hasherezade edited this page Aug 22, 2014 · 30 revisions

bearparser

Portable Executable parsing library
WARNING: this is an early beta version; some elements are unfinished!
Please report any bugs and remarks to: hasherezade@op.pl

Requires:

How to build (example step-by-step):

mkdir re-bear
cd re-bear
git clone https://github.com/hasherezade/bearparser.git
mkdir build
cd build
cmake -G [some generator] ../bearparser/
make

Done! You can test it by running the commander:

./commander/bearcommander [optional: path to exe]

bearcommander

WARNING: Commander is a very basic tool, used only for the purpose of testing the library's capabilities.
It's not a fully functional tool - or at least not yet!

Sample usage:

hshrzd@kali:~/mytest/build$ ./commander/bearcommander
Starting...
Path to executable: /home/hshrzd/vm_shared/corkami_samples/exe/cfbogus.exe
Type: PE
Buffering...
Parsing executable...
$ info
Bit mode: 	32
Entry point: 	0x1000v
Raw size: 	0x400
Virtual size: 	0x2000
Raw align.: 	0x200
Virtual align.:	0x1000
Contains:
[ 0] DOS Hdr
[ 1] File Hdr
[ 2] Optional Hdr
[ 3] Data Directory
[ 4] Section Hdrs
[ 5] Imports
[12] LdConfig

Use the dump command to see the details of a particular structure,
e.g.

$ dump 
[ 0] DOS Hdr
[ 1] File Hdr
[ 2] Optional Hdr
[ 3] Data Directory
[ 4] Section Hdrs
[ 5] Imports
[12] LdConfig
wrapperNum: 12
------
	[LdConfig] size: 0x5c fieldsCount: 25

[0250] Size :	[0000005C _] 
[0254] TimeDateStamp :	[00000000 _] 
[0258] MajorVersion :	[0000 _] 
[025A] MinorVersion :	[0000 _] 
[025C] GlobalFlagsClear :	[00000000 _] 
[0260] GlobalFlagsSet :	[00000000 _] 
[0264] CriticalSectionDefaultTimeout :	[00000000 _] 
[0268] DeCommitFreeBlockThreshold :	[00000000 _] 
[026C] DeCommitTotalFreeThreshold :	[00000000 _] 
[0270] LockPrefixTable :	[00000000 V] 
[0274] MaximumAllocationSize :	[00000000 _] 
[0278] VirtualMemoryThreshold :	[00000000 _] 
[027C] ProcessHeapFlags :	[00000000 _] 
[0280] ProcessAffinityMask :	[00000000 _] 
[0284] CSDVersion :	[0000 _] 
[0286] Reserved :	[0000 _] 
[0288] EditList :	[00000000 V] 
[028C] SecurityCookie :	[004010AC V] 
[0290] SEHandlerTable :	[00000000 V] 
[0294] SEHandlerCount :	[00000000 _] 
[0298] GuardCFCheckFunctionPtr :	[004010B4 V] 
[029C] Reserved2 :	[00000000 _] 
[02A0] GuardCFFunctionTable :	[004010B9 V] 
[02A4] GuardCFFunctionCount :	[00000006 _] 
[02A8] GuardFlags :	[00000500 _]
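The LdConfig dump above is the 25-field IMAGE_LOAD_CONFIG_DIRECTORY32 (0x5c bytes) of the corkami sample, and it carries the mitigation-relevant values an analyst looks for: SecurityCookie (/GS), SEHandlerTable/SEHandlerCount (SafeSEH) and the GuardCF* fields (Control Flow Guard). Two details matter when parsing it by hand: the struct's own Size field, not the data directory size, decides which fields exist (older linkers emit 0x48 and stop at SEHandlerCount), and the fields bearcommander marks with "V" are absolute virtual addresses, not RVAs, so they only make sense relative to ImageBase. The following Python script is an added example, not bearparser's or bearcommander's code: it walks DOS header, PE header, data directory entry 10 and the section table to the Load Config structure, stops at Size, clamps a bogus Size to the bytes actually present in the file, and resolves the VA fields. The sample PE it parses is constructed in memory to mirror the values shown in the dump (the same Size, SecurityCookie, GuardCF* values and an ImageBase of 0x400000, which is an assumption). Field names follow the page; the page's Reserved2 is called GuardCFDispatchFunctionPointer in current winnt.h. RVAs that fall in the header region (below the first section) are not resolved, and PE32+ is rejected rather than handled.

```python
"""Added example: parse the 32-bit Load Config directory of a PE32 file (not bearparser's own code)."""
import struct

IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10
# Fields that hold absolute virtual addresses (bearcommander prints them with a "V" marker).
VA_FIELDS = {"LockPrefixTable", "EditList", "SecurityCookie", "SEHandlerTable",
             "GuardCFCheckFunctionPtr", "GuardCFFunctionTable"}
# IMAGE_LOAD_CONFIG_DIRECTORY32 in declaration order, names as the page's dump shows them
# (Reserved2 is GuardCFDispatchFunctionPointer in current winnt.h).
LOAD_CONFIG32 = [
    ("Size", "I"), ("TimeDateStamp", "I"), ("MajorVersion", "H"), ("MinorVersion", "H"),
    ("GlobalFlagsClear", "I"), ("GlobalFlagsSet", "I"), ("CriticalSectionDefaultTimeout", "I"),
    ("DeCommitFreeBlockThreshold", "I"), ("DeCommitTotalFreeThreshold", "I"),
    ("LockPrefixTable", "I"), ("MaximumAllocationSize", "I"), ("VirtualMemoryThreshold", "I"),
    ("ProcessHeapFlags", "I"), ("ProcessAffinityMask", "I"), ("CSDVersion", "H"),
    ("Reserved", "H"), ("EditList", "I"), ("SecurityCookie", "I"), ("SEHandlerTable", "I"),
    ("SEHandlerCount", "I"), ("GuardCFCheckFunctionPtr", "I"), ("Reserved2", "I"),
    ("GuardCFFunctionTable", "I"), ("GuardCFFunctionCount", "I"), ("GuardFlags", "I"),
]
GUARD_FLAGS = {0x100: "CF_INSTRUMENTED", 0x200: "CFW_INSTRUMENTED", 0x400: "CF_FUNCTION_TABLE_PRESENT"}


def parse_pe32(data):
    """Return (image_base, [(va, vsize, raw_ptr, raw_size)], (ldcfg_rva, ldcfg_size) or None)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    fhdr = e_lfanew + 4
    nsections, opt_size = struct.unpack_from("<H12xH", data, fhdr + 2)  # NumberOfSections, SizeOfOptionalHeader
    opt = fhdr + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (Magic 0x10b) handled; PE32+ has 8-byte pointer fields")
    image_base = struct.unpack_from("<I", data, opt + 0x1C)[0]
    sections = []
    for i in range(nsections):  # section header: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    nrva = struct.unpack_from("<I", data, opt + 0x5C)[0]
    if nrva <= IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
        return image_base, sections, None
    rva, size = struct.unpack_from("<II", data, opt + 0x60 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)
    return image_base, sections, ((rva, size) if rva else None)


def rva_to_raw(sections, rva):
    """Map an RVA to a file offset through the section table; None if it is not file-backed."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            delta = rva - va
            return raw_ptr + delta if delta < raw_size else None
    return None


def parse_load_config(data):
    image_base, sections, ldcfg = parse_pe32(data)
    if ldcfg is None:
        return None
    rva, dir_size = ldcfg
    off = rva_to_raw(sections, rva)
    if off is None or off + 4 > len(data):
        raise ValueError("Load Config RVA 0x%x is not file-backed" % rva)
    size = struct.unpack_from("<I", data, off)[0]
    # The struct's Size field decides how many fields exist; clamp it to the bytes the file
    # really holds so a bogus Size (corkami-style) can never read past end of file.
    avail = min(size, len(data) - off)
    fields, pos = {}, off
    for name, fmt in LOAD_CONFIG32:
        width = struct.calcsize(fmt)
        if pos + width > off + avail:
            break
        fields[name] = struct.unpack_from("<" + fmt, data, pos)[0]
        pos += width
    return {"image_base": image_base, "sections": sections, "size": size, "dir_size": dir_size, "fields": fields}


def resolve_pointers(result):
    """{name: (va, rva, file_offset)} for the non-zero VA fields; file_offset None means the VA points outside any file-backed section."""
    out = {}
    for name in VA_FIELDS:
        va = result["fields"].get(name, 0)
        if va:
            rva = va - result["image_base"]
            out[name] = (va, rva, rva_to_raw(result["sections"], rva) if rva >= 0 else None)
    return out


def guard_flag_names(flags):
    return [n for bit, n in sorted(GUARD_FLAGS.items()) if flags & bit]


def with_load_config_size(data, new_size):
    """Copy of data with the Load Config Size field overwritten (to exercise truncation handling)."""
    _, sections, (rva, _) = parse_pe32(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, rva_to_raw(sections, rva), new_size)
    return bytes(buf)


def build_sample_pe():
    """Constructed PE32 (one .text section, headers at 0x400 bytes) mirroring the page's LdConfig values; not a real file."""
    ldcfg_rva, ldcfg_raw = 0x1050, 0x450  # RVA 0x1050 lies 0x50 into .text, whose raw data starts at 0x400
    img = bytearray(0x800)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                      # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # IMAGE_FILE_HEADER
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                      # Magic PE32
    struct.pack_into("<I", img, opt + 0x10, 0x1000)              # AddressOfEntryPoint
    struct.pack_into("<III", img, opt + 0x1C, 0x400000, 0x1000, 0x200)  # ImageBase (assumed), SectionAlignment, FileAlignment
    struct.pack_into("<II", img, opt + 0x38, 0x2000, 0x400)      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", img, opt + 0x5C, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 0x60 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, ldcfg_rva, 0x5C)
    sec = opt + 0xE0
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x1000, 0x1000, 0x400, 0x400)  # VirtualSize, VA, SizeOfRawData, PointerToRawData
    sample = {"Size": 0x5C, "SecurityCookie": 0x4010AC, "GuardCFCheckFunctionPtr": 0x4010B4,
              "GuardCFFunctionTable": 0x4010B9, "GuardCFFunctionCount": 6, "GuardFlags": 0x500}
    fmt = "<" + "".join(f for _, f in LOAD_CONFIG32)
    struct.pack_into(fmt, img, ldcfg_raw, *(sample.get(n, 0) for n, _ in LOAD_CONFIG32))
    return bytes(img)


if __name__ == "__main__":
    res = parse_load_config(build_sample_pe())
    for name, val in res["fields"].items():
        print("%-32s %08X%s" % (name, val, " V" if name in VA_FIELDS else ""))
    print("GuardFlags:", guard_flag_names(res["fields"]["GuardFlags"]))
```

Running the script prints the same 25 fields as the dump above and decodes GuardFlags 0x500 as CF_INSTRUMENTED plus CF_FUNCTION_TABLE_PRESENT; rewriting Size to 0x48 with with_load_config_size makes the parser stop after SEHandlerCount, and an oversized Size is clamped rather than causing an out-of-bounds read, which is the behaviour you want when feeding it deliberately malformed samples such as the corkami set.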