
pe-library's Introduction

PE

Lightweight Portable Executable (PE) format parsing library for Windows programs, handy for malware analysis and development purposes. Probably really buggy and potentially vulnerable to all sorts of memory corruption :-) Written ages ago, then refactored, fixed, improved and enhanced ad hoc, without the will to rewrite it properly or to hunt down the outstanding memory handling issues.

Usage

The following analysis endpoints are exposed:

  • PE::AnalyseFile - analyses a locally available file
  • PE::AnalyseDump - analyses a raw process memory dump
  • PE::AnalyseMemory - analyses a memory region mapped in the specified process
  • PE::AnalyseProcess - analyses a remote process's main module
  • PE::AnalyseProcessModule - analyses the specified module mapped in the remote process's virtual memory

Other exposed functionality worth a look:

  • PE::InsertShellcode - inserts the input shellcode into a newly injected PE section
  • PE::ReadBytes and PE::WriteBytes - file/process I/O
  • PE::HookIAT and PE::HookEAT - hook IAT/EAT thunks (running them on a local file won't do any magic, because the OS loader repopulates the IAT/EAT at program launch anyway, clobbering the hook)
  • PE::CreateSection and PE::RemoveSection - add/remove a PE section
  • PE::HasOverlay and PE::ReadOverlay - work with the file's overlay
  • PE::UpdateHeaders - adjusts the OptionalHeader after any PE structure field has been altered
  • PE::ReadSection - reads the specified section's bytes
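The introduction warns that the parser may be vulnerable to memory corruption, which for a header walk such as the one behind PE::AnalyseFile comes down to trusting e_lfanew, SizeOfOptionalHeader and NumberOfSections before checking them against the buffer. The following is an added, standalone C example, not code from pe-library, showing that validation over a constructed minimal PE image; the function names (pe_section_table, build_sample, probe), the sample layout and the corruptions tried are all assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>
enum { PE_OK = 0, PE_ERR_DOS = -1, PE_ERR_NT = -2, PE_ERR_SECTIONS = -3 };
/* Bounds-checked little-endian reads: refuse rather than read past `len`. */
static int rd16(const uint8_t *b, size_t len, size_t off, uint16_t *v) {
    if (off > len || len - off < 2) return 0;
    *v = (uint16_t)(b[off] | (b[off + 1] << 8));
    return 1;
}
static int rd32(const uint8_t *b, size_t len, size_t off, uint32_t *v) {
    if (off > len || len - off < 4) return 0;
    *v = (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8) | ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
    return 1;
}
/* Locate the section table of the PE image in `buf`, validating every header-derived
 * offset against `len` before it is used (IMAGE_DOS_HEADER / IMAGE_NT_HEADERS layout). */
int pe_section_table(const uint8_t *buf, size_t len, size_t *tbl_off, uint16_t *nsec) {
    uint16_t magic, nsections, opt_size; uint32_t e_lfanew, sig;
    if (!rd16(buf, len, 0, &magic) || magic != 0x5A4D) return PE_ERR_DOS;      /* "MZ" */
    if (!rd32(buf, len, 0x3C, &e_lfanew)) return PE_ERR_DOS;                    /* e_lfanew */
    if (!rd32(buf, len, e_lfanew, &sig) || sig != 0x00004550) return PE_ERR_NT; /* "PE\0\0" */
    if (!rd16(buf, len, (size_t)e_lfanew + 6, &nsections)) return PE_ERR_NT;    /* NumberOfSections */
    if (!rd16(buf, len, (size_t)e_lfanew + 20, &opt_size)) return PE_ERR_NT;    /* SizeOfOptionalHeader */
    size_t tbl = (size_t)e_lfanew + 24 + opt_size;  /* signature (4) + IMAGE_FILE_HEADER (20) + optional header */
    if (tbl > len || (len - tbl) / 40 < nsections) return PE_ERR_SECTIONS;       /* 40 bytes per section header */
    *tbl_off = tbl; *nsec = nsections;
    return PE_OK;
}
/* Constructed sample image: DOS header, PE32 optional header (0xE0 bytes), two empty section headers. */
size_t build_sample(uint8_t *out, size_t cap) {
    size_t need = 0x40 + 24 + 0xE0 + 2 * 40;        /* = 392 bytes */
    if (cap < need) return 0;
    memset(out, 0, need);
    memcpy(out, "MZ", 2);
    out[0x3C] = 0x40;                               /* e_lfanew = 0x40 */
    memcpy(out + 0x40, "PE\0\0", 4);
    out[0x46] = 2; out[0x54] = 0xE0;                /* NumberOfSections = 2, SizeOfOptionalHeader = 0xE0 */
    return need;
}
/* Applies one constructed corruption to the sample and returns the parser's verdict. */
int probe(int mutation) {
    uint8_t buf[512]; size_t off, n = build_sample(buf, sizeof buf); uint16_t ns;
    if (mutation == 1) n -= 1;                                  /* file truncated by one byte */
    if (mutation == 2) { buf[0x3C] = 0xFF; buf[0x3D] = 0xFF; }  /* e_lfanew points beyond the buffer */
    if (mutation == 3) { buf[0x46] = 0xFF; buf[0x47] = 0xFF; }  /* NumberOfSections = 0xFFFF */
    return pe_section_table(buf, n, &off, &ns);
}
```

Each of the three corruptions is rejected with an error code instead of turning into an out-of-bounds read, which is the property a fuzzer run against a PE parser should be checking for.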

Demo

To demonstrate how to use the library, the small utility peParser is included. Its use is straightforward:

cmd> peParser86.exe

Usage:

    1) Analyse file:
    cmd> peParser file <filepath>

    2) Analyse process:
    cmd> peParser process <PID>

    3) Analyse process' module:
    cmd> peParser module <PID> <moduleName|0xModuleAddress>

    4) Analyse dump file:
    cmd> peParser dump <filepath>

    5) Analyse injected, not-mapped (MEM_PRIVATE) shellcode:
    cmd> peParser memory <PID> <address>

Known Issues

Billions and billions and billions and billions and billions and billions and billions and billions and billions and billions and billions and billions and billions and billions and billions and billions and billions [...] and billions of programming errors were probably made in its implementation. As said, I've got no will to find & fix them.

My typical use of this library is malware development for Red Team purposes. Such a use case requires merely a lightweight codebase capable of analysing mostly well-structured system binaries, and for these needs the current implementation works pretty well.

You are free to go ahead and train your vulnerability analysis & exploitation skills by crafting dodgy PE structures that attempt to exploit my tasty bugs. :-) Ohhh, and if you do - please do mind opening an issue, as I would be keen on fixing them eventually!


☕ Show Support ☕

This and other projects are the outcome of sleepless nights and plenty of hard work. If you like what I do and appreciate that I always give back to the community, consider buying me a coffee (or better, a beer) just to say thank you! 💪


Author

   Mariusz Banach / mgeeky, 21
   <mb [at] binary-offensive.com>
   (https://github.com/mgeeky)
