Jump to content
Nytro

Portable Executable Parser

By Nytro, in Programe utile

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Portable Executable Parser GoDoc Report Card codecov GitHub Workflow Status

pe parser is a go package for parsing the portable executable file format. This package was designed with malware analysis in mind, and being resistent to PE malformations.

Features

  • Works with PE32/PE32+ file fomat.
  • Supports Intel x86/AMD64/ARM7ARM7 Thumb/ARM8-64/IA64/CHPE architectures.
  • MS DOS header.
  • Rich Header (calculate checksum).
  • NT Header (file header + optional header).
  • COFF symbol table and string table.
  • Sections headers + entropy calculation.
  • Data directories
    • Import Table + ImpHash calculation.
    • Export Table
    • Resource Table
    • Exceptions Table
    • Security Table + Authentihash calculation.
    • Relocations Table
    • Debug Table (CODEVIEW, POGO, VC FEATURE, REPRO, FPO, EXDLL CHARACTERISTICS debug types).
    • TLS Table
    • Load Config Directory (SEH, GFID, GIAT, Guard LongJumps, CHPE, Dynamic Value Reloc Table, Enclave Configuration, Volatile Metadata tables).
    • Bound Import Table
    • Delay Import Table
    • COM Table (CLR Metadata Header, Metadata Table Streams)
  • Report several anomalies

Installing

Using peparser is easy. First, use go get to install the latest version of the library. This command will install the peparser generator executable along with the library and its dependencies: 

go get -u github.com/saferwall/pe

Next, include peparser in your application: 

import "github.com/saferwall/pe"

Using the library 

package main

import (
	peparser "github.com/saferwall/pe"
)

func main() {
    filename := "C:\\Binaries\\notepad.exe"
    pe, err := peparser.New(filename, nil)
	if err != nil {
		log.Fatalf("Error while opening file: %s, reason: %s", filename, err)
    }
    
    err = pe.Parse()
    if err != nil {
        log.Fatalf("Error while opening file: %s, reason: %s", filename, err)
    }

TODO:

  • imports MS-styled names demangling
  • PE: VB5 and VB6 typical structures: project info, DLLCall-imports, referenced modules, object table

Fuzz Testing

To validate the parser we use the go-fuzz and a corpus of known malformed and tricky PE files from corkami.

References

 

Sursa: https://github.com/saferwall/pe

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...