def calc_impfuzzy(self): impstrs = [] exts = ["ocx", "sys", "dll"] if not hasattr(self, "DIRECTORY_ENTRY_IMPORT"): return "" for entry in self.DIRECTORY_ENTRY_IMPORT: libname = entry.dll.lower() parts = libname.rsplit(".", 1) if len(parts) > 1 and parts[1] in exts: libname = parts[0] for imp in entry.imports: funcname = None if not imp.name: funcname = ordlookup.ordLookup(entry.dll.lower(), imp.ordinal, make_name=True) if not funcname: raise Exception("Unable to look up ordinal %s:%04x" % (entry.dll, imp.ordinal)) else: funcname = imp.name if not funcname: continue impstrs.append("%s.%s" % (libname.lower(), funcname.lower())) apilist = ",".join(impstrs) return apilist, len(apilist)
def set_exports_info(self): if hasattr(self.pe, 'DIRECTORY_ENTRY_EXPORT'): self.info['PE']['exports'] = dict() libname = self.pe.DIRECTORY_ENTRY_EXPORT.name if isinstance(libname, bytes): libname = libname.decode().lower() else: libname = libname.dll.lower() self.info['PE']['exports']['Name'] = libname self.info['PE']['exports']['Functions'] = [] for exp in self.pe.DIRECTORY_ENTRY_EXPORT.symbols: if not exp.name: funcname = ordlookup.ordLookup(libname, exp.ordinal, make_name=True) if not funcname: raise Exception("Unable to look up ordinal %s:%04x" % (libname, exp.ordinal)) else: funcname = exp.name if not funcname: continue if not funcname: continue if isinstance(funcname, bytes): funcname = funcname.decode() self.info['PE']['exports']['Functions'].append({ 'Name': funcname, 'Address': exp.address, 'Ordinal': exp.ordinal })
def get_imports_info(pe): if not hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'): return [] imports = [] for entry in pe.DIRECTORY_ENTRY_IMPORT: import_info = {} libname = entry.dll.decode().lower() if isinstance( entry.dll, bytes) else entry.dll.lower() import_info['Library'], import_info['Functions'] = libname, [] for imp in entry.imports: funcname = ordlookup.ordLookup( entry.dll.lower(), imp.ordinal, make_name=True) if not imp.name else imp.name if not funcname: continue if isinstance(funcname, bytes): funcname = funcname.decode() import_info['Functions'].append({ 'Address': imp.address, 'Name': funcname, 'Ordinal': imp.ordinal if imp.ordinal else '' }) imports.append(import_info) return imports
def calc_impfuzzy(self): impstrs = [] exts = ["ocx", "sys", "dll"] if not hasattr(self, "DIRECTORY_ENTRY_IMPORT"): return "" for entry in self.DIRECTORY_ENTRY_IMPORT: libname = entry.dll.lower() parts = libname.rsplit(".", 1) if len(parts) > 1 and parts[1] in exts: libname = parts[0] for imp in entry.imports: funcname = None if not imp.name: funcname = ordlookup.ordLookup( entry.dll.lower(), imp.ordinal, make_name=True) if not funcname: raise Exception("Unable to look up ordinal %s:%04x" % ( entry.dll, imp.ordinal)) else: funcname = imp.name if not funcname: continue impstrs.append("%s.%s" % (libname.lower(), funcname.lower())) apilist = ",".join(impstrs) return apilist, len(apilist)
def calc_impfuzzy(self, sort=False, return_list=False): impstrs = [] exts = ["ocx", "sys", "dll"] if not hasattr(self, "DIRECTORY_ENTRY_IMPORT"): return "" for entry in self.DIRECTORY_ENTRY_IMPORT: no_iat_flag = False if isinstance(entry.dll, bytes): libname = entry.dll.decode().lower() else: libname = entry.dll.lower() parts = libname.rsplit(".", 1) if len(parts) > 1 and parts[1] in exts: libname = parts[0] if not entry.imports[0].struct_iat: no_iat_flag = True for imp in entry.imports: funcname = None if imp.struct_iat or no_iat_flag: if not imp.name: funcname = ordlookup.ordLookup( entry.dll.lower(), imp.ordinal, make_name=True) if not funcname: raise Exception("Unable to look up ordinal %s:%04x" % ( entry.dll, imp.ordinal)) else: funcname = imp.name if not funcname: continue if isinstance(funcname, bytes): funcname = funcname.decode() impstrs.append("%s.%s" % (libname.lower(), funcname.lower())) if sort: impstrs.sort() if return_list: return impstrs else: apilist = ",".join(impstrs) return apilist
