int main(int argc, char *argv[])
{
PE_FILE pe;
FILE *dbfile = NULL, *fp = NULL;
QWORD ep_offset, pesize;
char value[MAX_MSG];
unsigned char *pe_data;
if (argc < 2)
{
usage();
exit(1);
}
memset(&config, 0, sizeof(config));
parse_options(argc, argv); // opcoes
if ((fp = fopen(argv[argc-1], "rb")) == NULL)
EXIT_ERROR("file not found or unreadable");
pe_init(&pe, fp); // inicializa o struct pe
if (!ispe(&pe))
EXIT_ERROR("invalid PE file");
if (!pe_get_optional(&pe))
EXIT_ERROR("unable to read optional header");
if (!(ep_offset = rva2ofs(&pe, pe.entrypoint)))
EXIT_ERROR("unable to get entrypoint offset");
pesize = pe_get_size(&pe);
pe_data = (unsigned char *) xmalloc(pesize);
//if (fseek(pe.handle, ep, SEEK_SET))
//EXIT_ERROR("unable to seek to entrypoint offset");
if (!fread(pe_data, pesize, 1, pe.handle))
EXIT_ERROR("unable to read entrypoint data");
if (!loaddb(&dbfile))
fprintf(stderr, "warning: without valid database file, %s will search in generic mode only\n", PROGRAM);
// packer by signature
if (compare_signature(pe_data, ep_offset, dbfile, value));
// generic detection
else if (generic_packer(&pe, ep_offset))
snprintf(value, MAX_MSG, "generic");
else
snprintf(value, MAX_MSG, "no packer found");
free(pe_data);
output("packer", value);
if (dbfile)
fclose(dbfile);
pe_deinit(&pe);
return 0;
}
int main(int argc, char *argv[])
{
PE_FILE pe;
FILE *fp, *datafile, *outfile;
IMAGE_SECTION_HEADER section;
unsigned long data_size, hole_size = 0;
unsigned char *buff;
fp = datafile = outfile = NULL;
if (argc < 4)
{
usage();
exit(1);
}
parse_options(argc, argv); // opcoes
//if (!(outfile = fopen(argv[argc-1], "w")))
// EXIT_ERROR("unable to write outfile");
if (!(fp = fopen(argv[argc-2], "r+b")))
EXIT_ERROR("PE file not found or unreadable");
if (!(datafile = fopen(datafile_path, "rb")))
EXIT_ERROR("datafile not found or unreadable");
pe_init(&pe, fp);
if (!ispe(&pe))
EXIT_ERROR("not a valid PE file");
// switch method
if (!find_section(&pe, §ion, true))
EXIT_ERROR("no code sections found");
hole_size = get_hole(&pe, §ion);
if (!hole_size)
EXIT_ERROR("no holes found");
printf("hole size: %ld\n", hole_size);
printf("hole addr: %ld\n", ftell(pe.handle));
// <pev> </pev>
fseek(datafile, 0L, SEEK_END);
data_size = ftell(datafile);
if (data_size + 11> hole_size)
EXIT_ERROR("not enough space");
rewind(datafile);
buff = xmalloc(data_size);
fread(buff, sizeof(buff), 1, datafile);
//'fwrite(buff, sizeof(buff), 1, pe.handle);
free(buff);
fclose(fp); fclose(outfile); fclose(datafile);
return 0;
}
int main(int argc, char *argv[])
{
PE_FILE pe;
FILE *fp = NULL;
unsigned long rva = 0;
parse_options(argc, argv); // opcoes
if (argc != 3)
{
usage();
exit(1);
}
if ((fp = fopen(argv[2], "rb")) == NULL)
EXIT_ERROR("file not found or unreadable");
rva = (unsigned long) strtol(argv[1], NULL, 0);
if (!rva)
EXIT_ERROR("invalid RVA");
pe_init(&pe, fp); // inicializa o struct pe
if (!ispe(&pe))
