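/* Hole finder / injector: locate a hole inside a code section of the PE named
 * by argv[argc-2] that is large enough for the data file selected through
 * parse_options() (datafile_path), read that payload into memory and report
 * the hole size and position. The injection write itself is disabled in this
 * revision (see the note near the end), so the PE is not modified.
 *
 * Every failure goes through EXIT_ERROR(); on success returns 0.
 *
 * Fixes relative to the previous revision: the payload was read with
 * fread(buff, sizeof(buff), ...) — the size of the pointer, not of the data —
 * with the result unchecked; a never-opened `outfile` stream was passed to
 * fclose() (fclose(NULL) is undefined behaviour); ftell() failure (-1) was
 * converted into a huge unsigned length; and hole_size was printed with %ld
 * although it is unsigned. */
int main(int argc, char *argv[])
{
    /* Bytes reserved beyond the payload when checking that it fits; the
     * previous revision hard-coded 11 without recording why, so the value is
     * kept unchanged and only named. */
    enum { HOLE_OVERHEAD = 11 };

    PE_FILE pe;
    FILE *fp = NULL, *datafile = NULL;
    IMAGE_SECTION_HEADER section;
    unsigned long data_size = 0, hole_size = 0;
    long data_end = 0;
    unsigned char *buff = NULL;

    if (argc < 4) {
        usage();
        exit(1);
    }
    parse_options(argc, argv);

    /* "r+b": the PE is opened for update because the (disabled) injection step
     * is meant to write into it in place. */
    if (!(fp = fopen(argv[argc - 2], "r+b")))
        EXIT_ERROR("PE file not found or unreadable");
    if (!(datafile = fopen(datafile_path, "rb")))
        EXIT_ERROR("datafile not found or unreadable");

    pe_init(&pe, fp);
    if (!ispe(&pe))
        EXIT_ERROR("not a valid PE file");

    /* Third argument restricts the search to code sections. */
    if (!find_section(&pe, &section, true))
        EXIT_ERROR("no code sections found");
    hole_size = get_hole(&pe, &section);
    if (!hole_size)
        EXIT_ERROR("no holes found");
    printf("hole size: %lu\n", hole_size);
    /* Assumes get_hole() leaves the stream positioned at the hole — the
     * previous revision relied on the same thing. */
    printf("hole addr: %ld\n", ftell(pe.handle));

    /* Measure the payload; ftell() returns -1 on failure. */
    if (fseek(datafile, 0L, SEEK_END) != 0 || (data_end = ftell(datafile)) < 0)
        EXIT_ERROR("unable to determine datafile size");
    data_size = (unsigned long) data_end;
    if (data_size + HOLE_OVERHEAD > hole_size)
        EXIT_ERROR("not enough space");
    rewind(datafile);

    /* Read exactly data_size bytes and insist on a full read: a short payload
     * must never be silently injected. */
    buff = xmalloc(data_size);
    if (fread(buff, 1, data_size, datafile) != data_size)
        EXIT_ERROR("unable to read datafile");

    /* Injection is disabled in this revision. The intended step is
     *     fwrite(buff, 1, data_size, pe.handle);
     * followed by a check that all data_size bytes were written. */

    free(buff);
    fclose(datafile);
    fclose(fp);
    return 0;
}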
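/* rva2ofs front end: convert the RVA given in argv[1] to a file offset inside
 * the PE named by argv[2] and print it in hex.
 *
 * The RVA is parsed with base 0, so decimal, 0x-prefixed hex and 0-prefixed
 * octal are all accepted. Unlike the previous revision, trailing garbage and
 * an empty argument are rejected instead of being silently parsed as 0; an
 * RVA of 0 is still treated as invalid. Overflow (ERANGE) is not detected
 * because errno is not in scope here.
 *
 * Returns 0 on success; the previous revision returned 1, which to a shell
 * looks like a failure. */
int main(int argc, char *argv[])
{
    PE_FILE pe;
    FILE *fp = NULL;
    unsigned long rva = 0;
    char *end = NULL;

    parse_options(argc, argv);
    if (argc != 3) {
        usage();
        exit(1);
    }

    /* Validate the RVA before touching the filesystem. */
    rva = strtoul(argv[1], &end, 0);
    if (end == argv[1] || *end != '\0' || rva == 0)
        EXIT_ERROR("invalid RVA");

    if ((fp = fopen(argv[2], "rb")) == NULL)
        EXIT_ERROR("file not found or unreadable");
    pe_init(&pe, fp);
    if (!ispe(&pe))
        EXIT_ERROR("not a valid PE file");

    /* rva2ofs() is printed as a 64-bit value, as in the rest of the tool set. */
    printf("%#"PRIx64"\n", rva2ofs(&pe, rva));

    /* Releases what pe_init() allocated; presumably also closes fp. */
    pe_deinit(&pe);
    return 0;
}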
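/* Packer detector: load the whole PE image into memory, look the bytes at the
 * entry point up in the signature database, and fall back to a generic
 * heuristic. The result is emitted as a single "packer" field via output().
 *
 * Exits through EXIT_ERROR() on I/O or header errors; returns 0 otherwise.
 *
 * Changes relative to the previous revision: the stream is rewound before the
 * bulk read (pe_init() may have moved the position while reading headers, and
 * compare_signature() indexes the buffer by *file* offset, so the buffer must
 * start at byte 0); the entry-point offset is bounds-checked against the
 * buffer before being handed to the signature/heuristic code so a crafted
 * header cannot drive an out-of-bounds read; and the bare `if (...);` that
 * made the else-chain hard to read is now an explicit empty branch. */
int main(int argc, char *argv[])
{
    PE_FILE pe;
    FILE *dbfile = NULL, *fp = NULL;
    QWORD ep_offset = 0, pesize = 0;
    char value[MAX_MSG];
    unsigned char *pe_data = NULL;

    if (argc < 2) {
        usage();
        exit(1);
    }
    /* File-scope option block, zeroed before the command line is parsed. */
    memset(&config, 0, sizeof(config));
    parse_options(argc, argv);

    if ((fp = fopen(argv[argc - 1], "rb")) == NULL)
        EXIT_ERROR("file not found or unreadable");
    pe_init(&pe, fp);
    if (!ispe(&pe))
        EXIT_ERROR("invalid PE file");
    if (!pe_get_optional(&pe))
        EXIT_ERROR("unable to read optional header");
    if (!(ep_offset = rva2ofs(&pe, pe.entrypoint)))
        EXIT_ERROR("unable to get entrypoint offset");

    pesize = pe_get_size(&pe);
    /* The entry point must lie inside the image we are about to index. */
    if (ep_offset >= pesize)
        EXIT_ERROR("entrypoint offset beyond end of file");

    pe_data = (unsigned char *) xmalloc(pesize);
    rewind(pe.handle);
    if (!fread(pe_data, pesize, 1, pe.handle))
        EXIT_ERROR("unable to read entrypoint data");

    if (!loaddb(&dbfile))
        fprintf(stderr, "warning: without valid database file, %s will search in generic mode only\n", PROGRAM);

    /* compare_signature() is expected to fill `value` itself on a hit; the
     * buffer is emptied first so a silent miss can never print stack garbage. */
    value[0] = '\0';
    if (compare_signature(pe_data, ep_offset, dbfile, value)) {
        /* matched a database signature; value already set */
    } else if (generic_packer(&pe, ep_offset)) {
        snprintf(value, MAX_MSG, "generic");
    } else {
        snprintf(value, MAX_MSG, "no packer found");
    }

    free(pe_data);
    output("packer", value);

    if (dbfile)
        fclose(dbfile);
    pe_deinit(&pe);
    return 0;
}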
//试毒员 QWORD prelibation(char* memaddr) { /* //是视频文件 if( ismp4(memaddr) !=0 )return ; //'mp4' if( isrmvb(memaddr) !=0 )return ; //'rmvb' //是音乐文件 if( ismp3(memaddr) !=0 )return ; //'mp3' if( iswav(memaddr) !=0 )return ; //'wav' //是图片 if( isjpeg(memaddr) !=0 )return ; //'jpeg' if( ispng(memaddr) !=0 )return ; //'png' //办公文件 if( isdoc(memaddr) !=0 )return ; //'doc' if( ispdf(memaddr) !=0 )return ; //'pdf' //3d模型 //网络协议包 if( isethernet(memaddr) !=0 )return ; //'ethernet' if( isarp(memaddr) !=0 )return ; //'arp' if( isudp(memaddr) !=0 )return ; //'udp' if( istcp(memaddr) !=0 )return ; //'tcp' */ //是可执行文件 if( iself(memaddr) !=0 )return 0x666c65; //'elf' if( ismacho(memaddr) !=0 )return 0x6f6863616d; //'macho' if( ispe(memaddr) !=0 )return 0x6570; //'pe' //是压缩包 if( is7z(memaddr) !=0 )return 0x7a37; //'7z' if( iscpio(memaddr) !=0 )return 0x6f697063; //'cpio' if( isgz(memaddr) !=0 )return 0x7a67; //'gz' if( istar(memaddr) !=0 )return 0x726174; //'tar' if( iszip(memaddr) !=0 )return 0x70697a; //'zip' //是文件系统 if( isfat(memaddr) !=0 )return 0x746166; //'fat' if( isntfs(memaddr) !=0 )return 0x7366746e; //'ntfs' if( isext(memaddr) !=0 )return 0x747865; //'ext' if( ishfs(memaddr) !=0 )return 0x736668; //'hfs' //是分区表头 //if( isapm(memaddr) !=0)return ; //'apm' //apple partition map //if( isbsd(memaddr) !=0)return ; //'bsd' //bsd label if( isgpt(memaddr) !=0 )return 0x747067; //'gpt' if( ismbr(memaddr) !=0 )return 0x72626d; //'mbr',特殊,只能放最后 //什么都不像,返回失败 return 0; //'unknown' }
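/* Report the exploit mitigations a PE image opts into, read from the optional
 * header's DllCharacteristics: ASLR (DYNAMIC_BASE), DEP/NX (NX_COMPAT) and SEH
 * (reported "yes" unless NO_SEH is set), plus the tool's experimental
 * stack-cookie heuristic. Each result is emitted through output().
 *
 * Caveats for readers of the report:
 *  - DYNAMIC_BASE only states the image *may* be rebased. An image whose
 *    relocations were stripped cannot actually be relocated by the loader;
 *    that condition is not checked here.
 *  - "SEH: yes" only means the NO_SEH bit is clear. Whether the handlers are
 *    registered in a SafeSEH table (load config directory) is not examined.
 *
 * Returns 0 on success, 1 when the optional header cannot be read or the
 * architecture is neither PE32 nor PE64; other failures go through
 * EXIT_ERROR(). The early returns leave pe/fp cleanup to process exit, as the
 * previous revision did. */
int main(int argc, char *argv[])
{
    /* IMAGE_DLLCHARACTERISTICS_* bit values from the PE/COFF specification,
     * given local names so they cannot collide with a project header that
     * already defines the official macros. The previous revision used the raw
     * numbers inline. */
    enum {
        DLLCHAR_DYNAMIC_BASE = 0x0040,
        DLLCHAR_NX_COMPAT    = 0x0100,
        DLLCHAR_NO_SEH       = 0x0400
    };

    PE_FILE pe;
    FILE *fp = NULL;
    WORD dllchar = 0;

    if (argc < 2) {
        usage();
        exit(1);
    }
    parse_options(argc, argv);

    if ((fp = fopen(argv[argc - 1], "rb")) == NULL)
        EXIT_ERROR("file not found or unreadable");
    pe_init(&pe, fp);
    if (!ispe(&pe))
        EXIT_ERROR("not a valid PE file");
    if (!pe_get_optional(&pe))
        return 1;

    if (pe.architecture == PE32)
        dllchar = pe.optional_ptr->_32->DllCharacteristics;
    else if (pe.architecture == PE64)
        dllchar = pe.optional_ptr->_64->DllCharacteristics;
    else
        return 1;

    output("ASLR",   (dllchar & DLLCHAR_DYNAMIC_BASE) ? "yes" : "no");
    output("DEP/NX", (dllchar & DLLCHAR_NX_COMPAT)    ? "yes" : "no");
    /* Inverted on purpose: the bit means "no SEH", the field reports use of SEH. */
    output("SEH",    (dllchar & DLLCHAR_NO_SEH)       ? "no"  : "yes");
    output("Stack cookies (EXPERIMENTAL)", stack_cookies(&pe) ? "yes" : "no");

    pe_deinit(&pe);
    return 0;
}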
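/* Prepare the working buffers for a partition that holds a PE image and
 * validate it. `sector` is the partition's first sector and `addr` the base
 * of the working area, which is carved into four file-scope buffers at fixed
 * offsets (fshome +0, first64k +0x10000, dirhome +0x100000, datahome
 * +0x200000).
 *
 * Returns 0 on success, -1 when the magic check fails, the negative code from
 * explainpehead() on header errors, and — new in this revision — a negative
 * readsystem() result if that call reports failure. The previous revision
 * assigned readsystem()'s result to `ret` and immediately overwrote it, so a
 * failed read was validated as if it had succeeded. */
int explainpe(QWORD sector, char *addr)
{
    int ret = 0;

    fshome   = addr;
    first64k = fshome + 0x10000;
    dirhome  = addr + 0x100000;
    datahome = addr + 0x200000;

    /* Read the partition's first 8 sectors into first64k. */
    ret = readsystem(first64k, sector, 0, 0x8);
    /* NOTE(review): assumes readsystem() signals failure with a negative
     * value, like explainpehead() below — confirm against its definition. */
    if (ret < 0)
        return ret;

    /* Magic check on the freshly read header. */
    if (ispe(first64k) == 0)
        return -1;

    /* Pull out the key fields. */
    ret = explainpehead();
    if (ret < 0)
        return ret;
    return 0;
}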