pe-parse/README.md

pe-parse
=========================================

[![Build Status](https://travis-ci.org/trailofbits/pe-parse.svg?branch=master)](https://travis-ci.org/trailofbits/pe-parse)
[![Coverity Scan Build Status](https://scan.coverity.com/projects/3671/badge.svg)](https://scan.coverity.com/projects/3671)

pe-parse is a principled, lightweight parser for windows portable executable files. It was created to assist in compiled program analysis, potentially of programs of unknown origins. This means that it should be resistant to malformed or maliciously crafted PE files, and it should support questions that analysis software would ask of an executable program container. For example, listing relocations, describing imports and exports, and supporting byte reads from virtual addresses as well as file offsets. 

pe-parse supports these use cases via a minimal API that provides methods for
 * Opening and closing a PE file
 * Iterating over the imported functions
 * Iterating over the relocations
 * Iterating over the exported functions
 * Iterating over sections
 * Iterating over resources
 * Reading bytes from specified virtual addresses
 * Retrieving the program entry point

The interface is defined in `parser-library/parse.h`. The program in `dump-prog/dump.cpp` is an example of using the parser-library API to dump information about a PE file. 

Internally, the parser-library uses a bounded buffer abstraction to access information stored in the PE file. This should help in constructing a sane parser that allows for detection of the use of bogus values in the PE that would result in out of bounds accesses of the input buffer. Once data is read from the file it is sanitized and placed in C++ STL containers of internal types.

Dependencies
========
### CMake
  * Debian/Ubuntu: `sudo apt-get install cmake`
  * RedHat/Fedora: `sudo yum install cmake`
  * OSX: `brew install cmake`
  * Windows: Download the installer from the [CMake page](https://cmake.org/download/)

Building
========
### Generic instructions
```
git clone https://github.com/trailofbits/pe-parse.git
cd pe-parse

mkdir build
cd build

cmake -DCMAKE_BUILD_TYPE=Release ..
cmake --build . --config Release

# optional
cmake --build . --config Release --target install
```

PE files that have a Resource section with strings for the Type are encoded in UTF-16, but that `std::string` expects UTF-8. Some cross-platform solution
is desired. You can let cmake choose one it finds in your build environment or you can choose one from the following options yourself and specify it with
the `-DUNICODE_LIBRARY` argument when generating the project files with cmake:
* `icu` (preferred) - "[ICU](http://site.icu-project.org/) is a mature, widely used set of C/C++ and Java libraries providing Unicode and Globalization support for software applications"
* `codecvt` - A C++ library header file ([now deprecated](http://open-std.org/JTC1/SC22/WG21/docs/papers/2017/p0618r0.html)) supported by some C++ runtimes

### Notes about Windows

If you are building on Windows with Visual Studio, the generator option can be used to select the compiler version and the output architecture:

```
# Compile 64-bit binaries with Visual Studio 2017
cmake -G "Visual Studio 15 2017 Win64" -DCMAKE_BUILD_TYPE=Release ..

# Compile 32-bit binaries with Visual Studio 2017
cmake -G "Visual Studio 15 2017" -DCMAKE_BUILD_TYPE=Release ..
```

Visual Studio 2015 or higher is required to use codecvt, but you also have the option of using [ICU](http://site.icu-project.org/). The easiest way to
get started with ICU in Windows is with [vcpkg](https://vcpkg.readthedocs.io/): `vcpkg install icu`. Then add the
`-DCMAKE_TOOLCHAIN_FILE=C:\src\vcpkg\scripts\buildsystems\vcpkg.cmake` argument when generating the project files with cmake to add the appropriate
library and include directories to the project.

Using the library
=======
Once the library is installed, linking to it is easy! Add the following lines in your CMake project:

```
find_package(peparse REQUIRED)

target_link_libraries(your_target_name ${PEPARSE_LIBRARIES})
target_include_directories(your_target_name PRIVATE ${PEPARSE_INCLUDE_DIRS})
```

You can see a full example in the examples/peaddrconv folder.