EXIT_ERROR("not a valid PE file");
printf("%#"PRIx64"\n", rva2ofs(&pe, rva));
// libera a memoria
pe_deinit(&pe);
return 1;
}
int main(int argc, char *argv[])
{
FILE *fp;
PE_FILE pe;
unsigned char *data;
size_t pesize = 0;
if (argc < 2)
{
usage();
exit(1);
}
parse_options(argc, argv);
if ((fp = fopen(argv[argc-1], "rb")) == NULL)
EXIT_ERROR("file not found or unreadable");
pe_init(&pe, fp);
fseek(pe.handle, 0, SEEK_END);
pesize = ftell(pe.handle);
rewind(pe.handle);
data = (unsigned char *) xmalloc(pesize + 1);
fread(data, pesize, 1, pe.handle);
if (config.md5 || config.all)
{
char md5_sum[(MD5_DIGEST_LENGTH*2) + 1];
calc_md5(data, pesize, md5_sum);
output("md5", md5_sum);
}
if (config.sha1 || config.all)
{
char sha1_sum[((SHA_DIGEST_LENGTH*2)+1)];
calc_sha1(data, pesize, sha1_sum);
output("sha-1", sha1_sum);
}
if (config.sha256 || config.all)
{
char sha256_sum[((SHA256_DIGEST_LENGTH*2)+1)];
calc_sha256(data, pesize, sha256_sum);
output("sha-256", sha256_sum);
}
pe_deinit(&pe);
free(data);
return 0;
}
int main(int argc, char *argv[])
{
PE_FILE pe;
FILE *fp = NULL;
WORD dllchar = 0;
char field[MAX_MSG];
if (argc < 2)
{
usage();
exit(1);
}
parse_options(argc, argv); // opcoes
if ((fp = fopen(argv[argc-1], "rb")) == NULL)
EXIT_ERROR("file not found or unreadable");
pe_init(&pe, fp); // inicializa o struct pe
if (!is_pe(&pe))
EXIT_ERROR("not a valid PE file");
if (!pe_get_optional(&pe))
return 1;
if (pe.architecture == PE32)
dllchar = pe.optional_ptr->_32->DllCharacteristics;
else if (pe.architecture == PE64)
dllchar = pe.optional_ptr->_64->DllCharacteristics;
else
return 1;
// aslr
snprintf(field, MAX_MSG, "ASLR");
output(field, (dllchar & 0x40) ? "yes" : "no");
// dep/nx
snprintf(field, MAX_MSG, "DEP/NX");
output(field, (dllchar & 0x100) ? "yes" : "no");
// seh
snprintf(field, MAX_MSG, "SEH");
output(field, (dllchar & 0x400) ? "no" : "yes");
// stack cookies
snprintf(field, MAX_MSG, "Stack cookies (EXPERIMENTAL)");
output(field, stack_cookies(&pe) ? "yes" : "no");
// libera a memoria
pe_deinit(&pe);
return 0;
}
static int dw_iter_by_addr(struct ps_prochandle *P, const char *object_name, int which,
int mask, proc_sym_f *func, void *cd)
{
int fd = 0, ret = -1, i, index = 0;
Pe_object *pe;
proc_mod_t *mod = findmodulebyname(P, object_name);
fd = _open(mod->fullname, _O_RDONLY|_O_BINARY, 0);
if (fd == -1 )
return -1;
if ((pe = pe_init(fd)) != NULL) {
IMAGE_SYMBOL *Sym = pe_getsymarr(pe, &index);
char name[MAX_SYM_NAME];
if (Sym == NULL)
goto end;
ret = 0;
for (i = 0; i < index; i++) {
GElf_Sym symp;
char *n = NULL;
if (ISFCN(Sym[i].Type) == 0)
continue;
symp.st_name = 0;
symp.st_other = 0;
symp.st_info = GELF_ST_INFO((STB_GLOBAL), (STT_FUNC));
symp.st_shndx = 1;
symp.st_value = Sym[i].Value+mod->imgbase+pe_getsecva(pe, Sym[i].SectionNumber);
/* If size is zero libdtrace will reject the probe.Allow creation of entry probe */
symp.st_size = 1;
