serpilliere / elfesteem Goto Github PK

View Code? Open in Web Editor NEW

35.0 35.0 16.0 935 KB

Automatically exported from code.google.com/p/elfesteem

Python 100.00%

elfesteem's People

Contributors

Stargazers

Watchers

Forkers

mrphrazer junraa ocean1 gotohack herrcore idiom sicceer commial pombredanne w4kfu a-vincent tpourcelot naveenselvan gavz trietptm-on-coding-algorithms georgepei

elfesteem's Issues

Some change of API were not needed

It is not true that __setitem__ in python 32bit is limited to [0-0x7fffffff].
The problem is because you did not use "New Style Classes".
Instead of the complicated commits of November 2nd and December 13th, you could simply have replaced class virt: by class virt(object): and everyhing would have been OK.

Bump version and push update to PyPI?

This version of elfesteem has some significant improvements over the version in PyPI. Can you bump the version number in setup.py and package this version for PyPI?

Apologies for opening this as an issue I just can't find a better way to contact you or Philippe.

Error In DirRes

e.DirRes
Traceback (most recent call last):
File "", line 1, in
File "C:\Python27\lib\elfesteem\pe.py", line 1457, in repr
dir_todo = [1] + a.resentries.l + [-1] + dir_todo
AttributeError: 'list' object has no attribute 'l'

Deadlock with bigger ELF executable

e = elf_init.ELF(open(FILENAME, 'rb').read()) results in hanging script, eating up more and more RAM. When you stop it, it tells you it was here
https://github.com/serpilliere/elfesteem/blob/master/elfesteem/strpatchwork.py#L27

With dd if=App of=App.trunc bs=1024 count=39405 I found out that the last "good" size was 40350720Bytes (count=39405) and 40351744 resulting in deadlock.

I couldnt tell what the root cause is as I'm not familiar with the codebase but it certainly has to do with memory and boundaries.

Btw. I also tried https://bitbucket.org/LouisG/elfesteem which also comes with ELF64 in general. Same results with that bigger file.

I hope you have an idea what could be the problem ?

Cannot rebuilt PE on Windows 10

Rebuilding a binary (using "str(pe)") on Windows 10 doesn't produce a valid PE file, even if no modifications have been done to the original PE (which is valid).

Steps to reproduce:

In [1]: from elfesteem import pe_init

In [2]: pe = pe_init.PE(open('C:/Windows/System32/ntdll.dll','rb').read())

In [3]: pe.SHList
Out[3]:
#  section         offset   size   addr     flags   rawsize
 0 .text          00000400 10d7a3 00001000 60000020 0010d800
 1 RT             0010dc00 0001f5 0010f000 60000020 00000200
 2 .rdata         0010de00 0442e7 00110000 40000040 00044400
 3 .data          00152200 00780c 00155000 c0000040 00004000
 4 .pdata         00156200 00da94 0015d000 40000040 0000dc00
 5 .mrdata        00163e00 0034d0 0016b000 c0000040 00003600
 6 .00cfg         00167400 000018 0016f000 40000040 00000200
 7 .rsrc          00167600 069448 00170000 40000040 00069600
 8 .reloc         001d0c00 0004b4 001da000 42000040 00000600

In [4]: f = open('test.dll', 'wb'); f.write(str(pe)); f.close()

In [5]: import ctypes

In [6]: ctypes.CDLL('test.dll')
---------------------------------------------------------------------------
WindowsError                              Traceback (most recent call last)
<ipython-input-6-f0a9a7593b4e> in <module>()
----> 1 ctypes.CDLL('test.dll')

c:\python27-x64\lib\ctypes\__init__.pyc in __init__(self, name, mode, handle, use_errno, use_last_error)
    360
    361         if handle is None:
--> 362             self._handle = _dlopen(self._name, mode)
    363         else:
    364             self._handle = handle

WindowsError: [Error 193] %1 is not a valid Win32 application

This also displays a message box with:

test.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support. Error status 0xc000007b.

