bearcommander
@hasherezade edited this page Apr 16, 2018 · 10 revisions
WARNING: Commander is a very basic tool, used only for the purpose of testing the library's capabilities.
It is not a fully functional tool - or at least not yet!
Type any unrecognized command (e.g. `?`) to see the list of all available commands:

```
$ ?
No such command
Available commands: 17
Rv       - Convert: RAW -> RVA
Vr       - Convert: RVA -> RAW
cR       - Fetch content by Raw address
cV       - Fetch content by Virtual address
cl       - Clear chosen wrapper
winfo    - Print chosen wrapper info
einfo    - Print wrapper entries
fdump    - Dump chosen wrapper into a file
hR       - Fetch content by Raw address - HEX
hV       - Fetch content by Virtual address - HEX
info     - Exe Info
q        - Quit
rs       - Resource Info
rsrcs    - List Resource Types
rstrings - Print Strings from resources
secR     - Section by RAW
secV     - Section by RVA
```
Sample usage:
```
hshrzd@kali:~/re-bear/build$ ./commander/bearcommander
Starting...
Path to executable: /home/hshrzd/vm_shared/corkami_samples/exe/cfbogus.exe
Type: PE
Buffering...
Parsing executable...
$ info
Bit mode: 32
Entry point: 0x1000v
Raw size: 0x400
Virtual size: 0x2000
Raw align.: 0x200
Virtual align.: 0x1000
Contains:
[ 0] DOS Hdr
[ 1] File Hdr
[ 2] Optional Hdr
[ 3] Data Directory
[ 4] Section Hdrs
[ 5] Imports
[12] LdConfig
```
Use the winfo command to see the details of a particular structure (wrapper); it first lists the wrappers found in the file and then asks for the wrapper number, e.g.:

```
$ winfo
[ 0] DOS Hdr
[ 1] File Hdr
[ 2] Optional Hdr
[ 3] Data Directory
[ 4] Section Hdrs
[ 5] Imports
[12] LdConfig
wrapperNum: 12
------
[LdConfig]
size: 0x5c
fieldsCount: 25
[0250] Size : [0000005C _]
[0254] TimeDateStamp : [00000000 _]
[0258] MajorVersion : [0000 _]
[025A] MinorVersion : [0000 _]
[025C] GlobalFlagsClear : [00000000 _]
[0260] GlobalFlagsSet : [00000000 _]
[0264] CriticalSectionDefaultTimeout : [00000000 _]
[0268] DeCommitFreeBlockThreshold : [00000000 _]
[026C] DeCommitTotalFreeThreshold : [00000000 _]
[0270] LockPrefixTable : [00000000 V]
[0274] MaximumAllocationSize : [00000000 _]
[0278] VirtualMemoryThreshold : [00000000 _]
[027C] ProcessHeapFlags : [00000000 _]
[0280] ProcessAffinityMask : [00000000 _]
[0284] CSDVersion : [0000 _]
[0286] Reserved : [0000 _]
[0288] EditList : [00000000 V]
[028C] SecurityCookie : [004010AC V]
[0290] SEHandlerTable : [00000000 V]
[0294] SEHandlerCount : [00000000 _]
[0298] GuardCFCheckFunctionPtr : [004010B4 V]
[029C] Reserved2 : [00000000 _]
[02A0] GuardCFFunctionTable : [004010B9 V]
[02A4] GuardCFFunctionCount : [00000006 _]
[02A8] GuardFlags : [00000500 _]
```
As you can see, each value is followed by a tag character: V, v, r or _, e.g.

```
[028C] SecurityCookie : [004010AC V]
```

The tags mean:

```
V - Virtual Address (VA)
v - Relative Virtual Address (RVA)
r - Raw Offset
_ - not an offset (none of the above)
```

The number in square brackets at the start of each line is the raw file offset of the field itself, so a VA-tagged field (such as SecurityCookie above) has to be converted back to an RVA (subtract the image base) and then to a raw offset before its target bytes can be fetched with cR/hR.
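The conversions behind the Rv/Vr commands and the V/v/r tags above, as an added example (this is not bearparser's or bearcommander's code): a stand-alone Python parser that reads the section table of a constructed PE32 image, maps RVA <-> raw offset, and follows the V-tagged LdConfig SecurityCookie back to the file bytes it points at. The sample image and its layout, the helper names, the default cookie value written into it, and the simplified mapping rule (a section's in-memory extent is VirtualSize, falling back to SizeOfRawData; the headers are mapped 1:1) are assumptions made for this demonstration, not something the page states.

```python
"""Stand-alone PE address helper (added example, not bearparser/bearcommander code)."""
import struct

IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10


def build_sample_pe():
    """Constructed PE32 test image (assumed layout chosen for this demo, not a real binary).

    headers: raw 0x000-0x400  (SizeOfHeaders = 0x400)
    .text  : raw 0x400-0x600 -> RVA 0x1000, VirtualSize 0x1000
    .data  : raw 0x600-0x800 -> RVA 0x2000, VirtualSize 0x1000
    .data holds a Load Config directory (RVA 0x2010) whose SecurityCookie is a VA -> RVA 0x2100.
    """
    image_base = 0x400000
    sections = [  # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        (b'.text', 0x1000, 0x1000, 0x200, 0x400),
        (b'.data', 0x1000, 0x2000, 0x200, 0x600),
    ]
    ldcfg_rva, ldcfg_size, cookie_rva = 0x2010, 0x5C, 0x2100
    img = bytearray(0x800)
    img[0:2] = b'MZ'
    struct.pack_into('<I', img, 0x3C, 0x40)                              # e_lfanew
    img[0x40:0x44] = b'PE\0\0'
    # IMAGE_FILE_HEADER: Machine=i386, 2 sections, SizeOfOptionalHeader=0xE0
    struct.pack_into('<HHIIIHH', img, 0x44, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = 0x58                                                            # IMAGE_OPTIONAL_HEADER32
    struct.pack_into('<H', img, opt, 0x10B)                               # Magic: PE32
    struct.pack_into('<I', img, opt + 16, 0x1000)                         # AddressOfEntryPoint
    struct.pack_into('<III', img, opt + 28, image_base, 0x1000, 0x200)    # ImageBase, SectionAlign, FileAlign
    struct.pack_into('<II', img, opt + 56, 0x3000, 0x400)                 # SizeOfImage, SizeOfHeaders
    struct.pack_into('<I', img, opt + 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into('<II', img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, ldcfg_rva, ldcfg_size)
    sec = opt + 0xE0                                                      # section table follows the optional header
    for i, (name, vsize, rva, rawsize, rawptr) in enumerate(sections):
        struct.pack_into('<8sIIIIIIHHI', img, sec + 40 * i, name, vsize, rva, rawsize, rawptr, 0, 0, 0, 0, 0)
    ld_raw = 0x610                                                        # RVA 0x2010 lands at raw 0x610 in .data
    struct.pack_into('<I', img, ld_raw, ldcfg_size)                       # LdConfig.Size
    struct.pack_into('<I', img, ld_raw + 0x3C, image_base + cookie_rva)   # LdConfig.SecurityCookie (a VA, tag 'V')
    struct.pack_into('<I', img, 0x700, 0xBB40E64E)                        # cookie slot; assumed 32-bit MSVC default
    return bytes(img)


def parse_pe(data):
    """Parse just enough of the headers for address conversion (PE32 and PE32+)."""
    if data[:2] != b'MZ':
        raise ValueError('no MZ header')
    e_lfanew, = struct.unpack_from('<I', data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('no PE signature at e_lfanew')
    fh = e_lfanew + 4
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from('<HHIIIHH', data, fh)
    opt = fh + 20
    magic, = struct.unpack_from('<H', data, opt)
    if magic == 0x10B:                                   # PE32: 4-byte ImageBase at +28
        bits, image_base = 32, struct.unpack_from('<I', data, opt + 28)[0]
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                                 # PE32+: 8-byte ImageBase at +24
        bits, image_base = 64, struct.unpack_from('<Q', data, opt + 24)[0]
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError('unknown optional header magic 0x%x' % magic)
    entry, = struct.unpack_from('<I', data, opt + 16)
    size_of_headers, = struct.unpack_from('<I', data, opt + 60)
    ndirs, = struct.unpack_from('<I', data, ndirs_off)
    dirs = [struct.unpack_from('<II', data, dirs_off + 8 * i) for i in range(min(ndirs, 16))]
    sec_off = opt + size_opt
    sections = []
    for i in range(nsec):
        name, vsize, rva, rawsize, rawptr = struct.unpack_from('<8sIIII', data, sec_off + 40 * i)
        sections.append({'name': name.rstrip(b'\0').decode('ascii', 'replace'),
                         'vsize': vsize, 'rva': rva, 'rawsize': rawsize, 'rawptr': rawptr})
    return {'bits': bits, 'image_base': image_base, 'entry_point': entry,
            'size_of_headers': size_of_headers, 'data_dirs': dirs, 'sections': sections}


def rva_to_raw(pe, rva):
    """RVA -> raw file offset (the 'Vr' direction); None if the RVA has no bytes in the file."""
    for s in pe['sections']:
        vsize = s['vsize'] or s['rawsize']               # some linkers leave VirtualSize at 0
        if s['rva'] <= rva < s['rva'] + vsize:
            delta = rva - s['rva']
            # beyond SizeOfRawData the section exists only in memory (zero-filled), not in the file
            return s['rawptr'] + delta if delta < s['rawsize'] else None
    return rva if rva < pe['size_of_headers'] else None  # headers are mapped 1:1


def raw_to_rva(pe, raw):
    """Raw file offset -> RVA (the 'Rv' direction); None for bytes that are never mapped."""
    for s in pe['sections']:
        if s['rawptr'] <= raw < s['rawptr'] + s['rawsize']:
            return s['rva'] + (raw - s['rawptr'])
    return raw if raw < pe['size_of_headers'] else None


def va_to_rva(pe, va):
    """A 'V'-tagged value is absolute: subtract ImageBase to get the 'v' (RVA) form."""
    return va - pe['image_base'] if va >= pe['image_base'] else None


def security_cookie(pe, data):
    """Follow LdConfig.SecurityCookie: returns (VA, raw offset of the cookie slot, value) or None."""
    if len(pe['data_dirs']) <= IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
        return None
    ld_rva, ld_size = pe['data_dirs'][IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]
    field_off, fmt = (0x3C, '<I') if pe['bits'] == 32 else (0x58, '<Q')  # SecurityCookie offset in LdConfig
    if ld_rva == 0 or ld_size < field_off + struct.calcsize(fmt):
        return None
    ld_raw = rva_to_raw(pe, ld_rva)
    if ld_raw is None:
        return None
    cookie_va, = struct.unpack_from(fmt, data, ld_raw + field_off)
    cookie_rva = va_to_rva(pe, cookie_va)
    cookie_raw = rva_to_raw(pe, cookie_rva) if cookie_rva is not None else None
    if cookie_raw is None:
        return (cookie_va, None, None)                   # VA points outside the file image
    value, = struct.unpack_from(fmt, data, cookie_raw)
    return (cookie_va, cookie_raw, value)


if __name__ == '__main__':
    data = build_sample_pe()
    pe = parse_pe(data)
    print('Bit mode: %d  Entry point: 0x%xv  ImageBase: 0x%x' % (pe['bits'], pe['entry_point'], pe['image_base']))
    for s in pe['sections']:
        print('%-6s RVA 0x%04x  raw 0x%03x' % (s['name'], s['rva'], s['rawptr']))
    print('Vr 0x2010 -> raw 0x%x' % rva_to_raw(pe, 0x2010))
    va, raw, value = security_cookie(pe, data)
    print('SecurityCookie VA 0x%x -> raw 0x%x, value 0x%08x' % (va, raw, value))
```

Two results are worth noting when reading a wrapper dump. An RVA that falls in a section's virtual-only tail (past SizeOfRawData) yields no raw offset at all, which is why an offset-tagged field can legitimately have nothing to fetch from the file. A V-tagged value that does not resolve inside any section or the headers is the kind of thing a malformed or deliberately tricky sample produces, and a tool that dereferences it blindly will read garbage or crash.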
Some wrappers have subentries; you can dump them using einfo, which asks for the wrapper number and then for the index of the entry to expand:

```
$ einfo
[ 0] DOS Hdr
[ 1] File Hdr
[ 2] Optional Hdr
[ 3] Data Directory
[ 4] Section Hdrs
[ 5] Imports
[12] LdConfig
wrapperNum: 5
------
[Imports]
size: 0x3c
fieldsCount: 2
[02D5] kernel32.dll : [00001120 _] [00000000 _] [00000000 _] [00001180 _] [00001160 _]
[02E9] msvcrt.dll : [00001128 _] [00000000 _] [00000000 _] [0000118D _] [00001168 _]
------
Dump subentries of Index: 1
------
[msvcrt.dll]
size: 0x14
fieldsCount: 5
[02E9] OriginalFirstThunk : [00001128 v]
[02ED] TimeDateStamp : [00000000 _]
[02F1] Forwarder : [00000000 _]
[02F5] NameRVA : [0000118D v]
[02F9] FirstThunk : [00001168 v]
------
------
[msvcrt.dll]
entriesCount: 1
Entry 0:
------
[[msvcrt.dll].printf]
size: 0x4
fieldsCount: 4
[0328] Original Thunk : [0000114E v]
[0368] Thunk : [0000114E v]
[034E] Hint : [0000 _]
------
```
Preview the content at a chosen offset: hR prints it as hex bytes, cR as raw characters (both ask for the raw offset first):

```
$ hR
raw: 0
Fetched:
4d 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 50 45 00 00 4c 10 10 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 20 10 b0 10 00 00 00 00 00 00 00 00 00 00
$ cR
raw: 0
Fetched:
MZ\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00PE\x00\x00L\x10\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe0\x00\x20\x10\xb0\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
$
```
Some PE files come with resources*, and then you can dump them like this (rs lists the resource types found, asks for the type number, and prints the wrappers of that type):

*(WARNING: not all resource types are supported yet)

```
$ rs
[ 1] Cursor
[ 2] Bitmap
[ 3] Icon
[ 4] Menu
[ 5] Dialog
[ 6] Strings
[ 9] Accelerator
[ 12] Cursors Group
[ 14] Icons Group
[ 16] Version
[ 24] Manifest
wrapper type: 16
Found in Resources: 18, wrappers: 1
------
[Version]
size: 0x5e
fieldsCount: 18
[98130] Length of Structure : [0374 _]
[98132] Length of Value : [0034 _]
[98134] Type of Structure : [0000 _]
[98136] Info : [VS_VERSION_INFO _]
[98158] Signature : [FEEF04BD _]
[9815C] Struct. Version : [00010000 _]
[98160] File Version : [000B0032 _]
[98164] File Version : [00000000 _]
[98168] Product Version : [000B0032 _]
[9816C] Product Version : [00000000 _]
[98170] File Flags mask : [0000003F _]
[98174] Flags : [00000000 _]
[98178] File OS : [00040004 _]
[9817C] File Type : [00000001 _]
[98180] File SubType : [00000000 _]
[98184] File Timestamp : [00000000 _]
[98188] File Timestamp : [00000000 _]
[9818C] Children : [02D4 _]
------
```
Strings from resources can be listed all together like this (each line gives the raw offset, the length in bytes, and the string):

```
$ rstrings
Total: 6
[ 9798e] [26] Refresh (F5)
[ 979aa] [10] Jump
[ 979ca] [28] Find (Ctrl+F)
[ 97a02] [22] Properties
[ 97a18] [32] Delete (Ctrl+D)
[ 97a3c] [28] Save (Ctrl+S)
$
```
~ hasherezade (@hasherezade), 2014-2015 ~