77b72f3cc9
Teach the parser to properly handle PE32+ binaries. The major differences are: - Fields in the OptionalHeader which are not relative are now 64 bits. - Base addresses should all be 64 bits. - The BaseOfData field is not available on PE32+ There is now a 16 bit field tacked on to the end of nt_header_32 called OptionalMagic. This is a duplicate of the Magic field in optional_header_32 and optional_header_64, but is stored in nt_header_32 to make it easier to determine which optional header is being used. I also added support for better error reporting. Now when something fails to parse you can use a couple of functions to find out what happened and where it happened: - GetPEErr(): Return the error as an integer. - GetPEErrString(): Return the error as a string. - GetPEErrLoc(): Return the function and line number of the error. Made some changes to pepy to account for these changes. The interface into pepy is identical. Only externally visible changes are that pepy.parse() will now return the error string and location when parsing fails and the baseofdata attribute will throw an exception if the binary is PE32+. to_string.h is now included from parse.h, so remove it from dump.cpp. While here do a bunch of cleanups to make printing consistent. Use '0x' where appropriate and ensure exceptions are punctuated correctly.
pe-parse
pe-parse is a principled, lightweight parser for windows portable executable files. It was created to assist in compiled program analysis, potentially of programs of unknown origins. This means that it should be resistant to malformed or maliciously crafted PE files, and it should support questions that analysis software would ask of an executable program container. For example, listing relocations, describing imports and exports, and supporting byte reads from virtual addresses as well as file offsets.
pe-parse supports these use cases via a minimal API that provides methods for
- Opening and closing a PE file
- Iterating over the imported functions
- Iterating over the relocations
- Iterating over the exported functions
- Iterating over sections
- Iterating over resources
- Reading bytes from specified virtual addresses
- Retrieving the program entry point
The interface is defined in parser-library/parse.h. The program in dump-prog/dump.cpp is an example of using the parser-library API to dump information about a PE file.
Internally, the parser-library uses a bounded buffer abstraction to access information stored in the PE file. This should help in constructing a sane parser that allows for detection of the use of bogus values in the PE that would result in out of bounds accesses of the input buffer. Once data is read from the file it is sanitized and placed in C++ STL containers of internal types.
Building
pe-parse is built using cmake and depends on boost.
- Install dependencies:
- Debian/Ubuntu:
sudo apt-get install boost-dev cmake - RedHat/Fedora:
sudo yum install boost-devel cmake - OSX:
brew install boost cmake
cmake .make
Authors
pe-parse was designed and implemented by Andrew Ruef (andrew@trailofbits.com), with significant contributions from Wesley Shields.