int main(int argc, char *argv[]) { PE_FILE pe; FILE *dbfile = NULL, *fp = NULL; QWORD ep_offset, pesize; char value[MAX_MSG]; unsigned char *pe_data; if (argc < 2) { usage(); exit(1); } memset(&config, 0, sizeof(config)); parse_options(argc, argv); // opcoes if ((fp = fopen(argv[argc-1], "rb")) == NULL) EXIT_ERROR("file not found or unreadable"); pe_init(&pe, fp); // inicializa o struct pe if (!is_pe(&pe)) EXIT_ERROR("invalid PE file"); if (!pe_get_optional(&pe)) EXIT_ERROR("unable to read optional header"); if (!(ep_offset = rva2ofs(&pe, pe.entrypoint))) EXIT_ERROR("unable to get entrypoint offset"); pesize = pe_get_size(&pe); pe_data = xmalloc(pesize); //if (fseek(pe.handle, ep, SEEK_SET)) //EXIT_ERROR("unable to seek to entrypoint offset"); if (!fread(pe_data, pesize, 1, pe.handle)) EXIT_ERROR("unable to read entrypoint data"); if (!loaddb(&dbfile)) fprintf(stderr, "warning: without valid database file, %s will search in generic mode only\n", PROGRAM); // packer by signature if (compare_signature(pe_data, ep_offset, dbfile, value)); // generic detection else if (generic_packer(&pe, ep_offset)) snprintf(value, MAX_MSG, "generic"); else snprintf(value, MAX_MSG, "no packer found"); free(pe_data); output("packer", value); if (dbfile) fclose(dbfile); pe_deinit(&pe); return 0; }
int main(int argc, char *argv[]) { PE_FILE pe; FILE *fp = NULL; unsigned long rva = 0; parse_options(argc, argv); // opcoes if (argc != 3) { usage(); exit(1); } if ((fp = fopen(argv[2], "rb")) == NULL) EXIT_ERROR("file not found or unreadable"); rva = (unsigned long) strtol(argv[1], NULL, 0); if (!rva) EXIT_ERROR("invalid RVA"); pe_init(&pe, fp); // inicializa o struct pe if (!is_pe(&pe)) EXIT_ERROR("not a valid PE file"); printf("%#"PRIx64"\n", rva2ofs(&pe, rva)); // libera a memoria pe_deinit(&pe); return 1; }
int main(int argc, char *argv[]) { Loader loader = NULL; printf("Hello world!\n"); if (argc < 2) { printf("Usage: %s <filename>\n", argv[0]); exit(1); } if (!is_pe(argv[1])) { printf("Error: %s is not a valid PE\n", argv[1]); exit(1); } loader = (Loader)calloc(1, sizeof(Struct_Loader)); if (loader == NULL) { printf("Error: cannot allocate memory for the loader\n"); exit(1); } init_loader(loader, x86_32_jump_far, 0x1); add_section(argv[1], loader); return 0; }
int main(int argc, char *argv[]) { PE_FILE pe; FILE *fp = NULL; WORD dllchar = 0; char field[MAX_MSG]; if (argc < 2) { usage(); exit(1); } parse_options(argc, argv); // opcoes if ((fp = fopen(argv[argc-1], "rb")) == NULL) EXIT_ERROR("file not found or unreadable"); pe_init(&pe, fp); // inicializa o struct pe if (!is_pe(&pe)) EXIT_ERROR("not a valid PE file"); if (!pe_get_optional(&pe)) return 1; if (pe.architecture == PE32) dllchar = pe.optional_ptr->_32->DllCharacteristics; else if (pe.architecture == PE64) dllchar = pe.optional_ptr->_64->DllCharacteristics; else return 1; // aslr snprintf(field, MAX_MSG, "ASLR"); output(field, (dllchar & 0x40) ? "yes" : "no"); // dep/nx snprintf(field, MAX_MSG, "DEP/NX"); output(field, (dllchar & 0x100) ? "yes" : "no"); // seh snprintf(field, MAX_MSG, "SEH"); output(field, (dllchar & 0x400) ? "no" : "yes"); // stack cookies snprintf(field, MAX_MSG, "Stack cookies (EXPERIMENTAL)"); output(field, stack_cookies(&pe) ? "yes" : "no"); // libera a memoria pe_deinit(&pe); return 0; }
int main(int argc, char *argv[]) { PE_FILE pe; FILE *fp = NULL; DWORD ep, stub_offset; int callbacks; double entropy; // unsigned int num_sections; if (argc < 2) { usage(); exit(1); } parse_options(argc, argv); // opcoes if ((fp = fopen(argv[argc-1], "rb")) == NULL) EXIT_ERROR("file not found or unreadable"); pe_init(&pe, fp); // inicializa o struct pe if (!is_pe(&pe)) EXIT_ERROR("not a valid PE file"); // File entropy entropy = calculate_entropy_file(&pe); if(entropy < 7.0) snprintf(value, MAX_MSG, "normal (%f)", entropy); else snprintf(value, MAX_MSG, "packed (%f)", entropy); output("file entropy", value); memset(&value, 0, sizeof(value)); if (!pe_get_optional(&pe)) return 1; ep = (pe.optional_ptr->_32 ? pe.optional_ptr->_32->AddressOfEntryPoint : (pe.optional_ptr->_64 ? pe.optional_ptr->_64->AddressOfEntryPoint : 0)); // fake ep if (ep == 0) snprintf(value, MAX_MSG, "null"); else if (pe_check_fake_entrypoint(&pe, &ep)) if (config.verbose) snprintf(value, MAX_MSG, "fake - va: %#x - raw: %#"PRIx64, ep, rva2ofs(&pe, ep)); else snprintf(value, MAX_MSG, "fake"); else if (config.verbose) snprintf(value, MAX_MSG, "normal - va: %#x - raw: %#"PRIx64, ep, rva2ofs(&pe, ep)); else snprintf(value, MAX_MSG, "normal"); output("entrypoint", value); // dos stub memset(&value, 0, sizeof(value)); if (!normal_dos_stub(&pe, &stub_offset)) { if (config.verbose) snprintf(value, MAX_MSG, "suspicious - raw: %#x", stub_offset); else snprintf(value, MAX_MSG, "suspicious"); } else snprintf(value, MAX_MSG, "normal"); output("DOS stub", value); // tls callbacks callbacks = pe_get_tls_callbacks(&pe); if (callbacks == 0) snprintf(value, MAX_MSG, "not found"); else if (callbacks == -1) snprintf(value, MAX_MSG, "found - no functions"); else if (callbacks >0) snprintf(value, MAX_MSG, "found - %d function(s)", callbacks); output("TLS directory", value); memset(&value, 0, sizeof(value)); // section analysis print_strange_sections(&pe); // no imagebase if (!normal_imagebase(&pe)) { if (config.verbose) snprintf(value, MAX_MSG, "suspicious - %#"PRIx64, pe.imagebase); else snprintf(value, MAX_MSG, "suspicious"); } else { if (config.verbose) snprintf(value, MAX_MSG, "normal - %#"PRIx64, pe.imagebase); else snprintf(value, MAX_MSG, "normal"); } output("imagebase", value); // invalid timestamp IMAGE_COFF_HEADER coff; if (!pe_get_coff(&pe, &coff)) EXIT_ERROR("unable to read coff header"); print_timestamp(&coff.TimeDateStamp); pe_deinit(&pe); return 0; }
int main(int argc, char *argv[]) { PE_FILE pe; FILE *fp = NULL; if (argc < 2) { usage(); exit(1); } parse_options(argc, argv); // opcoes if ((fp = fopen(argv[argc-1], "rb")) == NULL) EXIT_ERROR("file not found or unreadable"); pe_init(&pe, fp); // inicializa o struct pe if (!is_pe(&pe)) EXIT_ERROR("not a valid PE file"); // dos header if (config.dos || config.all_headers || config.all) { IMAGE_DOS_HEADER dos; if (pe_get_dos(&pe, &dos)) print_dos_header(&dos); else { EXIT_ERROR("unable to read DOS header"); } } // coff/file header if (config.coff || config.all_headers || config.all) { IMAGE_COFF_HEADER coff; if (pe_get_coff(&pe, &coff)) print_coff_header(&coff); else { EXIT_ERROR("unable to read COFF file header"); } } // optional header if (config.opt || config.all_headers || config.all) { if (pe_get_optional(&pe)) print_optional_header(&pe); else { EXIT_ERROR("unable to read Optional (Image) file header"); } } // directories if (config.dirs || config.all) { if (pe_get_directories(&pe)) print_directories(&pe); else { EXIT_ERROR("unable to read the Directories entry from Optional header"); } } // imports if (config.imports || config.all) { if (pe_get_directories(&pe)) print_imports(&pe); else { EXIT_ERROR("unable to read the Directories entry from Optional header"); } } // exports if (config.exports || config.all) { if (pe_get_directories(&pe)) print_exports(&pe); else { EXIT_ERROR("unable to read directories from optional header"); } } // sections if (config.all_sections || config.all) { if (pe_get_sections(&pe)) print_sections(&pe); else { EXIT_ERROR("unable to read sections"); } } // free pe_deinit(&pe); return 0; }