if (pe_getsymname(pe, &Sym[i], name, MAX_SYM_NAME) == NULL)
continue;
if (pe_getarch(pe) == PE_ARCH_I386)
func(cd, &symp, &name[1]);
else
func(cd, &symp, name);
}
}
end:
if (pe != NULL)
pe_end(pe);
if (fd != -1)
close(fd);
return ret;
}
static int is64bitmodule(PVOID base, char *s)
{
int fd = _open(s, _O_RDONLY|_O_BINARY, 0);
Pe_object *pe;
if (fd != -1 && (pe = pe_init(fd)) != NULL) {
int type = pe_getarch(pe);
pe_end(pe);
close(fd);
if ( type == PE_ARCH_AMD64)
return 1;
else
return 0;
}
}
static int dw_lookup_by_name(struct ps_prochandle *P, const char *oname, const char *sname, GElf_Sym *symp)
{
IMAGE_SYMBOL Sym;
int ret = -1, fd;
Pe_object *pe;
proc_mod_t *mod;
mod = findmodulebyname(P, oname);
if (mod == NULL)
return -1;
fd = _open(mod->fullname, _O_RDONLY|_O_BINARY, 0);
if (fd != -1 && (pe = pe_init(fd)) != NULL) {
char s[MAX_SYM_NAME];
if (pe_getarch(pe) == PE_ARCH_I386) {
s[0] = '_';
strcpy(&s[1], sname);
} else {
strcpy(s, sname);
}
if (pe_getsymbyname(pe, s, &Sym) != NULL) {
symp->st_name = 0;
symp->st_other = 0;
if (ISFCN(Sym.Type)) {
symp->st_info = GELF_ST_INFO((STB_GLOBAL), (STT_FUNC));
symp->st_shndx = 1;
} else {
symp->st_info = GELF_ST_INFO((STB_GLOBAL), (STT_NOTYPE));
symp->st_shndx = SHN_UNDEF;
}
symp->st_value = Sym.Value + mod->imgbase + pe_getsecva(pe, Sym.SectionNumber);
/* If size is zero libdtrace will reject the function. Allow creation of entry probe */
symp->st_size = 1;
ret = 0;
}
}
if (pe != NULL)
pe_end(pe);
if (fd != -1)
close(fd);
return ret;
}
void init_thread(void* param1, void* param2)
{
ahci_init();
//ahci_test();
fat_init();
pe_init();
//LoadSysModule("sys/test.sys");
//for(int i=0; i <16; i++)
process_create("sys/init.exe");
while(1)
{
mdelay(2000);
printk("1");
}
}
static int dw_lookup_by_addr(struct ps_prochandle *P, uintptr_t addr, char *buf, size_t size, GElf_Sym *symp)
{
proc_mod_t *mod = NULL;
int fd, ret = -1, index, i;
Pe_object *pe;
mod = findmodulebyaddr(P, addr);
if (mod == NULL)
return -1;
fd = _open(mod->fullname, _O_RDONLY|_O_BINARY, 0);
if (fd == -1 )
return -1;
if ((pe = pe_init(fd)) != NULL) {
IMAGE_SYMBOL *Sym = pe_getsymarr(pe, &index);
char name[MAX_SYM_NAME];
int secno, addr1, mark = -1, prev = 0, va;
if (Sym == NULL)
goto end;
if ((secno = pe_getsecnofromaddr(pe, addr - mod->imgbase))== 0)
goto end;
va = pe_getsecva(pe, secno);
addr1 = addr - (mod->imgbase + va);
if (addr1 <= 0)
goto end;
for (i = 0; i < index; i++) {
if (ISFCN(Sym[i].Type) == 0 || Sym[i].SectionNumber != secno)
continue;
if (addr1 == Sym[i].Value) {
mark = i;
break;
} else if (addr1 > Sym[i].Value) {
if (prev < Sym[i].Value) {
prev = Sym[i].Value;
mark = i;
}
}
}
if (mark >= 0) {
symp->st_name = 0;
symp->st_other = 0;
symp->st_info = GELF_ST_INFO((STB_GLOBAL), (STT_FUNC));
symp->st_shndx = 1;
symp->st_value = Sym[mark].Value + mod->imgbase
+ pe_getsecva(pe, Sym[mark].SectionNumber);
/* If size is zero libdtrace will reject the function. Allow creation of entry probe */
