import sys ''' Quick utility to generate ord lookups from DLL exports. ''' import PE p = PE.PE(open(sys.argv[1], 'rb')) base = int(p.IMAGE_EXPORT_DIRECTORY.Base) ords = {} for fva, ord, name in p.getExports(): ords[ord + base] = name keys = list(ords.keys()) keys.sort() for k in keys: print(''' %d:'%s',''' % (k, ords.get(k)))
t = vdb.trace bases = t.getMeta("LibraryBases") paths = t.getMeta("LibraryPaths") names = args if len(names) == 0: names = t.getNormalizedLibNames() names.sort() names = vdb.columnstr(names) for libname in names: base = bases.get(libname.strip(), -1) path = paths.get(base, "unknown") mem = PE.MemObjFile(t, base) pobj = PE.PE(mem, inmem=True) if showimps: ldeps = {} for rva, lname, fname in pobj.getImports(): ldeps[lname.lower()] = True lnames = ldeps.keys() lnames.sort() vdb.vprint('0x%.8x - %.30s %s' % (base, libname, ' '.join(lnames))) elif showvers: vdb.vprint('0x%.8x - %.30s %s' % (base, libname, path)) elif showtime: tstamp = pobj.IMAGE_NT_HEADERS.FileHeader.TimeDateStamp vdb.vprint('0x%.8x - %.30s 0x%.8x' % (base, libname, tstamp)) else: vdb.vprint('0x%.8x - %.30s %s' % (base, libname, path))
def parseFd(vw, fd, filename=None): fd.seek(0) pe = PE.PE(fd) return loadPeIntoWorkspace(vw, pe, filename=filename)
return ret if __name__ == '__main__': # Parse windows structures from dll symbols... import os import sys import platform from pprint import pprint import PE import vtrace.platforms.win32 as vt_win32 p = PE.PE(file(sys.argv[1], 'rb')) baseaddr = p.IMAGE_NT_HEADERS.OptionalHeader.ImageBase osmajor = p.IMAGE_NT_HEADERS.OptionalHeader.MajorOperatingSystemVersion osminor = p.IMAGE_NT_HEADERS.OptionalHeader.MinorOperatingSystemVersion machine = p.IMAGE_NT_HEADERS.FileHeader.Machine archname = PE.machine_names.get(machine) parser = vt_win32.Win32SymbolParser(0xffffffff, sys.argv[1], baseaddr) parser.parse() t = list(parser._sym_types.values()) e = list(parser._sym_enums.values()) builder = VStructBuilder(defs=t, enums=e) print('# Version: %d.%d' % (osmajor, osminor))
def parseFile(vw, filename): pe = PE.PE(file(filename, "rb")) return loadPeIntoWorkspace(vw, pe, filename)
def parseBytes(vw, bytes): fd = StringIO.StringIO(bytes) fd.seek(0) pe = PE.PE(fd) return loadPeIntoWorkspace(vw, pe, filename=filename)
import sys import os CURRENT_DIR = os.getcwd() PE_DIR = "\\".join(CURRENT_DIR.split("\\")[:-1]) print "[+] Current position: %s" % (CURRENT_DIR) print "[+] PE class position: %s" % (PE_DIR) print # add PE class folder sys.path.append(PE_DIR) from PE import * exe = PE_DIR + "\\vuln\\ImageLoad.dll" pe = PE(exe) print "[+] Analysis %s." % (pe.Name) print "[*] Format is %s." % (pe.Format) print "[*] Type is %s." % (pe.Type) print "[*] Arch is %s." % (pe.Arch) print "[*] Bits is %d." % (pe.Bits) print "[*] EntryPoint is 0x%08x." % (pe.EntryPoint) print "[*] Rebase is", "on." if pe.Rebase else "off." print print "[+] DataSections:" print "[*] %-8s %-10s %-10s %-10s" % ("name", "vaddr", "offset", "size") for section in pe.DataSections: print " %-8s 0x%-08x 0x%-08x 0x%-08x" % ( section["name"], section["vaddr"], section["offset"], section["size"])
def parseFile(vw, filename, baseaddr=None): pe = PE.PE(file(filename,"rb")) return loadPeIntoWorkspace(vw, pe, filename, baseaddr=baseaddr)
def hooks(vdb, line): ''' Check the executable regions of the target process for any hooks by comparing against the PE on disk. This will account for relocations and import entries. ''' t = vdb.getTrace() bases = t.getMeta("LibraryBases") paths = t.getMeta("LibraryPaths") found = False for bname in bases.keys(): base = bases.get(bname) fpath = paths.get(base) with open(fpath, 'rb') as fd: pobj = PE.PE(fpath) filebase = pobj.IMAGE_NT_HEADERS.OptionalHeader.ImageBase skips = {} # Get relocations for skipping r = list(range(t.getPointerSize())) for relrva, reltype in pobj.getRelocations(): for i in r: skips[base + relrva + i] = True # Add the import entries to skip for iva, libname, name in pobj.getImports(): for i in r: skips[base + iva + i] = True for sec in pobj.getSections(): if sec.Characteristics & PE.IMAGE_SCN_MEM_EXECUTE: size = sec.VirtualSize va = base + sec.VirtualAddress fileva = filebase + sec.VirtualAddress filebytes = pobj.readAtRva(sec.VirtualAddress, sec.VirtualSize) procbytes = t.readMemory(va, size) for off, size in bindiff(filebytes, procbytes): difva = va + off fdifva = fileva + off # Check for a relocation covering this... if skips.get(difva): continue found = True dmem = e_common.hexify(procbytes[off:off + size])[:10] dfil = e_common.hexify(filebytes[off:off + size])[:10] vdb.canvas.addVaText('0x%.8x' % difva, difva) vdb.canvas.addText(' (0x%.8x) (%d)' % (fdifva, size)) vdb.canvas.addText(' mem: %s file: %s ' % (dmem, dfil)) sym = vdb.symobj.getSymByAddr(difva, exact=False) if sym is not None: vdb.canvas.addText(' ') vdb.canvas.addVaText( '%s + %d' % (repr(sym), difva - int(sym)), difva) vdb.canvas.addText('\n') if not found: vdb.canvas.addText('No Hooks Found!\n')
def parseBytes(vw, bytes, baseaddr=None): fd = BytesIO(bytes) fd.seek(0) pe = PE.PE(fd) return loadPeIntoWorkspace(vw, pe, baseaddr=baseaddr)
from PE import * from util import * from Gadget import * exe_path = "D:\\testPoc\\Easy File Sharing Web Server\\fsws.exe" module_list = getModuleList(exe_path) module_list.append(exe_path) # Get all usable gadgets. collect_gadgets = {} for module in module_list: pe = PE(module) if (not pe.ASLR) and (not pe.SafeSEH) and (not pe.Rebase): print "[+] Module %s add." % module module_gadget = Gadget(pe) classify_gadget(module_gadget.retGadgets, module_gadget.jmpGadgets, collect_gadgets) print for types in collect_gadgets.keys(): print "+" + "-"*(len(types)+2) + "+" print "| " + types + " |" print "+" + "-"*(len(types)+2) + "+" print for addr, gadget in collect_gadgets[types].items(): print "[*] 0x%08x : %s." % (addr, gadget) print