QuasarApp/pe-parse
4
0
Fork 0
mirror of https://github.com/QuasarApp/pe-parse.git synced 2025-04-27 21:04:31 +00:00
Code Issues Projects Releases Wiki Activity
116 Commits 3 Branches 0 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Wesley Shields ab9775cce9 Clear strings. 
This was causing a problem where resources with strings would accumulate
the strings of previous resources in the directory.

For example, here is the output of test.py on
3f0961b7942f12bc96848509c04da2b6:

Resources: (4)
[+] MD5: (191649) 33a6345b919c7c733da9d33ee4ac64eb
    Type string: BINARY
    Name string:
1.165.3106.0_TO_1.165.3138.0_MPASDLTA.VDM._P
    Lang: 0x0
    Codepage: 0x4e4
    RVA: 0x51dc
    Size: 0x2eca1
    First 10 bytes: 0x4d50535091ec0200c263
[+] MD5: (293587) e4c9b9aa65e0b236cb180fa489502700
    Type string: BINARY
    Name string: 1.165.3106.0_TO_1.165.3138.0_MPASDLTA.VDM._P1.165.3106.0_TO_1.165.3138.0_MPAVDLTA.VDM._P

The second resource has the first resources name string in it.
2015-01-02 23:16:03 -05:00
dump-prog
Implement PE32+ and error reporting.
2014-03-07 13:18:24 -05:00
parser-library
Clear strings.
2015-01-02 23:16:03 -05:00
python
Implement PE32+ and error reporting.
2014-03-07 13:18:24 -05:00
.gitignore
Add python build stuff to .gitignore
2013-11-27 15:51:59 -05:00
CMakeLists.txt
.
2013-07-24 17:32:23 -04:00
LICENSE.txt
All files should have an ext.
2013-11-30 15:15:42 -08:00
README.md
Update README.md
2014-01-22 17:26:06 -05:00

README.md

pe-parse

pe-parse is a principled, lightweight parser for windows portable executable files. It was created to assist in compiled program analysis, potentially of programs of unknown origins. This means that it should be resistant to malformed or maliciously crafted PE files, and it should support questions that analysis software would ask of an executable program container. For example, listing relocations, describing imports and exports, and supporting byte reads from virtual addresses as well as file offsets.

pe-parse supports these use cases via a minimal API that provides methods for

  • Opening and closing a PE file
  • Iterating over the imported functions
  • Iterating over the relocations
  • Iterating over the exported functions
  • Iterating over sections
  • Iterating over resources
  • Reading bytes from specified virtual addresses
  • Retrieving the program entry point

The interface is defined in parser-library/parse.h. The program in dump-prog/dump.cpp is an example of using the parser-library API to dump information about a PE file.

Internally, the parser-library uses a bounded buffer abstraction to access information stored in the PE file. This should help in constructing a sane parser that allows for detection of the use of bogus values in the PE that would result in out of bounds accesses of the input buffer. Once data is read from the file it is sanitized and placed in C++ STL containers of internal types.

Building

pe-parse is built using cmake and depends on boost.

  1. Install dependencies:
  • Debian/Ubuntu: sudo apt-get install boost-dev cmake
  • RedHat/Fedora: sudo yum install boost-devel cmake
  • OSX: brew install boost cmake
  1. cmake .
  2. make

Authors

pe-parse was designed and implemented by Andrew Ruef (andrew@trailofbits.com), with significant contributions from Wesley Shields.

Description
No description provided
Readme MIT 708 KiB
Languages
C++ 85.8%
CMake 10.2%
Python 3.2%
Shell 0.5%
Dockerfile 0.3%