def parseImports(self): self.imports = [] idir = self.IMAGE_NT_HEADERS.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT] poff = self.rvaToOffset(idir.VirtualAddress) if poff == 0: return x = vstruct.getStructure("pe.IMAGE_IMPORT_DIRECTORY") isize = len(x) x.vsParse(self.readAtOffset(poff, isize)) while x.Name != 0: liboff = self.rvaToOffset(x.Name) libname = self.readAtOffset(liboff, 256).split("\x00")[0] idx = 0 noff = self.rvaToOffset(x.OriginalFirstThunk) aoff = self.rvaToOffset(x.FirstThunk) while True: ava = self.readPointerAtOffset(aoff + (self.psize * idx)) if ava == 0: break nva = self.readPointerAtOffset(noff + (self.psize * idx)) # FIXME high bit testing for 64 bit if nva & 0x80000000: name = ordlookup.ordLookup(libname, nva & 0x7FFFFFFF) else: nameoff = self.rvaToOffset(nva) + 2 # Skip the short "hint" name = self.readAtOffset(nameoff, 256).split("\x00")[0] self.imports.append((x.FirstThunk + (idx * self.psize), libname, name)) idx += 1 poff += isize x.vsParse(self.readAtOffset(poff, len(x)))
def parseImports(self): self.imports = [] idir = self.IMAGE_NT_HEADERS.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT] poff = self.rvaToOffset(idir.VirtualAddress) if poff == 0: return x = vstruct.getStructure("pe.IMAGE_IMPORT_DIRECTORY") isize = len(x) x.vsParse(self.readAtOffset(poff, isize)) while x.Name != 0: liboff = self.rvaToOffset(x.Name) libname = self.readAtOffset(liboff, 256).split("\x00")[0] idx = 0 noff = self.rvaToOffset(x.OriginalFirstThunk) aoff = self.rvaToOffset(x.FirstThunk) while True: ava = self.readPointerAtOffset(aoff+(self.psize*idx)) if ava == 0: break nva = self.readPointerAtOffset(noff+(self.psize*idx)) #FIXME high bit testing for 64 bit if nva & 0x80000000: name = ordlookup.ordLookup(libname, nva & 0x7fffffff) else: nameoff = self.rvaToOffset(nva) + 2 # Skip the short "hint" name = self.readAtOffset(nameoff, 256).split("\x00")[0] self.imports.append((x.FirstThunk+(idx*self.psize),libname,name)) idx += 1 poff += isize x.vsParse(self.readAtOffset(poff, len(x)))
def set_imports_info(self): if hasattr(self.pe, 'DIRECTORY_ENTRY_IMPORT'): self.info['PE']['import'] = [] for entry in self.pe.DIRECTORY_ENTRY_IMPORT: import_info = dict() if isinstance(entry.dll, bytes): libname = entry.dll.decode().lower() else: libname = entry.dll.lower() import_info['Library'] = libname import_info['Functions'] = [] for imp in entry.imports: if not imp.name: funcname = ordlookup.ordLookup(entry.dll.lower(), imp.ordinal, make_name=True) if not funcname: raise Exception( "Unable to look up ordinal %s:%04x" % (entry.dll, imp.ordinal)) else: funcname = imp.name if not funcname: continue if isinstance(funcname, bytes): funcname = funcname.decode() if imp.import_by_ordinal: import_info['Functions'].append({ 'Address': imp.address, 'Name': funcname, 'Ordinal': imp.ordinal }) else: import_info['Functions'].append({ 'Address': imp.address, 'Name': funcname }) self.info['PE']['import'].append(import_info)
def populate(self): self.getSize() self.pe = pefile.PE(self.filename, fast_load=True) impTable = self.pe.get_imphash() for section in self.pe.sections: #print section.Name, #print section.VirtualAddress, #print section.SizeOfRawData, #print section.Misc_VirtualSize, #print section.get_hash_md5() self.sectionHashes["%s@%s" %(section.Name, section.VirtualAddress)] = section.get_hash_md5() impstrs = [] if self.pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT']].VirtualAddress != 0: self.pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT']]) for entry in self.pe.DIRECTORY_ENTRY_IMPORT: for imp in entry.imports: libname = entry.dll.lower() parts = libname.rsplit('.', 1) for imp in entry.imports: funcname = None if not imp.name: funcname = ordlookup.ordLookup(entry.dll.lower(), imp.ordinal, make_name=True) if not funcname: raise Exception("Unable to look up ordinal %s:%04x" % (entry.dll, imp.ordinal)) else: funcname = imp.name if not funcname: continue impstrs.append('%s.%s' % (libname.lower(),funcname.lower())) self.impHash = self.pe.get_imphash() if self.impHash == None: self.impHash = ""