symp->st_size = 1;
if (pe_getsymname(pe, &Sym[mark], name, MAX_SYM_NAME) == NULL)
goto end;
if (pe_getarch(pe) == PE_ARCH_I386) {
strncpy(buf, &name[1], size);
} else {
strncpy(buf, name, size);
}
ret = 0;
}
}
end:
if (pe != NULL)
pe_end(pe);
if (fd != -1)
close(fd);
return ret;
}
int main(int argc, char *argv[])
{
PE_FILE pe;
FILE *fp = NULL;
DWORD ep, stub_offset;
int callbacks;
double entropy;
// unsigned int num_sections;
if (argc < 2)
{
usage();
exit(1);
}
parse_options(argc, argv); // opcoes
if ((fp = fopen(argv[argc-1], "rb")) == NULL)
EXIT_ERROR("file not found or unreadable");
pe_init(&pe, fp); // inicializa o struct pe
if (!is_pe(&pe))
EXIT_ERROR("not a valid PE file");
// File entropy
entropy = calculate_entropy_file(&pe);
if(entropy < 7.0)
snprintf(value, MAX_MSG, "normal (%f)", entropy);
else
snprintf(value, MAX_MSG, "packed (%f)", entropy);
output("file entropy", value);
memset(&value, 0, sizeof(value));
if (!pe_get_optional(&pe))
return 1;
ep = (pe.optional_ptr->_32 ? pe.optional_ptr->_32->AddressOfEntryPoint :
(pe.optional_ptr->_64 ? pe.optional_ptr->_64->AddressOfEntryPoint : 0));
// fake ep
if (ep == 0)
snprintf(value, MAX_MSG, "null");
else if (pe_check_fake_entrypoint(&pe, &ep))
if (config.verbose)
snprintf(value, MAX_MSG, "fake - va: %#x - raw: %#"PRIx64, ep, rva2ofs(&pe, ep));
else
snprintf(value, MAX_MSG, "fake");
else
if (config.verbose)
snprintf(value, MAX_MSG, "normal - va: %#x - raw: %#"PRIx64, ep, rva2ofs(&pe, ep));
else
snprintf(value, MAX_MSG, "normal");
output("entrypoint", value);
// dos stub
memset(&value, 0, sizeof(value));
if (!normal_dos_stub(&pe, &stub_offset))
{
if (config.verbose)
snprintf(value, MAX_MSG, "suspicious - raw: %#x", stub_offset);
else
snprintf(value, MAX_MSG, "suspicious");
}
else
snprintf(value, MAX_MSG, "normal");
output("DOS stub", value);
// tls callbacks
callbacks = pe_get_tls_callbacks(&pe);
if (callbacks == 0)
snprintf(value, MAX_MSG, "not found");
else if (callbacks == -1)
snprintf(value, MAX_MSG, "found - no functions");
else if (callbacks >0)
snprintf(value, MAX_MSG, "found - %d function(s)", callbacks);
output("TLS directory", value);
memset(&value, 0, sizeof(value));
// section analysis
print_strange_sections(&pe);
// no imagebase
if (!normal_imagebase(&pe))
{
if (config.verbose)
snprintf(value, MAX_MSG, "suspicious - %#"PRIx64, pe.imagebase);
else
snprintf(value, MAX_MSG, "suspicious");
}
else
{
if (config.verbose)
snprintf(value, MAX_MSG, "normal - %#"PRIx64, pe.imagebase);
else
snprintf(value, MAX_MSG, "normal");
}
output("imagebase", value);
// invalid timestamp
IMAGE_COFF_HEADER coff;
if (!pe_get_coff(&pe, &coff))
EXIT_ERROR("unable to read coff header");
print_timestamp(&coff.TimeDateStamp);
pe_deinit(&pe);
return 0;
}
/* Convert ELF object to Portable Executable (PE). */
void
create_pe(struct elfcopy *ecp, int ifd, int ofd)
{
Elf *e;
Elf_Scn *scn;
Elf_Data *d;
