In this post I will talk about ReadPE, a console utility of my own design that parses executable files in the Portable Executable format.
To answer the obvious question, "Why reinvent the wheel when dumpbin already exists?": many well-known utilities of this class frustrated me with their inability to handle tricky, hand-crafted files. Take the files included in the well-known Corkami suite and feed them to the dumpbin that ships with Visual Studio or to Matt Pietrek's pedump: in most cases they will refuse to work with such a file. The reason is that the authors of such utilities very often rely solely on the official description of the format provided by Microsoft. Although the format itself is fairly simple, it has a great many pitfalls, and the best guide to it is the system loader's code as listed in IDA Pro.
What features does my utility offer?
- Works with 32-bit and 64-bit images;
- Works with the unusual files that are commonly referred to as "perverse" (deliberately malformed);
- Output is generated in JSON format, which simplifies scripting;
- Displays TLS callback functions;
- Displays hook functions set up through the binding mechanism (old- and new-style binding);
- Provides auxiliary information such as entropy, forwarded functions, RVAs, file offsets, etc.
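As an added illustration of the points above (my own example, not ReadPE's code), here is a minimal Python PE header walker that avoids two of the classic pitfalls: it locates the section table via SizeOfOptionalHeader rather than a hard-coded structure size, and it treats a zero VirtualSize the way the loader does. It converts RVAs to file offsets and reports per-section entropy in a JSON-friendly dict; the PE32 image it parses is constructed inline, not a real binary.

```python
import math, struct
from collections import Counter

def entropy(buf):
    """Shannon entropy in bits per byte (0.0 for an empty buffer)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def parse_pe(data):
    """Walk DOS header -> NT headers -> section table into a JSON-friendly dict."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4  # IMAGE_FILE_HEADER, 20 bytes
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20      # IMAGE_OPTIONAL_HEADER: Magic at +0, AddressOfEntryPoint at +16
    magic, entry = struct.unpack_from("<H", data, opt)[0], struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        # pitfall: the section table sits SizeOfOptionalHeader bytes past the optional header;
        # a crafted file may set that field to anything, so never hard-code 0xE0 / 0xF0
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "raw_ptr": rawptr, "raw_size": rawsize,
                         "entropy": round(entropy(data[rawptr:rawptr + rawsize]), 3)})
    return {"machine": hex(machine), "is64": magic == 0x20B, "entry_rva": entry, "sections": sections}

def rva_to_offset(pe, rva):
    """File offset for an RVA; None if it is virtual-only (zero-filled) or unmapped."""
    secs = pe["sections"]
    if secs and rva < min(s["va"] for s in secs):
        return rva  # headers are mapped 1:1 below the first section
    for s in secs:
        span = max(s["vsize"], s["raw_size"])  # pitfall: VirtualSize 0 means "use SizeOfRawData"
        if s["va"] <= rva < s["va"] + span:
            delta = rva - s["va"]
            return s["raw_ptr"] + delta if delta < s["raw_size"] else None
    return None

def build_sample():
    """Constructed PE32: SizeOfOptionalHeader padded to 0xF0, .text VirtualSize 0, .data 0x1000 virtual / 0x200 raw."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    fh = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xF0, 0x102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000,
                      0x2000, 0x400000, 0x1000, 0x200).ljust(0xF0, b"\0")
    def sec(name, vsize, va, rawsize, rawptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + fh + opt + sec(b".text", 0, 0x1000, 0x200, 0x200) + sec(b".data", 0x1000, 0x2000, 0x200, 0x400)
    return hdr.ljust(0x200, b"\0") + bytes(range(256)) * 2 + b"\0" * 0x200
```

`json.dumps(parse_pe(build_sample()), indent=2)` yields the kind of scriptable report the feature list describes.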
The tool was developed to solve my own problems. However, it is now used by others besides me, so I decided to share it; perhaps it will help even more system programmers. During development, the utility was tested on the Corkami kit, as well as on the files that were used when testing PE Tools.
The tool can be obtained from my research-toolchain repository on Bitbucket. Usage details can be found in ru_ReadME.
I am always open to communication and will be glad to consider any questions that arise from using my utility. I will be especially grateful for bug reports.