To be sure that the problem was not with Python/Ctypes, we can also try to load the dll using rundll32:

C:\> rundll32.exe C:\Windows\System32\ntdll.dll,atoi
# Works fine, no error displayed

C:\> rundll32.exe test.dll,atoi
# Message box: "There was a problem starting test.dll. test.dll is not a valid Win32 application"

Version info:

Windows 10 x64 Version 1703 (OS Build 15063.674)
Python 2.7.13 (v2.7.13:a06454b1afa1, Dec 17 2016, 20:53:40) [MSC v.1500 64 bit (AMD64)] on win32
elfesteem (installed from git, branch master, last commit #32aeb419)

Minidump & amd64 context

The CPU context of an amd64 minidump sounds to be off; here's the context from windbg:

0:000> r
rax=deadbeefbaadc0de rbx=0000003bc15fdb60 rcx=0000020fe9626000
rdx=0000003bc15fdb60 rsi=0000020fe9cdb098 rdi=0000003bc15fdcf0
rip=00007ff7004900cc rsp=0000003bc15fd778 rbp=0000020fe9626000
 r8=0000003bc15fdcf0  r9=0000020fe9cdb098 r10=0000020fe9d4c948
r11=0000000000000013 r12=0000020fe9626068 r13=00007ff7010724d8
r14=deadbeefbaadc0de r15=0000020fe9626000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010204

Here's the one recovered via elfesteem:

=============================CPU==============================
rax=0000000000000000 rbx=deadbeefbaadc0de rcx=0000000000000000
rdx=0000000000000000 rsi=0000003bc15fdb60 rdi=0000003bc15fd778
rip=00007ff7010724d8 rsp=0000020fe9626000 rbp=0000003bc15fdb60
 r8=0000020fe9626000  r9=0000020fe9cdb098 r10=0000003bc15fdcf0
r11=0000003bc15fdcf0 r12=0000020fe9cdb098 r13=0000020fe9d4c948
r14=0000000000000013 r15=0000020fe9626068
=============================EOF==============================

MemoryError

By trying to open a ELF file on Windows python x86-64, I got a MemoryError at this line : https://github.com/serpilliere/elfesteem/blob/master/elfesteem/strpatchwork.py#L25

>C:\Python27x64\python.exe
...
>>> from elfesteem import *
>>> elf_init.ELF(open("test-i386", "rb").read())
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "C:\Python27x64\lib\site-packages\elfesteem\elf_init.py", line 756, in __init__
    self.parse_content()
File "C:\Python27x64\lib\site-packages\elfesteem\elf_init.py", line 771, in parse_content
    self.sh = SHList(self, self.sex, self.size)
File "C:\Python27x64\lib\site-packages\elfesteem\elf_init.py", line 473, in __init__
    s.parse_content(sex, size)
File "C:\Python27x64\lib\site-packages\elfesteem\elf_init.py", line 309, in parse_content
    c = c[12 + namesz + descsz:]
File "C:\Python27x64\lib\site-packages\elfesteem\strpatchwork.py", line 25, in __getitem__
    s.extend(array("B", self.paddingbyte * (end - l)))
MemoryError

It seems that on linux sys.maxsize == sys.maxint :

linux-machine$ python
...
>>> import sys
>>> sys.maxsize
9223372036854775807
>>> sys.maxint
9223372036854775807

But not on Windows:

windows-machine>C:\Python27x64\python.exe
...
>>> import sys
>>> sys.maxint
2147483647
>>> sys.maxsize
9223372036854775807L

Also maxint has been removed in python3 see https://docs.python.org/3.1/whatsnew/3.0.html#integers.

pe_init produces bad resource directories

I tried with two exes. One complexer one with icons, dialog etc and one that only has version info. Both produce a bad exe when read in and written out.

from elfesteem import *

FILENAME = "symget.exe"
e = pe_init.PE(open(FILENAME, 'rb').read())
open(FILENAME + "_copy", "wb").write(str(e))

symget.exe is from Microsoft and public available.

serpilliere / elfesteem Goto Github PK

elfesteem's People

Contributors

Stargazers

Watchers

Forkers

elfesteem's Issues

Some change of API were not needed

Bump version and push update to PyPI?

Error In DirRes

Deadlock with bigger ELF executable

Cannot rebuilt PE on Windows 10

Minidump & amd64 context

MemoryError

pe_init produces bad resource directories

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent