int main(int argc, char *argv[])
{
PE_FILE pe;
FILE *fp, *datafile, *outfile;
IMAGE_SECTION_HEADER section;
unsigned long data_size, hole_size = 0;
unsigned char *buff;
fp = datafile = outfile = NULL;
if (argc < 4)
{
usage();
exit(1);
}
parse_options(argc, argv); // opcoes
//if (!(outfile = fopen(argv[argc-1], "w")))
// EXIT_ERROR("unable to write outfile");
if (!(fp = fopen(argv[argc-2], "r+b")))
EXIT_ERROR("PE file not found or unreadable");
if (!(datafile = fopen(datafile_path, "rb")))
EXIT_ERROR("datafile not found or unreadable");
pe_init(&pe, fp);
if (!ispe(&pe))
EXIT_ERROR("not a valid PE file");
// switch method
if (!find_section(&pe, §ion, true))
EXIT_ERROR("no code sections found");
hole_size = get_hole(&pe, §ion);
if (!hole_size)
EXIT_ERROR("no holes found");
printf("hole size: %ld\n", hole_size);
printf("hole addr: %ld\n", ftell(pe.handle));
// <pev> </pev>
fseek(datafile, 0L, SEEK_END);
data_size = ftell(datafile);
if (data_size + 11> hole_size)
EXIT_ERROR("not enough space");
rewind(datafile);
buff = xmalloc(data_size);
fread(buff, sizeof(buff), 1, datafile);
//'fwrite(buff, sizeof(buff), 1, pe.handle);
free(buff);
fclose(fp); fclose(outfile); fclose(datafile);
return 0;
}
int main(int argc, char *argv[])
{
PE_FILE pe;
FILE *fp = NULL;
unsigned long rva = 0;
parse_options(argc, argv); // opcoes
if (argc != 3)
{
usage();
exit(1);
}
if ((fp = fopen(argv[2], "rb")) == NULL)
EXIT_ERROR("file not found or unreadable");
rva = (unsigned long) strtol(argv[1], NULL, 0);
if (!rva)
EXIT_ERROR("invalid RVA");
pe_init(&pe, fp); // inicializa o struct pe
if (!ispe(&pe))
EXIT_ERROR("not a valid PE file");
printf("%#"PRIx64"\n", rva2ofs(&pe, rva));
// libera a memoria
pe_deinit(&pe);
return 1;
}
int main(int argc, char *argv[])
{
PE_FILE pe;
FILE *dbfile = NULL, *fp = NULL;
QWORD ep_offset, pesize;
char value[MAX_MSG];
unsigned char *pe_data;
if (argc < 2)
{
usage();
exit(1);
}
memset(&config, 0, sizeof(config));
parse_options(argc, argv); // opcoes
if ((fp = fopen(argv[argc-1], "rb")) == NULL)
EXIT_ERROR("file not found or unreadable");
pe_init(&pe, fp); // inicializa o struct pe
if (!ispe(&pe))
EXIT_ERROR("invalid PE file");
if (!pe_get_optional(&pe))
EXIT_ERROR("unable to read optional header");
if (!(ep_offset = rva2ofs(&pe, pe.entrypoint)))
EXIT_ERROR("unable to get entrypoint offset");
pesize = pe_get_size(&pe);
pe_data = (unsigned char *) xmalloc(pesize);
//if (fseek(pe.handle, ep, SEEK_SET))
//EXIT_ERROR("unable to seek to entrypoint offset");
if (!fread(pe_data, pesize, 1, pe.handle))
EXIT_ERROR("unable to read entrypoint data");
if (!loaddb(&dbfile))
fprintf(stderr, "warning: without valid database file, %s will search in generic mode only\n", PROGRAM);
// packer by signature
if (compare_signature(pe_data, ep_offset, dbfile, value));
// generic detection
else if (generic_packer(&pe, ep_offset))
snprintf(value, MAX_MSG, "generic");
else
snprintf(value, MAX_MSG, "no packer found");