Authors
=======
pe-parse was designed and implemented by Andrew Ruef (andrew@trailofbits.com), with significant contributions from [Wesley Shields](https://github.com/wxsBSD).
Update README.md 2013-11-22 19:25:24 -05:00			`pe-parse`
. 2013-11-19 20:13:37 -05:00			`=========================================`
add a travis button 2014-08-08 17:44:43 -04:00
			`[![Build Status](https://travis-ci.org/trailofbits/pe-parse.svg?branch=master)](https://travis-ci.org/trailofbits/pe-parse)`
moar badges 2014-12-10 20:29:57 -05:00			`[![Coverity Scan Build Status](https://scan.coverity.com/projects/3671/badge.svg)](https://scan.coverity.com/projects/3671)`
add a travis button 2014-08-08 17:44:43 -04:00
Fixed a typo. 2013-11-22 16:40:21 -08:00			pe-parse is a principled, lightweight parser for windows portable executable files. It was created to assist in compiled program analysis, potentially of programs of unknown origins. This means that it should be resistant to malformed or maliciously crafted PE files, and it should support questions that analysis software would ask of an executable program container. For example, listing relocations, describing imports and exports, and supporting byte reads from virtual addresses as well as file offsets.
. 2013-11-22 19:19:18 -05:00
			`pe-parse supports these use cases via a minimal API that provides methods for`
			`* Opening and closing a PE file`
			`* Iterating over the imported functions`
			`* Iterating over the relocations`
			`* Iterating over the exported functions`
			`* Iterating over sections`
Implement resource parsing. While here, fix a memory leak in pepy as I was not decrementing the reference counter on self->data in section_dealloc(). 2013-12-24 12:41:59 -05:00			`* Iterating over resources`
. 2013-11-22 19:19:18 -05:00			`* Reading bytes from specified virtual addresses`
			`* Retrieving the program entry point`

Update README.md 2013-11-22 19:25:24 -05:00			The interface is defined in `parser-library/parse.h`. The program in `dump-prog/dump.cpp` is an example of using the parser-library API to dump information about a PE file.
. 2013-11-22 19:19:18 -05:00
Update README.md 2013-11-22 19:25:24 -05:00			`Internally, the parser-library uses a bounded buffer abstraction to access information stored in the PE file. This should help in constructing a sane parser that allows for detection of the use of bogus values in the PE that would result in out of bounds accesses of the input buffer. Once data is read from the file it is sanitized and placed in C++ STL containers of internal types.`
. 2013-11-22 19:28:04 -05:00
Docs: Update the build instructions 2018-03-26 14:30:34 +02:00			`Dependencies`
. 2013-11-22 19:28:04 -05:00			`========`
Docs: Update the build instructions 2018-03-26 14:30:34 +02:00			`### CMake`
Remove boost from README 2017-03-11 19:25:58 -05:00			* Debian/Ubuntu: `sudo apt-get install cmake`
			* RedHat/Fedora: `sudo yum install cmake`
			* OSX: `brew install cmake`
Docs: Update the build instructions 2018-03-26 14:30:34 +02:00			`* Windows: Download the installer from the [CMake page](https://cmake.org/download/)`

			`Building`
			`========`
			`### Generic instructions`
			```
			`git clone https://github.com/trailofbits/pe-parse.git`
			`cd pe-parse`

			`mkdir build`
			`cd build`

			`cmake -DCMAKE_BUILD_TYPE=Release ..`
			`cmake --build . --config Release`

			`# optional`
			`cmake --build . --config Release --target install`
			```

