iExploit

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Apply for Membership

Top Posters

Who's Online (0)

Powered by Vanilla. Made with Bootstrap.
Looking to introduce yourself? Look no further, and click here! We also have IRC! [irc.evilzone.org #iexploit]
[Java] PEAnalyser - get info about .exe and .dll files
  • Deque
    Posts: 78
    Hello iExploit,

    this release is an analyser for the portable executable format (PE) of Microsoft. This includes .exe and .dll files.
    It is a command line program. Usage is very simple:

    java -jar peanalyse <filename>



    And here is a sample result:

    [spoiler]

    ************** PEAnalyser 0.1 by Deque@iExploit.org **************

    analysing file: 7z.exe

    PE signature offset: 232
    PE signature correct: yes

    ----------------
    COFF header info
    ----------------

    characteristics:
    * Image only, Windows CE, and Windows NT and later.
    * Image only.
    * Application can handle > 2 GB addresses.

    machine type: x64
    number of sections: 5
    size of optional header: 240
    time date stamp: Thu Nov 18 17:08:29 CET 2010

    --------------------
    Optional header info
    --------------------

    Standard fields
    ...............

    address of entry point: 188096 (0x2dec0)
    address of base of code: 4096 (0x1000)
    magic number: 523 --> PE32+ executable
    major linker version: 8 (0x8)
    minor linker version: 0 (0x0)
    size of code: 186368 (0x2d800)
    size of initialized data: 105984 (0x19e00)
    size of unitialized data: 0 (0x0)

    Windows specific fields
    .......................

    checksum: 0 (0x0)

    dll characteristics:
    * Terminal Server aware.

    file alignment in bytes: 512 (0x200)
    image base: 4194304 (0x400000), default for Windows NT, 2000, XP, 95, 98 and Me
    loader flags (reserved, must be zero): 0 (0x0)
    major image version: 0 (0x0)
    major operating system version: 4 (0x4)
    major subsystem version: 5 (0x5)
    minor image version: 0 (0x0)
    minor operating system version: 0 (0x0)
    minor subsystem version: 2 (0x2)
    number of rva and sizes: 16 (0x10)
    section alignment in bytes: 4096 (0x1000)
    size of headers (MS DOS stub, PE header, and section headers): 1024 (0x400)
    size of heap commit: 4096 (0x1000)
    size of heap reserve: 1048576 (0x100000)
    size of image in bytes: 307200 (0x4b000)
    size of stack commit: 4096 (0x1000)
    size of stack reserve: 1048576 (0x100000)
    subsystem: The Windows character subsystem
    win32 version value (reserved, must be zero): 0 (0x0)

    Data directories
    ................

    virtual_address/size

    import table: 28(0x1c)/28
    resource table: 16(0x10)/16
    exception table: 8(0x8)/8
    IAT: 192(0xc0)/192


    -------------
    Section Table
    -------------

    entry number 1:
    ...............

    characteristics:
    * The section contains executable code.
    * The section can be executed as code.

    name: .text
    number of line numbers: 0 (0x0)
    number of relocations: 0 (0x0)
    pointer to line numbers: 0 (0x0)
    pointer to raw data: 1024 (0x400)
    pointer to relocations: 0 (0x0)
    size of raw data: 186368 (0x2d800)
    virtual address: 4096 (0x1000)
    virtual size: 185900 (0x2d62c)

    entry number 2:
    ...............

    characteristics:
    * The section contains initialized data.

    name: .rdata
    number of line numbers: 0 (0x0)
    number of relocations: 0 (0x0)
    pointer to line numbers: 0 (0x0)
    pointer to raw data: 187392 (0x2dc00)
    pointer to relocations: 0 (0x0)
    size of raw data: 74752 (0x12400)
    virtual address: 192512 (0x2f000)
    virtual size: 74282 (0x1222a)

    entry number 3:
    ...............

    characteristics:
    * The section contains initialized data.
    * The section can be written to.

    name: .data
    number of line numbers: 0 (0x0)
    number of relocations: 0 (0x0)
    pointer to line numbers: 0 (0x0)
    pointer to raw data: 262144 (0x40000)
    pointer to relocations: 0 (0x0)
    size of raw data: 2560 (0xa00)
    virtual address: 270336 (0x42000)
    virtual size: 11696 (0x2db0)

    entry number 4:
    ...............

    characteristics:
    * The section contains initialized data.

    name: .pdata
    number of line numbers: 0 (0x0)
    number of relocations: 0 (0x0)
    pointer to line numbers: 0 (0x0)
    pointer to raw data: 264704 (0x40a00)
    pointer to relocations: 0 (0x0)
    size of raw data: 18432 (0x4800)
    virtual address: 282624 (0x45000)
    virtual size: 17928 (0x4608)

    entry number 5:
    ...............

    characteristics:
    * The section contains initialized data.

    name: .rsrc
    number of line numbers: 0 (0x0)
    number of relocations: 0 (0x0)
    pointer to line numbers: 0 (0x0)
    pointer to raw data: 283136 (0x45200)
    pointer to relocations: 0 (0x0)
    size of raw data: 1024 (0x400)
    virtual address: 303104 (0x4a000)
    virtual size: 784 (0x310)

    [/spoiler]

    As you can see, you are able to view header information and section entries. I.e. you can see which architecture this executable is made for, what kind of file it is (.exe, .dll, other), when it was created and a lot more.

    Future versions may include viewing the section entries (which might be more suitable with a GUI, so you don't get a wall of text).

    As always: tell me, if you find any bugs so I can remove them.
    I searched after other PE viewer software to compare my results and make searching for bugs easier, but I only found software I have to pay for. No one should pay for this shit.

    Download:
    Source and .jar included
    http://www.mediafire.com/?ah2nttj134t4zxy

    License:
    [spoiler]
    Copyright 2012 Deque at http://www.iexploit.org All rights reserved.

    Redistribution and use in source and binary forms, with or without modification, are
    permitted provided that the following conditions are met:

    1. Redistributions of source code must retain the above copyright notice, this list of
    conditions and the following disclaimer.

    2. Redistributions in binary form must reproduce the above copyright notice, this list
    of conditions and the following disclaimer in the documentation and/or other materials
    provided with the distribution.

    THIS SOFTWARE IS PROVIDED BY Deque at http://www.iexploit.org ``AS IS'' AND ANY EXPRESS OR IMPLIED
    WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
    FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Deque at https://haxme.org OR
    CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
    CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
    SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
    ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
    NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
    ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    The views and conclusions contained in the software and documentation are those of the
    authors and should not be interpreted as representing official policies, either expressed
    or implied, of Deque at http://www.iexploit.org
    [/spoiler]

    Lines of code: 535 without empty lines and comments
    669 with empty lines and comments

    Have fun.
    Deque
  • Mr. P-teoMr. P-teo
    Posts: 269
    nice work, good Java coders aren't massively common.
    Skype: mrpt3o
    Twitter: MrPteo


    image
  • Deque
    Posts: 78
    Thanks. Not sure if they aren't common. Maybe just not in the security field.
  • sangf
    Posts: 203
    this is really cool! i was learning about the PE format/headers from some reversing articles recently, i'll give this a shot when i revisit them and see if i can get some meaningful feedback for you =p
  • Xin
    Posts: 3,251
    Nice ive been learning a bit of java recently , mainly been working on awt/swing stuff
    Xin
Add a Comment