def parseImports(self): self.imports = [] idir = self.getDataDirectory(IMAGE_DIRECTORY_ENTRY_IMPORT) # RP BUG FIX - invalid IAT entry will point of range of file irva = idir.VirtualAddress x = self.readStructAtRva(irva, 'pe.IMAGE_IMPORT_DIRECTORY', check=True) if x == None: return isize = len(x) while self.checkRva(x.Name): # RP BUG FIX - we can't assume that we have 256 bytes to read libname = self.readStringAtRva(x.Name, maxsize=256) idx = 0 imp_by_name = x.OriginalFirstThunk if imp_by_name == 0: imp_by_name = x.FirstThunk if not self.checkRva(imp_by_name): break while True: arrayoff = self.psize * idx if self.filesize != None and arrayoff > self.filesize: self.imports = [] # we probably put grabage in here.. return ibn_rva = self.readPointerAtRva(imp_by_name+arrayoff) if ibn_rva == 0: break if ibn_rva & self.high_bit_mask: funcname = ordlookup.ordLookup(libname, ibn_rva & 0x7fffffff) else: # RP BUG FIX - we can't use this API on this call because we can have binaries that put their import table # right at the end of the file, statically saying the imported function name is 128 will cause use to potentially # over run our read and traceback... diff = self.getMaxRva() - ibn_rva - 2 ibn = vstruct.getStructure("pe.IMAGE_IMPORT_BY_NAME") ibn.vsGetField('Name').vsSetLength( min(diff, 128) ) bytes = self.readAtRva(ibn_rva, len(ibn), shortok=True) if not bytes: break try: ibn.vsParse(bytes) except: idx+=1 continue funcname = ibn.Name self.imports.append((x.FirstThunk+arrayoff,libname,funcname)) idx += 1 irva += isize # RP BUG FIX - if the import table is at the end of the file we can't count on the ending to be null if not self.checkRva(irva, size=isize): break x.vsParse(self.readAtRva(irva, isize))
def ProcessFile(filename): pe_report = {} pe = pefile.PE(filename) print pe.DOS_HEADER #pprint(pe.DOS_HEADER.__dict__) print pe.NT_HEADERS #pprint(pe.NT_HEADERS.__dict__) print pe.FILE_HEADER #pprint(pe.FILE_HEADER.__dict__) print pe.OPTIONAL_HEADER #pprint(pe.OPTIONAL_HEADER.__dict__) pprint(pe.OPTIONAL_HEADER.DATA_DIRECTORY) print '\nSections\n' for section in pe.sections: print section #pprint(section.__dict__) #for entry in pe.DIRECTORY_ENTRY_IMPORT: # print entry.struct # for imp in entry.imports: # print '\nImport Data:' # for key, val in imp.__dict__.items(): # if type(val) == int: # print "%-20s\t\t0x%x" % (key, val) # if type(val) in (str, unicode, type(None)): # print "%-20s\t\t%s" % (key, val) print '\nDIRECTORY_ENTRY_IMPORT\n' if hasattr(pe,'DIRECTORY_ENTRY_IMPORT'): for entry in pe.DIRECTORY_ENTRY_IMPORT: for imp in entry.imports: funcname = None if not imp.name: funcname = ordlookup.ordLookup(entry.dll, imp.ordinal, make_name=True) if not funcname: funcname = str(imp.ordinal) else: funcname = imp.name if not funcname: continue print funcname print '\nDIRECTORY_ENTRY_EXPORT\n' print pe.DIRECTORY_ENTRY_EXPORT.struct if hasattr(pe,'DIRECTORY_ENTRY_EXPORT'): for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols: print exp.name return print '\nDIRECTORY_ENTRY_RESOURCE\n' if hasattr(pe, 'DIRECTORY_ENTRY_RESOURCE'): for resource_type in pe.DIRECTORY_ENTRY_RESOURCE.entries: if resource_type.id != None: print 'id: %s' % str(resource_type.id) if (hasattr(resource_type, 'directory')): for resource_id in resource_type.directory.entries: if hasattr(resource_id, 'directory'): for resources in resource_id.directory.entries: # Get all languages print str(resources.id) data = pe.get_data(resources.data.struct.OffsetToData, resources.data.struct.Size) print " ".join("{:02x}".format(ord(c)) for c in data[:5])