crackinglandia / pype32 Goto Github PK

There are some malware samples that use #- instead of #~ and still operate correctly.
pype32 can not handle these files.

>>> pe = pype32.PE('Lum_1.exe')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "C:\Python27\lib\site-packages\pype32\pype32.py", line 126, in __init__
    self._internalParse(rd)
  File "C:\Python27\lib\site-packages\pype32\pype32.py", line 493, in _internalParse
    self._parseDirectories(self.ntHeaders.optionalHeader.dataDirectory, self.PE_TYPE)
  File "C:\Python27\lib\site-packages\pype32\pype32.py", line 938, in _parseDirectories
    dataDirectoryInstance[directory[0]].info = directory[1](dir.rva.value, dir.size.value, magic)
  File "C:\Python27\lib\site-packages\pype32\pype32.py", line 1429, in _parseNetDirectory
    for i in netDirectoryClass.netMetaDataStreams["#~"].info.tables["ManifestResource"]:
KeyError: '#~'
>>>

WARNING LIVE MALWARE

Have provided a sample for Testing FileName 'Lum_1.exe'

http://repo.doesntexist.com/public.php?service=files&t=1bf02f3de6eae2762f9c8304fc0af29f

There are no tests. I'd recommend looking into a corpus of PE files and using Travis CI, Shippable, or Circle Ci to ensure that all of the files parse correctly. In particular, it's probably worth getting some really old (16-bit) and really new (Windows 10), and relatively uncommon (Windows on ARM) files to make sure that everything parses.

Currently, pype32 only supports the Python 2.x branch. It would be useful to support the branch 3.x as well.

When parsing these files, pype32 adds extra data to the #strings structure.

https://www.dropbox.com/s/ihul6in1f3xobup/samples.rar

At least, _parseExportDirectory, needs some refactoring. When loading certain files, the loading process is too slow.

This issue happends with a PE file dumped from memory that will not run because import directory (and probably other fields) is invalid.

The import directory contains an rva that is out of the file. When pype32 tries to read the string at that rva, it enters an infinite loop into the function readStringAtRva:

    d = self.getDataAtRva(rva,  1)
    resultStr = datatypes.String("")
    while d != "\x00":
        resultStr.value += d
        rva += 1
        **d = self.getDataAtRva(rva, 1)**
    return resultStr

The variable 'rva' is increased infinitely, and self.getDataAtRva seems to return an empty string because it cant read from the given rva, and the execution never leaves the while loop.

Ran into this executable which ended up consuming 32GB of RAM. Not actually sure what the causes is, so including the hash so you can download.

~/bug$ cat bug.py
import pype32
data = open("test.exe", "rb").read()
pe = pype32.PE(data=data)

~/bug$ md5sum test.exe
ca25e1bf52a1848512cac8a07c9c0d30  test.exe

~/bug$ pip list | grep pype
pype32 (0.1-alpha4)

Hello,
I want to package your software for Arch Linux. Could you please change your version format?Don't use -alphaX as prefix. In nearly all linux distributions is the character - forbidden in the version number. It would make packaging easier.. thx

Since the changes to the net parser the old version of pype32 is not compatible with my scripts.

The new version is not on pip so anyone installing from there can not use my code base.

When trying to install pype32 with pip (Python 2.7.9 (default, Dec 10 2014, 12:24:55) [MSC v.1500 32 bit (Intel)] on win32) an error occurs and the package cannot be installed.

The command was:

D:\Python27>pip search pype32
pype32 - Yet another Python library to read and write
PE/PE+ files.

D:\Python27>pip install pype32
Downloading/unpacking pype32
Could not find a version that satisfies the requirement pype32 (from versions:
0.1-alpha4)
Cleaning up...
No distributions matching the version for pype32
Storing debug log for failure in C:\Users\XXXX\pip\pip.log

The pip.log file contents:

Downloading/unpacking pype32
Getting page https://pypi.python.org/simple/pype32/
URLs to search for versions for pype32:

• https://pypi.python.org/simple/pype32/
  Analyzing links from page https://pypi.python.org/simple/pype32/
  Found link https://pypi.python.org/packages/source/p/pype32/pype32-0.1-alpha4.zip#md5=4217494e5d8b9eb1d8aa637d8fe73dda (from https://pypi.python.org/simple/pype32/), version: 0.1-alpha4
  Ignoring link https://pypi.python.org/packages/source/p/pype32/pype32-0.1-alpha4.zip#md5=4217494e5d8b9eb1d8aa637d8fe73dda (from https://pypi.python.org/simple/pype32/), version 0.1-alpha4 is a pre-release (use --pre to allow).
  Could not find a version that satisfies the requirement pype32 (from versions: 0.1-alpha4)
  Cleaning up...
  Removing temporary dir d:\systmp\pip_build_XXXX...
  No distributions matching the version for pype32
  Exception information:
  Traceback (most recent call last):
  File "D:\Python27\lib\site-packages\pip\basecommand.py", line 122, in main
  status = self.run(options, args)
  File "D:\Python27\lib\site-packages\pip\commands\install.py", line 278, in run
  requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "D:\Python27\lib\site-packages\pip\req.py", line 1177, in prepare_files
  url = finder.find_requirement(req_to_install, upgrade=self.upgrade)
  File "D:\Python27\lib\site-packages\pip\index.py", line 322, in find_requirement
  raise DistributionNotFound('No distributions matching the version for %s' % req)
  DistributionNotFound: No distributions matching the version for pype32

Read the data from each .NET Resource

And then parse each resource from a .resources file. - https://msdn.microsoft.com/en-us/library/system.resources.resourcereader(v=vs.110).aspx

WARNING LIVE MALWARE

Have provided some samples for testing

http://repo.doesntexist.com/public.php?service=files&t=1bf02f3de6eae2762f9c8304fc0af29f