GElf_Ehdr eh;
GElf_Shdr sh;
PE *pe;
PE_Scn *ps;
PE_SecHdr psh;
PE_CoffHdr pch;
PE_OptHdr poh;
PE_Object po;
PE_Buffer *pb;
const char *name;
size_t indx;
int elferr;
if (ecp->otf == ETF_EFI || ecp->oem == EM_X86_64)
po = PE_O_PE32P;
else
po = PE_O_PE32;
if ((e = elf_begin(ifd, ELF_C_READ, NULL)) == NULL)
errx(EXIT_FAILURE, "elf_begin() failed: %s",
elf_errmsg(-1));
if (gelf_getehdr(e, &eh) == NULL)
errx(EXIT_FAILURE, "gelf_getehdr() failed: %s",
elf_errmsg(-1));
if (elf_getshstrndx(ecp->ein, &indx) == 0)
errx(EXIT_FAILURE, "elf_getshstrndx() failed: %s",
elf_errmsg(-1));
if ((pe = pe_init(ofd, PE_C_WRITE, po)) == NULL)
err(EXIT_FAILURE, "pe_init() failed");
/* Setup PE COFF header. */
memset(&pch, 0, sizeof(pch));
switch (ecp->oem) {
case EM_386:
pch.ch_machine = IMAGE_FILE_MACHINE_I386;
break;
case EM_X86_64:
pch.ch_machine = IMAGE_FILE_MACHINE_AMD64;
break;
default:
pch.ch_machine = IMAGE_FILE_MACHINE_UNKNOWN;
break;
}
pch.ch_timestamp = (uint32_t) time(NULL);
if (pe_update_coff_header(pe, &pch) < 0)
err(EXIT_FAILURE, "pe_update_coff_header() failed");
/* Setup PE optional header. */
memset(&poh, 0, sizeof(poh));
if (ecp->otf == ETF_EFI)
poh.oh_subsystem = IMAGE_SUBSYSTEM_EFI_APPLICATION;
poh.oh_entry = (uint32_t) eh.e_entry;
/*
* Default section alignment and file alignment. (Here the
* section alignment is set to the default page size of the
* archs supported. We should use different section alignment
* for some arch. (e.g. IA64)
*/
poh.oh_secalign = 0x1000;
poh.oh_filealign = 0x200;
/* Copy sections. */
scn = NULL;
while ((scn = elf_nextscn(e, scn)) != NULL) {
/*
* Read in ELF section.
*/
if (gelf_getshdr(scn, &sh) == NULL) {
warnx("gelf_getshdr() failed: %s", elf_errmsg(-1));
(void) elf_errno();
continue;
}
if ((name = elf_strptr(ecp->ein, indx, sh.sh_name)) ==
NULL) {
warnx("elf_strptr() failed: %s", elf_errmsg(-1));
(void) elf_errno();
continue;
}
/* Skip sections unneeded. */
if (strcmp(name, ".shstrtab") == 0 ||
strcmp(name, ".symtab") == 0 ||
strcmp(name, ".strtab") == 0)
continue;
if ((d = elf_getdata(scn, NULL)) == NULL) {
warnx("elf_getdata() failed: %s", elf_errmsg(-1));
(void) elf_errno();
continue;
}
if (strcmp(name, ".text") == 0) {
poh.oh_textbase = (uint32_t) sh.sh_addr;
poh.oh_textsize = (uint32_t) roundup(sh.sh_size,
poh.oh_filealign);
} else {
if (po == PE_O_PE32 && strcmp(name, ".data") == 0)
poh.oh_database = sh.sh_addr;
if (sh.sh_type == SHT_NOBITS)
poh.oh_bsssize += (uint32_t)
roundup(sh.sh_size, poh.oh_filealign);
else if (sh.sh_flags & SHF_ALLOC)
poh.oh_datasize += (uint32_t)
roundup(sh.sh_size, poh.oh_filealign);
}
/*
* Create PE/COFF section.
*/
if ((ps = pe_newscn(pe)) == NULL) {
warn("pe_newscn() failed");
continue;
}
/*
* Setup PE/COFF section header. The section name is not
* NUL-terminated if its length happens to be 8. Long
* section name should be truncated for PE image according
* to the PE/COFF specification.