free(pe_data);
output("packer", value);
if (dbfile)
fclose(dbfile);
pe_deinit(&pe);
return 0;
}
//试毒员
QWORD prelibation(char* memaddr)
{
/*
//是视频文件
if( ismp4(memaddr) !=0 )return ; //'mp4'
if( isrmvb(memaddr) !=0 )return ; //'rmvb'
//是音乐文件
if( ismp3(memaddr) !=0 )return ; //'mp3'
if( iswav(memaddr) !=0 )return ; //'wav'
//是图片
if( isjpeg(memaddr) !=0 )return ; //'jpeg'
if( ispng(memaddr) !=0 )return ; //'png'
//办公文件
if( isdoc(memaddr) !=0 )return ; //'doc'
if( ispdf(memaddr) !=0 )return ; //'pdf'
//3d模型
//网络协议包
if( isethernet(memaddr) !=0 )return ; //'ethernet'
if( isarp(memaddr) !=0 )return ; //'arp'
if( isudp(memaddr) !=0 )return ; //'udp'
if( istcp(memaddr) !=0 )return ; //'tcp'
*/
//是可执行文件
if( iself(memaddr) !=0 )return 0x666c65; //'elf'
if( ismacho(memaddr) !=0 )return 0x6f6863616d; //'macho'
if( ispe(memaddr) !=0 )return 0x6570; //'pe'
//是压缩包
if( is7z(memaddr) !=0 )return 0x7a37; //'7z'
if( iscpio(memaddr) !=0 )return 0x6f697063; //'cpio'
if( isgz(memaddr) !=0 )return 0x7a67; //'gz'
if( istar(memaddr) !=0 )return 0x726174; //'tar'
if( iszip(memaddr) !=0 )return 0x70697a; //'zip'
//是文件系统
if( isfat(memaddr) !=0 )return 0x746166; //'fat'
if( isntfs(memaddr) !=0 )return 0x7366746e; //'ntfs'
if( isext(memaddr) !=0 )return 0x747865; //'ext'
if( ishfs(memaddr) !=0 )return 0x736668; //'hfs'
//是分区表头
//if( isapm(memaddr) !=0)return ; //'apm' //apple partition map
//if( isbsd(memaddr) !=0)return ; //'bsd' //bsd label
if( isgpt(memaddr) !=0 )return 0x747067; //'gpt'
if( ismbr(memaddr) !=0 )return 0x72626d; //'mbr',特殊,只能放最后
//什么都不像,返回失败
return 0; //'unknown'
}
int main(int argc, char *argv[])
{
PE_FILE pe;
FILE *fp = NULL;
WORD dllchar = 0;
char field[MAX_MSG];
if (argc < 2)
{
usage();
exit(1);
}
parse_options(argc, argv); // opcoes
if ((fp = fopen(argv[argc-1], "rb")) == NULL)
EXIT_ERROR("file not found or unreadable");
pe_init(&pe, fp); // inicializa o struct pe
if (!ispe(&pe))
EXIT_ERROR("not a valid PE file");
if (!pe_get_optional(&pe))
return 1;
if (pe.architecture == PE32)
dllchar = pe.optional_ptr->_32->DllCharacteristics;
else if (pe.architecture == PE64)
dllchar = pe.optional_ptr->_64->DllCharacteristics;
else
return 1;
// aslr
snprintf(field, MAX_MSG, "ASLR");
output(field, (dllchar & 0x40) ? "yes" : "no");
// dep/nx
snprintf(field, MAX_MSG, "DEP/NX");
output(field, (dllchar & 0x100) ? "yes" : "no");
// seh
snprintf(field, MAX_MSG, "SEH");
output(field, (dllchar & 0x400) ? "no" : "yes");
// stack cookies
snprintf(field, MAX_MSG, "Stack cookies (EXPERIMENTAL)");
output(field, stack_cookies(&pe) ? "yes" : "no");
// libera a memoria
pe_deinit(&pe);
return 0;
}
int explainpe(QWORD sector,char* addr)
{
int ret=0;
//得到本分区的开始扇区位置,再得到3个buffer的位置
fshome=addr+0;
first64k=fshome+0x10000;
dirhome=addr+0x100000;
datahome=addr+0x200000;
//读分区前8扇区,检查magic值
ret=readsystem(first64k,sector,0,0x8); //0x1000
ret=ispe(first64k);
if( ret == 0 ) return -1;
//读出关键数据
ret=explainpehead();
if(ret<0)return ret;
return 0;
}