Icu and codecvt 2 (#88) * Support for Windows codecvt and icu4c * Add dependency for Travis * Update README * Fix codecvt build for linux * Fix linux builds * Fix copyright 2019-09-16 17:59:24 -07:00			PE files that have a Resource section with strings for the Type are encoded in UTF-16, but that `std::string` expects UTF-8. Some cross-platform solution
			`is desired. You can let cmake choose one it finds in your build environment or you can choose one from the following options yourself and specify it with`
			the `-DUNICODE_LIBRARY` argument when generating the project files with cmake:
			* `icu` (preferred) - "[ICU](http://site.icu-project.org/) is a mature, widely used set of C/C++ and Java libraries providing Unicode and Globalization support for software applications"
			* `codecvt` - A C++ library header file ([now deprecated](http://open-std.org/JTC1/SC22/WG21/docs/papers/2017/p0618r0.html)) supported by some C++ runtimes

Docs: Update the build instructions 2018-03-26 14:30:34 +02:00			`### Notes about Windows`

			`If you are building on Windows with Visual Studio, the generator option can be used to select the compiler version and the output architecture:`

			```
			`# Compile 64-bit binaries with Visual Studio 2017`
			`cmake -G "Visual Studio 15 2017 Win64" -DCMAKE_BUILD_TYPE=Release ..`

			`# Compile 32-bit binaries with Visual Studio 2017`
			`cmake -G "Visual Studio 15 2017" -DCMAKE_BUILD_TYPE=Release ..`
			```
. 2013-11-22 19:31:11 -05:00
Icu and codecvt 2 (#88) * Support for Windows codecvt and icu4c * Add dependency for Travis * Update README * Fix codecvt build for linux * Fix linux builds * Fix copyright 2019-09-16 17:59:24 -07:00			`Visual Studio 2015 or higher is required to use codecvt, but you also have the option of using [ICU](http://site.icu-project.org/). The easiest way to`
			get started with ICU in Windows is with [vcpkg](https://vcpkg.readthedocs.io/): `vcpkg install icu`. Then add the
			`-DCMAKE_TOOLCHAIN_FILE=C:\src\vcpkg\scripts\buildsystems\vcpkg.cmake` argument when generating the project files with cmake to add the appropriate
			`library and include directories to the project.`

Install public headers, add Arch package, build pepy under Travis and more (#57) * CMake: Added install directives * CMake: Added support for find_package(pe-parse) * Fixed a compilation error on Linux * CMake: Fix cmake module installation * Added ArchLinux package * Finished implementing the address converted example * peaddrconv: Print the image base address. * peaddrconv: Enable more warnings. * Update travis to also build the examples * Fix a compilation warning on Ubuntu 14.04 * Travis: Add macOS support. * Better output for Travis, fix a compilation error on macOS. * Travis: Do not build examples under macOS. * Travis: Also compile the python module (pepy) * Readme: Add a section to show how to use the library. * Windows: Fix a compilation error, enable /analyze (see details). The nt-headers.h include file is defining several constexpr values using reserved (by windows.h) names. These names (i.e.: IMAGE_FILE_MACHINE_UNKNOWN) are in fact macros defined inside the Windows header files, and causes the preprocessor to break definitions such as the following one: constexpr std::uint16_t IMAGE_FILE_MACHINE_UNKNOWN = 0x0; The fix (for now) consists in including the nt-headers.h file before windows.h, but we should probably choose whether to use different names or avoid defining those values (since they are inside the system header anyway). 2017-11-25 22:01:53 +01:00			`Using the library`
			`=======`
			`Once the library is installed, linking to it is easy! Add the following lines in your CMake project:`

			```
			`find_package(peparse REQUIRED)`

			`target_link_libraries(your_target_name ${PEPARSE_LIBRARIES})`
			`target_include_directories(your_target_name PRIVATE ${PEPARSE_INCLUDE_DIRS})`
			```

			`You can see a full example in the examples/peaddrconv folder.`

. 2013-11-22 19:31:11 -05:00			`Authors`
			`=======`
Update README.md 2014-01-22 17:26:06 -05:00			`pe-parse was designed and implemented by Andrew Ruef (andrew@trailofbits.com), with significant contributions from [Wesley Shields](https://github.com/wxsBSD).`