*/
memset(&psh, 0, sizeof(psh));
strncpy(psh.sh_name, name, sizeof(psh.sh_name));
psh.sh_addr = sh.sh_addr;
psh.sh_virtsize = sh.sh_size;
if (sh.sh_type != SHT_NOBITS)
psh.sh_rawsize = roundup(sh.sh_size, poh.oh_filealign);
else
psh.sh_char |= IMAGE_SCN_CNT_UNINITIALIZED_DATA;
/*
* Translate ELF section flags to PE/COFF section flags.
*/
psh.sh_char |= IMAGE_SCN_MEM_READ;
if (sh.sh_flags & SHF_WRITE)
psh.sh_char |= IMAGE_SCN_MEM_WRITE;
if (sh.sh_flags & SHF_EXECINSTR)
psh.sh_char |= IMAGE_SCN_MEM_EXECUTE |
IMAGE_SCN_CNT_CODE;
if ((sh.sh_flags & SHF_ALLOC) && (psh.sh_char & 0xF0) == 0)
psh.sh_char |= IMAGE_SCN_CNT_INITIALIZED_DATA;
/* Mark relocation section "discardable". */
if (strcmp(name, ".reloc") == 0)
psh.sh_char |= IMAGE_SCN_MEM_DISCARDABLE;
if (pe_update_section_header(ps, &psh) < 0) {
warn("pe_update_section_header() failed");
continue;
}
/* Copy section content. */
if ((pb = pe_newbuffer(ps)) == NULL) {
warn("pe_newbuffer() failed");
continue;
}
pb->pb_align = 1;
pb->pb_off = 0;
pb->pb_size = roundup(sh.sh_size, poh.oh_filealign);
if ((pb->pb_buf = calloc(1, pb->pb_size)) == NULL) {
warn("calloc failed");
continue;
}
memcpy(pb->pb_buf, d->d_buf, sh.sh_size);
}
elferr = elf_errno();
if (elferr != 0)
warnx("elf_nextscn() failed: %s", elf_errmsg(elferr));
/* Update PE optional header. */
if (pe_update_opt_header(pe, &poh) < 0)
err(EXIT_FAILURE, "pe_update_opt_header() failed");
/* Write out PE/COFF object. */
if (pe_update(pe) < 0)
err(EXIT_FAILURE, "pe_update() failed");
pe_finish(pe);
elf_end(e);
}
int main(int argc, char *argv[])
{
PE_FILE pe;
FILE *fp = NULL;
if (argc < 2)
{
usage();
exit(1);
}
parse_options(argc, argv); // opcoes
if ((fp = fopen(argv[argc-1], "rb")) == NULL)
EXIT_ERROR("file not found or unreadable");
pe_init(&pe, fp); // inicializa o struct pe
if (!is_pe(&pe))
EXIT_ERROR("not a valid PE file");
// dos header
if (config.dos || config.all_headers || config.all)
{
IMAGE_DOS_HEADER dos;
if (pe_get_dos(&pe, &dos))
print_dos_header(&dos);
else { EXIT_ERROR("unable to read DOS header"); }
}
// coff/file header
if (config.coff || config.all_headers || config.all)
{
IMAGE_COFF_HEADER coff;
if (pe_get_coff(&pe, &coff))
print_coff_header(&coff);
else { EXIT_ERROR("unable to read COFF file header"); }
}
// optional header
if (config.opt || config.all_headers || config.all)
{
if (pe_get_optional(&pe))
print_optional_header(&pe);
else { EXIT_ERROR("unable to read Optional (Image) file header"); }
}
// directories
if (config.dirs || config.all)
{
if (pe_get_directories(&pe))
print_directories(&pe);
else { EXIT_ERROR("unable to read the Directories entry from Optional header"); }
}
// imports
if (config.imports || config.all)
{
if (pe_get_directories(&pe))
print_imports(&pe);
else { EXIT_ERROR("unable to read the Directories entry from Optional header"); }
}
// exports
if (config.exports || config.all)
{
if (pe_get_directories(&pe))
print_exports(&pe);
else
{ EXIT_ERROR("unable to read directories from optional header"); }
}
// sections
if (config.all_sections || config.all)
{
if (pe_get_sections(&pe))
print_sections(&pe);
else { EXIT_ERROR("unable to read sections"); }
}
// free
pe_deinit(&pe);
return 0;
}
