
exe-rs's Introduction

exe-rs

exe-rs is a Portable Executable (PE) parsing library tested against many kinds of malformed PE executables, including the Corkami corpus and various forms of malware! It is built for creating PE files as well as parsing them, and aims to make tasks involving PE files as smooth and painless as possible.

You can read the documentation here, and see various use examples in the test file. The changelog between various versions is available here.

Windows-specific features (such as loading a given PE file for execution) can be configured by enabling the win32 feature of the crate.

exe-rs's People

Contributors

frank2


exe-rs's Issues

get_section_by_name requires a String instead of an &str

    fn get_section_by_name(&self, name: String) -> Result<&ImageSectionHeader, Error> {
        let sections = self.get_section_table()?;
        let s = name.as_str();

        for section in sections {
            if section.name.as_str() == s {
                return Ok(section);
            }
        }

        Err(Error::SectionNotFound)
    }

Taking an &str would be nicer here and it looks like it's fine since it immediately gets converted to one.

Use cargo fmt

The style is custom which makes it difficult to work with for outsiders:

  • People don't know in what way they should style their code
  • Manual styling is needed
  • Some people (myself included) have automatic format on save and I'd have to disable it for this.

Consider using cargo fmt so that collaboration is easier. It's not going to be perfect but it's good enough.

.Net bin parsing issue

Thank you for this crate. I've been using the Goblin crate, but it lacks some features yours has, such as getting the original filename.

This is the Rust program I'm working on: https://github.com/theflakes/fmd
It's a PE cmd line forensic tool.
The "get_pe_file_info" fn in "main.rs" is where I use your crate to parse the structure that contains the original filename and other fields.

I think there is an issue with .Net binary parsing of the vs_version. When I run this against a .Net binary that shows an original filename in the file properties window in Windows Explorer, I get an error:

thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: CorruptDataDirectory', src\main.rs:324:39

Thanks again for the crate!

Intended way to use CChar strings eg Section Name

What's the intended way to deal with these?

dbg!(section.name.iter().map(|x| x.0 as char).filter(|&x| x > '\0').collect::<String>());

I have this for debug printing but I imagine this isn't the intended way and there's something built in already.
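An added example, not part of this issue and not exe-rs code, showing how I would decode the 8-byte, NUL-padded section name without the pitfalls of the dbg! line above (filtering NULs out instead of stopping at the first one, and `u8 as char` mapping bytes 0x80..=0xFF to Latin-1 code points). It also covers the earlier get_section_by_name point by matching against an `&str` with no String allocation. `CChar` here is a local stand-in for the crate's one-byte C char wrapper so the file runs without the `exe` crate; all function names are mine.

```rust
// Added example (not exe-rs code): decoding the fixed-width, NUL-padded
// 8-byte section name from IMAGE_SECTION_HEADER.
// `CChar` is a local stand-in for the crate's one-byte C char wrapper,
// chosen so this file runs without the `exe` crate (an assumption).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct CChar(pub u8);

/// Build a header-style name: truncated or NUL-padded to exactly 8 bytes.
pub fn name_from_str(s: &str) -> [CChar; 8] {
    let mut out = [CChar(0); 8];
    for (dst, src) in out.iter_mut().zip(s.bytes()) {
        *dst = CChar(src);
    }
    out
}

/// Decode the name as a String.
/// - Stops at the FIRST NUL rather than filtering NULs out, so "ab\0cd" is
///   "ab" (filtering would silently glue it into "abcd").
/// - A name using all 8 bytes has no terminator at all; that is legal PE.
/// - Malformed files can put any bytes here; lossy UTF-8 decoding never
///   panics, whereas `b as char` would map 0x80..=0xFF to Latin-1.
pub fn section_name(raw: &[CChar; 8]) -> String {
    let bytes: Vec<u8> = raw.iter().map(|c| c.0).collect();
    let end = bytes.iter().position(|&b| b == 0).unwrap_or(bytes.len());
    String::from_utf8_lossy(&bytes[..end]).into_owned()
}

/// Exact comparison against a `&str` with no allocation, which is all a
/// `get_section_by_name(&str)` lookup needs.
pub fn section_name_matches(raw: &[CChar; 8], name: &str) -> bool {
    let want = name.as_bytes();
    if want.len() > 8 {
        return false;
    }
    let got: Vec<u8> = raw.iter().map(|c| c.0).collect();
    let end = got.iter().position(|&b| b == 0).unwrap_or(8);
    &got[..end] == want
}

/// Triage heuristic: real toolchains emit printable ASCII names; anything
/// else (high bytes, control characters, empty) is worth flagging.
pub fn is_printable_ascii_name(raw: &[CChar; 8]) -> bool {
    let end = raw.iter().position(|c| c.0 == 0).unwrap_or(8);
    end > 0 && raw[..end].iter().all(|c| (0x20..0x7f).contains(&c.0))
}

fn main() {
    // Constructed samples, not taken from any real binary.
    for s in [".text", ".textbss", "\u{1}\u{2}bad"] {
        let raw = name_from_str(s);
        println!(
            "{:?} -> {:?} (printable: {})",
            s,
            section_name(&raw),
            is_printable_ascii_name(&raw)
        );
    }
}
```

`section_name` and `section_name_matches` both treat the first NUL as the end of the name, so a lookup for ".text" cannot be satisfied by a crafted ".text\0xx" name that a filtering decoder would render identically.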

BufferSearch search performance

I've been using your library for some PE restructuring work as well as some extraction and wanted to report this so you would know...

    let text_di_bytes = pefile.get_buffer().as_ref();
    let tr_xrefs = troc_instances
        .iter()
        .map(|x| {
            let tr_offset_va = offset_to_va(*x);
            let tr_bytes: [u8; 4] = u32::to_le_bytes(tr_offset_va);
            // let mut tr_xref = memmem::find_iter(text_di_bytes, &tr_bytes);
            let mut tr_xref = pefile.search(tr_bytes).unwrap();
            let _ = tr_xref.next().unwrap();
            let pos = tr_xref.next().unwrap();
            pos.try_into().unwrap()
        })
        .collect::<Vec<u32>>();

The runtime of this is 59 seconds with the BufferSearch, and with the only change being to use the memmem::find_iter iterator instead, the runtime is ~200ms.
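An added example, not part of this issue and not exe-rs code (the crate's BufferSearch internals are not shown here, so this does not claim to reproduce them): the kind of search the snippet above performs, finding every file offset at which a little-endian dword such as a referenced VA occurs, written once as a per-offset scan and once with a Boyer-Moore-Horspool skip table. The function names and the sample image bytes are mine.

```rust
// Added example (not exe-rs code): locating every occurrence of a
// little-endian dword (e.g. a VA referenced by code or data) in an image.

/// Reference implementation: compare the needle at every offset. O(n*m).
pub fn find_all_naive(haystack: &[u8], needle: &[u8]) -> Vec<usize> {
    if needle.is_empty() {
        return Vec::new();
    }
    haystack
        .windows(needle.len())
        .enumerate()
        .filter(|(_, w)| *w == needle)
        .map(|(i, _)| i)
        .collect()
}

/// Boyer-Moore-Horspool: a 256-entry skip table lets the scan jump up to
/// `needle.len()` bytes per mismatch, which is what makes a few MB of image
/// searchable in milliseconds. Overlapping matches are reported.
pub fn find_all(haystack: &[u8], needle: &[u8]) -> Vec<usize> {
    let (n, m) = (haystack.len(), needle.len());
    let mut hits = Vec::new();
    if m == 0 || n < m {
        return hits;
    }
    // Bad-character table: how far the window may move when its last byte
    // is `b`. Bytes absent from the needle (except its last) allow a full skip.
    let mut shift = [m; 256];
    for (i, &b) in needle[..m - 1].iter().enumerate() {
        shift[b as usize] = m - 1 - i;
    }
    let mut pos = 0;
    while pos + m <= n {
        if &haystack[pos..pos + m] == needle {
            hits.push(pos);
        }
        pos += shift[haystack[pos + m - 1] as usize];
    }
    hits
}

/// Candidate cross-references to `va`: file offsets holding it as a LE
/// dword. Offsets, not VAs, so the caller maps them back through the
/// section table, and a hit is only a candidate until the surrounding
/// bytes are confirmed to be an instruction operand or pointer.
pub fn find_va_xrefs(image: &[u8], va: u32) -> Vec<usize> {
    find_all(image, &va.to_le_bytes())
}

fn main() {
    // Constructed image, not a real file: NOP padding with two references.
    let mut image = vec![0x90u8; 64];
    let va: u32 = 0x0040_1000;
    image[5..9].copy_from_slice(&va.to_le_bytes());
    image[30..34].copy_from_slice(&va.to_le_bytes());
    println!("xrefs to {:#010x}: {:?}", va, find_va_xrefs(&image, va));
}
```

The skip table is built once per needle, so scanning the same image for many VAs (as the `map` over `troc_instances` does) still costs one table and one pass per value; if that becomes the bottleneck, search for all needles in a single pass with a multi-pattern algorithm rather than repeating the scan.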

Code from example directory panics for Rufus executable on Windows

https://github.com/pbatard/rufus/releases/download/v4.4/rufus-4.4.exe

I have tried to run the example code against rufus-4.4.exe on the Windows operating system. The code panics on the line

let icon_file = dir.to_icon_buffer(&pe).unwrap();

Writing 120.ico
thread 'main' panicked at library\core\src\panicking.rs:156:5:
unsafe precondition(s) violated: slice::from_raw_parts_mut requires the pointer to be aligned and non-null, and the total size of the slice not to exceed `isize::MAX`
stack backtrace:
   0:     0x7ff623079e6a - std::backtrace_rs::backtrace::dbghelp64::trace
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library\std\src\..\..\backtrace\src\backtrace\dbghelp64.rs:99
   1:     0x7ff623079e6a - std::backtrace_rs::backtrace::trace_unsynchronized
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library\std\src\..\..\backtrace\src\backtrace\mod.rs:66
   2:     0x7ff623079e6a - std::sys_common::backtrace::_print_fmt
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library\std\src\sys_common\backtrace.rs:68
   3:     0x7ff623079e6a - std::sys_common::backtrace::_print::impl$0::fmt
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library\std\src\sys_common\backtrace.rs:44
   4:     0x7ff623088eab - core::fmt::rt::Argument::fmt
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library\core\src\fmt\rt.rs:142
   5:     0x7ff623088eab - core::fmt::write
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library\core\src\fmt\mod.rs:1153
   6:     0x7ff623078201 - std::io::Write::write_fmt<std::sys::pal::windows::stdio::Stderr>
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library\std\src\io\mod.rs:1843
   7:     0x7ff623079c56 - std::sys_common::backtrace::print
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library\std\src\sys_common\backtrace.rs:34
   8:     0x7ff62307b79f - std::panicking::default_hook::closure$1
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library\std\src\panicking.rs:272
   9:     0x7ff62307b437 - std::panicking::default_hook
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library\std\src\panicking.rs:292
  10:     0x7ff62307bcdd - std::panicking::rust_panic_with_hook
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library\std\src\panicking.rs:779
  11:     0x7ff62307bb5b - std::panicking::begin_panic_handler::closure$0
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library\std\src\panicking.rs:649
  12:     0x7ff62307a4f9 - std::sys_common::backtrace::__rust_end_short_backtrace<std::panicking::begin_panic_handler::closure_env$0,never$>
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library\std\src\sys_common\backtrace.rs:171
  13:     0x7ff62307b856 - std::panicking::begin_panic_handler
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library\std\src\panicking.rs:645
  14:     0x7ff62308e471 - core::panicking::panic_nounwind_fmt::runtime
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library\core\src\panicking.rs:110
  15:     0x7ff62308e471 - core::panicking::panic_nounwind_fmt
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library\core\src\panicking.rs:123
  16:     0x7ff62308e538 - core::panicking::panic_nounwind
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library\core\src\panicking.rs:156
  17:     0x7ff62304c597 - core::slice::raw::from_raw_parts_mut::precondition_check
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6\library\core\src\intrinsics.rs:2799
  18:     0x7ff623041182 - core::slice::raw::from_raw_parts_mut<exe::types::IconDirEntry>
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6\library\core\src\slice\raw.rs:152
  19:     0x7ff62305175e - pkbuffer::buffer::Buffer::get_mut_slice_ref_unaligned<pkbuffer::vec::VecBuffer,exe::types::IconDirEntry>
                               at D:\Users\admin\.cargo\registry\src\index.crates.io-6f17d22bba15001f\pkbuffer-0.4.2\src\buffer.rs:361
  20:     0x7ff62304a83e - exe::types::IconDirMut::parse<pkbuffer::vec::VecBuffer>
                               at D:\Users\admin\.cargo\registry\src\index.crates.io-6f17d22bba15001f\exe-0.5.6\src\types.rs:1606
  21:     0x7ff623043b7c - exe::headers::GrpIconDir::to_icon_buffer<exe::pe::VecPE>
                               at D:\Users\admin\.cargo\registry\src\index.crates.io-6f17d22bba15001f\exe-0.5.6\src\headers.rs:1734
  22:     0x7ff6230419b5 - engine::main
                               at F:\3ngine\src\main.rs:64
  23:     0x7ff62304604b - core::ops::function::FnOnce::call_once<void (*)(),tuple$<> >
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6\library\core\src\ops\function.rs:250
  24:     0x7ff62305004e - core::hint::black_box
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6\library\core\src\hint.rs:337
  25:     0x7ff62305004e - std::sys_common::backtrace::__rust_begin_short_backtrace<void (*)(),tuple$<> >
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6\library\std\src\sys_common\backtrace.rs:155
  26:     0x7ff62304cbe1 - std::rt::lang_start::closure$0<tuple$<> >
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6\library\std\src\rt.rs:166
  27:     0x7ff623075552 - std::rt::lang_start_internal
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library\std\src\rt.rs:148
  28:     0x7ff62304cbba - std::rt::lang_start<tuple$<> >
                               at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6\library\std\src\rt.rs:165
  29:     0x7ff623041d09 - main
  30:     0x7ff62308caf0 - invoke_main
                               at D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:78
  31:     0x7ff62308caf0 - __scrt_common_main_seh
                               at D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
  32:     0x7ffcbaae257d - BaseThreadInitThunk
  33:     0x7ffcbc84aa48 - RtlUserThreadStart
thread caused non-unwinding panic. aborting.
error: process didn't exit successfully: `target\debug\engine.exe` (exit code: 0xc0000409, STATUS_STACK_BUFFER_OVERRUN)

The code which I run is available in repo:

use exe::*;

fn main() {
    let pe = VecPE::from_disk_file("rufus-4.4.exe").unwrap();
    let rsrc = ResourceDirectory::parse(&pe).unwrap();
    let icons = rsrc.icon_groups(&pe).unwrap();

    for (id, dir) in &icons {
        let filename = match id {
            ResolvedDirectoryID::ID(val) => format!("{}.ico", val),
            ResolvedDirectoryID::Name(name) => format!("{}.ico", name),
        };

        println!("Writing {}", filename);

        let icon_file = dir.to_icon_buffer(&pe).unwrap();
        icon_file.save(filename).unwrap();
    }

    println!("Icons dumped from executable");
}
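An added example, not part of this issue, not the crate's fix, and not Rufus code. The backtrace above ends in `get_mut_slice_ref_unaligned<IconDirEntry>` calling `slice::from_raw_parts_mut`, whose debug precondition check (aligned, non-null, size within `isize::MAX`) fires; since the accessor is the `_unaligned` variant and PE resource data carries no alignment guarantee for a struct with u16/u32 fields, alignment is the plausible culprit, and the process dies with STATUS_STACK_BUFFER_OVERRUN because the check is a non-unwinding panic. The example below parses the same kind of data, an RT_GROUP_ICON resource (GRPICONDIR header plus GRPICONDIRENTRY records, the documented Windows layout), with field-wise little-endian reads from a byte slice, so the input may begin at any alignment and a truncated or malformed resource yields an Err instead of a panic. The type and function names and the sample bytes are mine.

```rust
// Added example (not exe-rs or Rufus code): parse an RT_GROUP_ICON resource
// (GRPICONDIR header followed by GRPICONDIRENTRY records, the documented
// Windows layout) with field-wise little-endian reads from a byte slice.
// Nothing is reinterpreted as a struct pointer, so the input may start at any
// alignment, and every read is bounds-checked.

#[derive(Debug, PartialEq, Eq)]
pub struct GrpIconDirEntry {
    pub width: u8,
    pub height: u8,
    pub color_count: u8,
    pub reserved: u8,
    pub planes: u16,
    pub bit_count: u16,
    pub bytes_in_res: u32,
    pub id: u16,
}

#[derive(Debug, PartialEq, Eq)]
pub enum IconError {
    Truncated,
    BadType(u16),
    TooLarge,
}

const HEADER_LEN: usize = 6; // idReserved, idType, idCount (u16 each)
const ENTRY_LEN: usize = 14; // packed GRPICONDIRENTRY

fn u8_at(b: &[u8], off: usize) -> Result<u8, IconError> {
    b.get(off).copied().ok_or(IconError::Truncated)
}
fn u16_at(b: &[u8], off: usize) -> Result<u16, IconError> {
    let s = b.get(off..off + 2).ok_or(IconError::Truncated)?;
    Ok(u16::from_le_bytes([s[0], s[1]]))
}
fn u32_at(b: &[u8], off: usize) -> Result<u32, IconError> {
    let s = b.get(off..off + 4).ok_or(IconError::Truncated)?;
    Ok(u32::from_le_bytes([s[0], s[1], s[2], s[3]]))
}

pub fn parse_grp_icon_dir(data: &[u8]) -> Result<Vec<GrpIconDirEntry>, IconError> {
    let ty = u16_at(data, 2)?;
    if ty != 1 {
        return Err(IconError::BadType(ty)); // 1 = icon, 2 = cursor
    }
    let count = u16_at(data, 4)? as usize;
    // Validate the declared count against the real length before allocating
    // or looping, so a hostile idCount cannot drive reads past the buffer.
    if data.len() < HEADER_LEN + count * ENTRY_LEN {
        return Err(IconError::Truncated);
    }
    let mut entries = Vec::with_capacity(count);
    for i in 0..count {
        let off = HEADER_LEN + i * ENTRY_LEN;
        entries.push(GrpIconDirEntry {
            width: u8_at(data, off)?,
            height: u8_at(data, off + 1)?,
            color_count: u8_at(data, off + 2)?,
            reserved: u8_at(data, off + 3)?,
            planes: u16_at(data, off + 4)?,
            bit_count: u16_at(data, off + 6)?,
            bytes_in_res: u32_at(data, off + 8)?,
            id: u16_at(data, off + 12)?,
        });
    }
    Ok(entries)
}

/// Size of the .ico file these entries would produce: a 6-byte ICONDIR,
/// a 16-byte ICONDIRENTRY per image, then each image's dwBytesInRes bytes.
/// Checked arithmetic documents that dwBytesInRes is attacker-controlled.
pub fn ico_file_size(entries: &[GrpIconDirEntry]) -> Result<u64, IconError> {
    let mut total = 6u64 + 16 * entries.len() as u64;
    for e in entries {
        total = total
            .checked_add(e.bytes_in_res as u64)
            .ok_or(IconError::TooLarge)?;
    }
    Ok(total)
}

/// Constructed sample (not from any real file): one padding byte so the
/// directory begins at an odd address, then a two-image group icon.
pub fn sample_resource() -> Vec<u8> {
    let mut v = vec![0xEE]; // padding: &v[1..] starts unaligned
    v.extend_from_slice(&[0, 0, 1, 0, 2, 0]); // reserved=0, type=1, count=2
    v.extend_from_slice(&[16, 16, 0, 0, 1, 0, 32, 0, 0xA8, 0x04, 0, 0, 1, 0]);
    v.extend_from_slice(&[32, 32, 0, 0, 1, 0, 32, 0, 0xA8, 0x10, 0, 0, 2, 0]);
    v
}

fn main() {
    let buf = sample_resource();
    match parse_grp_icon_dir(&buf[1..]) {
        Ok(entries) => {
            for e in &entries {
                println!("{:?}", e);
            }
            println!("ico size: {:?}", ico_file_size(&entries));
        }
        Err(e) => eprintln!("malformed group icon: {:?}", e),
    }
}
```

The same discipline applies to the RT_ICON images the directory refers to: look each `id` up in the resource tree, check that the resource is at least `bytes_in_res` long before copying, and reject the group rather than trusting any field that does not fit the buffer.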
