def calc_impfuzzy(self):
impstrs = []
exts = ["ocx", "sys", "dll"]
if not hasattr(self, "DIRECTORY_ENTRY_IMPORT"):
return ""
for entry in self.DIRECTORY_ENTRY_IMPORT:
libname = entry.dll.lower()
parts = libname.rsplit(".", 1)
if len(parts) > 1 and parts[1] in exts:
libname = parts[0]
for imp in entry.imports:
funcname = None
if not imp.name:
funcname = ordlookup.ordLookup(entry.dll.lower(),
imp.ordinal,
make_name=True)
if not funcname:
raise Exception("Unable to look up ordinal %s:%04x" %
(entry.dll, imp.ordinal))
else:
funcname = imp.name
if not funcname:
continue
impstrs.append("%s.%s" % (libname.lower(), funcname.lower()))
apilist = ",".join(impstrs)
return apilist, len(apilist)
def set_exports_info(self):
if hasattr(self.pe, 'DIRECTORY_ENTRY_EXPORT'):
self.info['PE']['exports'] = dict()
libname = self.pe.DIRECTORY_ENTRY_EXPORT.name
if isinstance(libname, bytes):
libname = libname.decode().lower()
else:
libname = libname.dll.lower()
self.info['PE']['exports']['Name'] = libname
self.info['PE']['exports']['Functions'] = []
for exp in self.pe.DIRECTORY_ENTRY_EXPORT.symbols:
if not exp.name:
funcname = ordlookup.ordLookup(libname,
exp.ordinal,
make_name=True)
if not funcname:
raise Exception("Unable to look up ordinal %s:%04x" %
(libname, exp.ordinal))
else:
funcname = exp.name
if not funcname:
continue
if not funcname:
continue
if isinstance(funcname, bytes):
funcname = funcname.decode()
self.info['PE']['exports']['Functions'].append({
'Name':
funcname,
'Address':
exp.address,
'Ordinal':
exp.ordinal
})
def get_imports_info(pe):
if not hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
return []
imports = []
for entry in pe.DIRECTORY_ENTRY_IMPORT:
import_info = {}
libname = entry.dll.decode().lower() if isinstance(
entry.dll, bytes) else entry.dll.lower()
import_info['Library'], import_info['Functions'] = libname, []
for imp in entry.imports:
funcname = ordlookup.ordLookup(
entry.dll.lower(), imp.ordinal,
make_name=True) if not imp.name else imp.name
if not funcname:
continue
if isinstance(funcname, bytes):
funcname = funcname.decode()
import_info['Functions'].append({
'Address':
imp.address,
'Name':
funcname,
'Ordinal':
imp.ordinal if imp.ordinal else ''
})
imports.append(import_info)
return imports
def calc_impfuzzy(self):
impstrs = []
exts = ["ocx", "sys", "dll"]
if not hasattr(self, "DIRECTORY_ENTRY_IMPORT"):
return ""
for entry in self.DIRECTORY_ENTRY_IMPORT:
libname = entry.dll.lower()
parts = libname.rsplit(".", 1)
if len(parts) > 1 and parts[1] in exts:
libname = parts[0]
for imp in entry.imports:
funcname = None
if not imp.name:
funcname = ordlookup.ordLookup(
entry.dll.lower(), imp.ordinal, make_name=True)
if not funcname:
raise Exception("Unable to look up ordinal %s:%04x" % (
entry.dll, imp.ordinal))
else:
funcname = imp.name
if not funcname:
continue
impstrs.append("%s.%s" % (libname.lower(), funcname.lower()))
apilist = ",".join(impstrs)
return apilist, len(apilist)
def calc_impfuzzy(self, sort=False, return_list=False):
impstrs = []
exts = ["ocx", "sys", "dll"]
if not hasattr(self, "DIRECTORY_ENTRY_IMPORT"):
return ""
for entry in self.DIRECTORY_ENTRY_IMPORT:
no_iat_flag = False
if isinstance(entry.dll, bytes):
libname = entry.dll.decode().lower()
else:
libname = entry.dll.lower()
parts = libname.rsplit(".", 1)
if len(parts) > 1 and parts[1] in exts:
libname = parts[0]
if not entry.imports[0].struct_iat:
no_iat_flag = True
for imp in entry.imports:
funcname = None
if imp.struct_iat or no_iat_flag:
if not imp.name:
funcname = ordlookup.ordLookup(
entry.dll.lower(), imp.ordinal, make_name=True)
if not funcname:
raise Exception("Unable to look up ordinal %s:%04x" % (
entry.dll, imp.ordinal))
else:
funcname = imp.name
if not funcname:
continue
if isinstance(funcname, bytes):
funcname = funcname.decode()
impstrs.append("%s.%s" % (libname.lower(), funcname.lower()))
if sort:
impstrs.sort()
if return_list:
return impstrs
else:
apilist = ",".join(impstrs)
return apilist
def parseImports(self):
self.imports = []
idir = self.IMAGE_NT_HEADERS.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]
poff = self.rvaToOffset(idir.VirtualAddress)
if poff == 0:
return
x = vstruct.getStructure("pe.IMAGE_IMPORT_DIRECTORY")
isize = len(x)
x.vsParse(self.readAtOffset(poff, isize))
while x.Name != 0:
liboff = self.rvaToOffset(x.Name)
libname = self.readAtOffset(liboff, 256).split("\x00")[0]
idx = 0
