img.shields.io/github/workflow/status/trailofbits/pe-parse/CI/master)](https://github.com/trailofbits/pe-parse/actions?query=workflow%3ACI)`
add a travis button 2014-08-08 17:44:43 -04:00
Release 1.0 prep work (#113) Co-authored-by: Eric Kilmer <eric.d.kilmer@gmail.com> 2020-03-17 13:38:56 -04:00			`pe-parse is a principled, lightweight parser for windows portable executable files.`
			`It was created to assist in compiled program analysis, potentially of programs of unknown origins.`
			`This means that it should be resistant to malformed or maliciously crafted PE files, and it should`
			`support questions that analysis software would ask of an executable program container.`
			`For example, listing relocations, describing imports and exports, and supporting byte reads from`
			`virtual addresses as well as file offsets.`
. 2013-11-22 19:19:18 -05:00
			`pe-parse supports these use cases via a minimal API that provides methods for`
			`* Opening and closing a PE file`
			`* Iterating over the imported functions`
			`* Iterating over the relocations`
			`* Iterating over the exported functions`
			`* Iterating over sections`
Implement resource parsing. While here, fix a memory leak in pepy as I was not decrementing the reference counter on self->data in section_dealloc(). 2013-12-24 12:41:59 -05:00			`* Iterating over resources`
. 2013-11-22 19:19:18 -05:00			`* Reading bytes from specified virtual addresses`
			`* Retrieving the program entry point`

Release 1.0 prep work (#113) Co-authored-by: Eric Kilmer <eric.d.kilmer@gmail.com> 2020-03-17 13:38:56 -04:00			The interface is defined in `parser-library/parse.h`.
. 2013-11-22 19:19:18 -05:00
Release 1.0 prep work (#113) Co-authored-by: Eric Kilmer <eric.d.kilmer@gmail.com> 2020-03-17 13:38:56 -04:00			The program in `dump-prog/dump.cpp` is an example of using the parser-library API to dump
			`information about a PE file.`

			`Internally, the parser-library uses a bounded buffer abstraction to access information stored in`
			`the PE file. This should help in constructing a sane parser that allows for detection of the use`
			`of bogus values in the PE that would result in out of bounds accesses of the input buffer.`
			`Once data is read from the file it is sanitized and placed in C++ STL containers of internal types.`

			pe-parse includes Python bindings via `pepy`, which can be installed via `pip`:

			```bash
			`$ pip3 install pepy`
			```

			More information about `pepy` can be found in its [README](./pepy/README.md).

			`## Dependencies`
. 2013-11-22 19:28:04 -05:00
Docs: Update the build instructions 2018-03-26 14:30:34 +02:00			`### CMake`
Remove boost from README 2017-03-11 19:25:58 -05:00			* Debian/Ubuntu: `sudo apt-get install cmake`
			* RedHat/Fedora: `sudo yum install cmake`
			* OSX: `brew install cmake`
Docs: Update the build instructions 2018-03-26 14:30:34 +02:00			`* Windows: Download the installer from the [CMake page](https://cmake.org/download/)`

Release 1.0 prep work (#113) Co-authored-by: Eric Kilmer <eric.d.kilmer@gmail.com> 2020-03-17 13:38:56 -04:00			`## Building`