noff = self.rvaToOffset(x.OriginalFirstThunk)
aoff = self.rvaToOffset(x.FirstThunk)
while True:
ava = self.readPointerAtOffset(aoff + (self.psize * idx))
if ava == 0:
break
nva = self.readPointerAtOffset(noff + (self.psize * idx))
# FIXME high bit testing for 64 bit
if nva & 0x80000000:
name = ordlookup.ordLookup(libname, nva & 0x7FFFFFFF)
else:
nameoff = self.rvaToOffset(nva) + 2 # Skip the short "hint"
name = self.readAtOffset(nameoff, 256).split("\x00")[0]
self.imports.append((x.FirstThunk + (idx * self.psize), libname, name))
idx += 1
poff += isize
x.vsParse(self.readAtOffset(poff, len(x)))
def parseImports(self):
self.imports = []
idir = self.IMAGE_NT_HEADERS.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]
poff = self.rvaToOffset(idir.VirtualAddress)
if poff == 0:
return
x = vstruct.getStructure("pe.IMAGE_IMPORT_DIRECTORY")
isize = len(x)
x.vsParse(self.readAtOffset(poff, isize))
while x.Name != 0:
liboff = self.rvaToOffset(x.Name)
libname = self.readAtOffset(liboff, 256).split("\x00")[0]
idx = 0
noff = self.rvaToOffset(x.OriginalFirstThunk)
aoff = self.rvaToOffset(x.FirstThunk)
while True:
ava = self.readPointerAtOffset(aoff+(self.psize*idx))
if ava == 0:
break
nva = self.readPointerAtOffset(noff+(self.psize*idx))
#FIXME high bit testing for 64 bit
if nva & 0x80000000:
name = ordlookup.ordLookup(libname, nva & 0x7fffffff)
else:
nameoff = self.rvaToOffset(nva) + 2 # Skip the short "hint"
name = self.readAtOffset(nameoff, 256).split("\x00")[0]
self.imports.append((x.FirstThunk+(idx*self.psize),libname,name))
idx += 1
poff += isize
x.vsParse(self.readAtOffset(poff, len(x)))
def set_imports_info(self):
if hasattr(self.pe, 'DIRECTORY_ENTRY_IMPORT'):
self.info['PE']['import'] = []
for entry in self.pe.DIRECTORY_ENTRY_IMPORT:
import_info = dict()
if isinstance(entry.dll, bytes):
libname = entry.dll.decode().lower()
else:
libname = entry.dll.lower()
import_info['Library'] = libname
import_info['Functions'] = []
for imp in entry.imports:
if not imp.name:
funcname = ordlookup.ordLookup(entry.dll.lower(),
imp.ordinal,
make_name=True)
if not funcname:
raise Exception(
"Unable to look up ordinal %s:%04x" %
(entry.dll, imp.ordinal))
else:
funcname = imp.name
if not funcname:
continue
if isinstance(funcname, bytes):
funcname = funcname.decode()
if imp.import_by_ordinal:
import_info['Functions'].append({
'Address': imp.address,
'Name': funcname,
'Ordinal': imp.ordinal
})
else:
import_info['Functions'].append({
'Address': imp.address,
'Name': funcname
})
self.info['PE']['import'].append(import_info)
def populate(self):
self.getSize()
self.pe = pefile.PE(self.filename, fast_load=True)
impTable = self.pe.get_imphash()
for section in self.pe.sections:
#print section.Name,
#print section.VirtualAddress,
#print section.SizeOfRawData,
#print section.Misc_VirtualSize,
#print section.get_hash_md5()
self.sectionHashes["%s@%s" %(section.Name, section.VirtualAddress)] = section.get_hash_md5()
impstrs = []
if self.pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT']].VirtualAddress != 0:
self.pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT']])
for entry in self.pe.DIRECTORY_ENTRY_IMPORT:
for imp in entry.imports:
libname = entry.dll.lower()
parts = libname.rsplit('.', 1)
for imp in entry.imports:
funcname = None
if not imp.name:
funcname = ordlookup.ordLookup(entry.dll.lower(), imp.ordinal, make_name=True)
if not funcname:
raise Exception("Unable to look up ordinal %s:%04x" % (entry.dll, imp.ordinal))
else:
funcname = imp.name
if not funcname:
continue
impstrs.append('%s.%s' % (libname.lower(),funcname.lower()))
self.impHash = self.pe.get_imphash()
if self.impHash == None:
self.impHash = ""
def parseImports(self):
self.imports = []
idir = self.getDataDirectory(IMAGE_DIRECTORY_ENTRY_IMPORT)
# RP BUG FIX - invalid IAT entry will point of range of file
irva = idir.VirtualAddress
x = self.readStructAtRva(irva, 'pe.IMAGE_IMPORT_DIRECTORY', check=True)
if x == None:
return
isize = len(x)
while self.checkRva(x.Name):
# RP BUG FIX - we can't assume that we have 256 bytes to read
libname = self.readStringAtRva(x.Name, maxsize=256)
idx = 0
imp_by_name = x.OriginalFirstThunk
if imp_by_name == 0:
imp_by_name = x.FirstThunk
if not self.checkRva(imp_by_name):
break
while True:
arrayoff = self.psize * idx
if self.filesize != None and arrayoff > self.filesize:
self.imports = [] # we probably put grabage in here..
return
ibn_rva = self.readPointerAtRva(imp_by_name+arrayoff)
if ibn_rva == 0:
break
if ibn_rva & self.high_bit_mask:
funcname = ordlookup.ordLookup(libname, ibn_rva & 0x7fffffff)
else:
# RP BUG FIX - we can't use this API on this call because we can have binaries that put their import table
# right at the end of the file, statically saying the imported function name is 128 will cause use to potentially
# over run our read and traceback...
diff = self.getMaxRva() - ibn_rva - 2
ibn = vstruct.getStructure("pe.IMAGE_IMPORT_BY_NAME")
ibn.vsGetField('Name').vsSetLength( min(diff, 128) )
bytes = self.readAtRva(ibn_rva, len(ibn), shortok=True)
if not bytes:
break
try:
ibn.vsParse(bytes)
except:
idx+=1
continue
funcname = ibn.Name
self.imports.append((x.FirstThunk+arrayoff,libname,funcname))
idx += 1
irva += isize
# RP BUG FIX - if the import table is at the end of the file we can't count on the ending to be null
if not self.checkRva(irva, size=isize):
break
x.vsParse(self.readAtRva(irva, isize))
def ProcessFile(filename):
pe_report = {}
pe = pefile.PE(filename)
print pe.DOS_HEADER
#pprint(pe.DOS_HEADER.__dict__)
print pe.NT_HEADERS
#pprint(pe.NT_HEADERS.__dict__)
print pe.FILE_HEADER
#pprint(pe.FILE_HEADER.__dict__)
print pe.OPTIONAL_HEADER
#pprint(pe.OPTIONAL_HEADER.__dict__)
pprint(pe.OPTIONAL_HEADER.DATA_DIRECTORY)
print '\nSections\n'
for section in pe.sections:
print section
#pprint(section.__dict__)
#for entry in pe.DIRECTORY_ENTRY_IMPORT:
# print entry.struct
# for imp in entry.imports:
# print '\nImport Data:'
# for key, val in imp.__dict__.items():
# if type(val) == int:
# print "%-20s\t\t0x%x" % (key, val)
# if type(val) in (str, unicode, type(None)):
# print "%-20s\t\t%s" % (key, val)
print '\nDIRECTORY_ENTRY_IMPORT\n'
if hasattr(pe,'DIRECTORY_ENTRY_IMPORT'):
for entry in pe.DIRECTORY_ENTRY_IMPORT:
for imp in entry.imports:
funcname = None
if not imp.name:
funcname = ordlookup.ordLookup(entry.dll, imp.ordinal, make_name=True)
if not funcname:
funcname = str(imp.ordinal)
else:
funcname = imp.name
if not funcname:
continue
print funcname
print '\nDIRECTORY_ENTRY_EXPORT\n'
print pe.DIRECTORY_ENTRY_EXPORT.struct
if hasattr(pe,'DIRECTORY_ENTRY_EXPORT'):
for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
print exp.name
return
print '\nDIRECTORY_ENTRY_RESOURCE\n'
if hasattr(pe, 'DIRECTORY_ENTRY_RESOURCE'):
for resource_type in pe.DIRECTORY_ENTRY_RESOURCE.entries:
if resource_type.id != None:
print 'id: %s' % str(resource_type.id)
if (hasattr(resource_type, 'directory')):
for resource_id in resource_type.directory.entries:
if hasattr(resource_id, 'directory'):
for resources in resource_id.directory.entries:
# Get all languages
print str(resources.id)
data = pe.get_data(resources.data.struct.OffsetToData, resources.data.struct.Size)
print " ".join("{:02x}".format(ord(c)) for c in data[:5])