Docs: Update the build instructions 2018-03-26 14:30:34 +02:00			`### Generic instructions`
			```
			`git clone https://github.com/trailofbits/pe-parse.git`
			`cd pe-parse`

			`mkdir build`
			`cd build`

			`cmake -DCMAKE_BUILD_TYPE=Release ..`
Release 1.0 prep work (#113) Co-authored-by: Eric Kilmer <eric.d.kilmer@gmail.com> 2020-03-17 13:38:56 -04:00			`cmake --build .`
Docs: Update the build instructions 2018-03-26 14:30:34 +02:00
			`# optional`
Release 1.0 prep work (#113) Co-authored-by: Eric Kilmer <eric.d.kilmer@gmail.com> 2020-03-17 13:38:56 -04:00			`cmake --build . --target install`
Docs: Update the build instructions 2018-03-26 14:30:34 +02:00			```

Release 1.0 prep work (#113) Co-authored-by: Eric Kilmer <eric.d.kilmer@gmail.com> 2020-03-17 13:38:56 -04:00			`PE files that have a Resource section with strings for the Type are encoded in UTF-16, but that`
			`std::string` expects UTF-8. Some cross-platform solution is desired.

			You can let `cmake` choose one it finds in your build environment or you can choose one from the
			following options yourself and specify it with the `-DUNICODE_LIBRARY` argument when generating the
			project files with `cmake`:

			* `icu` (preferred) - "[ICU](http://site.icu-project.org/) is a mature, widely used set of C/C++
			`and Java libraries providing Unicode and Globalization support for software applications"`
			* `codecvt` - A C++ library header file
			`([now deprecated](http://open-std.org/JTC1/SC22/WG21/docs/papers/2017/p0618r0.html)) supported`
			`by some C++ runtimes`
Icu and codecvt 2 (#88) * Support for Windows codecvt and icu4c * Add dependency for Travis * Update README * Fix codecvt build for linux * Fix linux builds * Fix copyright 2019-09-16 17:59:24 -07:00
Docs: Update the build instructions 2018-03-26 14:30:34 +02:00			`### Notes about Windows`

Release 1.0 prep work (#113) Co-authored-by: Eric Kilmer <eric.d.kilmer@gmail.com> 2020-03-17 13:38:56 -04:00			`If you are building on Windows with Visual Studio, the generator option can be used to select the`
			`compiler version and the output architecture:`
Docs: Update the build instructions 2018-03-26 14:30:34 +02:00
			```
			`# Compile 64-bit binaries with Visual Studio 2017`
Release 1.0 prep work (#113) Co-authored-by: Eric Kilmer <eric.d.kilmer@gmail.com> 2020-03-17 13:38:56 -04:00			`cmake -G "Visual Studio 15 2017 Win64" ..`
Docs: Update the build instructions 2018-03-26 14:30:34 +02:00
			`# Compile 32-bit binaries with Visual Studio 2017`
Release 1.0 prep work (#113) Co-authored-by: Eric Kilmer <eric.d.kilmer@gmail.com> 2020-03-17 13:38:56 -04:00			`cmake -G "Visual Studio 15 2017" ..`
Docs: Update the build instructions 2018-03-26 14:30:34 +02:00			```
. 2013-11-22 19:31:11 -05:00
Release 1.0 prep work (#113) Co-authored-by: Eric Kilmer <eric.d.kilmer@gmail.com> 2020-03-17 13:38:56 -04:00			`Visual Studio 2015 or higher is required to use codecvt, but you also have the option of using`
			`[ICU](http://site.icu-project.org/). The easiest way to get started with ICU in Windows is with`
			[vcpkg](https://vcpkg.readthedocs.io/): `vcpkg install icu`.

			Then, add the `-DCMAKE_TOOLCHAIN_FILE=C:\src\vcpkg\scripts\buildsystems\vcpkg.cmake` argument when
			`generating the project files with cmake to add the appropriate library and include directories to`
			`the project.`

			`## Using the library`
Icu and codecvt 2 (#88) * Support for Windows codecvt and icu4c * Add dependency for Travis * Update README * Fix codecvt build for linux * Fix linux builds * Fix copyright 2019-09-16 17:59:24 -07:00
Install public headers, add Arch package, build pepy under Travis and more (#57) * CMake: Added install directives * CMake: Added support for find_package(pe-parse) * Fixed a compilation error on Linux * CMake: Fix cmake module installation * Added ArchLinux package * Finished implementing the address converted example * peaddrconv: Print the image base address. * peaddrconv: Enable more warnings. * Update travis to also build the examples * Fix a compilation warning on Ubuntu 14.04 * Travis: Add macOS support. * Better output for Travis, fix a compilation error on macOS. * Travis: Do not build examples under macOS. * Travis: Also compile the python module (pepy) * Readme: Add a section to show how to use the library. * Windows: Fix a compilation error, enable /analyze (see details). The nt-headers.h include file is defining several constexpr values using reserved (by windows.h) names. These names (i.e.: IMAGE_FILE_MACHINE_UNKNOWN) are in fact macros defined inside the Windows header files, and causes the preprocessor to break definitions such as the following one: constexpr std::uint16_t IMAGE_FILE_MACHINE_UNKNOWN = 0x0; The fix (for now) consists in including the nt-headers.h file before windows.h, but we should probably choose whether to use different names or avoid defining those values (since they are inside the system header anyway). 2017-11-25 22:01:53 +01:00			`Once the library is installed, linking to it is easy! Add the following lines in your CMake project:`

			```
			`find_package(peparse REQUIRED)`

			`target_link_libraries(your_target_name ${PEPARSE_LIBRARIES})`
			`target_include_directories(your_target_name PRIVATE ${PEPARSE_INCLUDE_DIRS})`
			```

			`You can see a full example in the examples/peaddrconv folder.`

Release 1.0 prep work (#113) Co-authored-by: Eric Kilmer <eric.d.kilmer@gmail.com> 2020-03-17 13:38:56 -04:00			`## Authors`

			`pe-parse was designed and implemented by Andrew Ruef (andrew@trailofbits.com), with significant`
			`contributions from [Wesley Shields](https://github.com/wxsBSD).`