├── Makefile ├── README.md ├── disas_func.c ├── disas_func.h ├── disasx86_capstone.c ├── disasx86_capstone.h ├── disasx86_capstone_offset.c ├── disasx86_capstone_offset.h ├── general_analysis.c ├── general_analysis.h ├── hex_dump_sections.c ├── hex_dump_sections.h ├── imports.c ├── imports.h ├── main.c ├── pe_analyzer.h ├── sections.c ├── sections.h ├── strings_dump.c └── strings_dump.h /Makefile: -------------------------------------------------------------------------------- 1 | CC=gcc 2 | CFLAGS=-I 3 | 4 | OBJS= main.c disas_func.c disasx86_capstone.c disasx86_capstone_offset.c general_analysis.c hex_dump_sections.c imports.c sections.c strings_dump.c 5 | 6 | all: 7 | $(CC) $(OBJS) -lcapstone -o mft $(CFLAGS). 8 | clean: 9 | rm -rf mft 10 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Malware Fragmentation Tool 2 | 3 | Malware Fragmentation Tool its a tool that simply fragment the PE file and it can disassemble the PE file, etc this tool very useful for people who do malware research or analysis for pe_files 4 | 5 | capstone disassembly engine used in this project for disassembling 6 | 7 | > Note: that this tool is not finished yet and every time it will be an update. 8 | -------------------------------------------------------------------------------- /disas_func.c: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (C) 2014-2015 Motaz Reda 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published by 7 | * the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program; if not, write to motaz reda 17 | * motazkhodair@gmail.com 18 | * 19 | */ 20 | #include 21 | #include 22 | #include 23 | #include 24 | 25 | #include "disas_func.h" 26 | #include "pe_analyzer.h" 27 | 28 | 29 | void PrintToFile(char *instruction_ascii) 30 | { 31 | FILE *WrFile; 32 | WrFile = fopen("as_output.txt", "a"); 33 | if(WrFile ==NULL) { 34 | perror("cannot open file for write\n"); 35 | exit(1); 36 | } 37 | 38 | fprintf(WrFile, instruction_ascii); 39 | fprintf(WrFile, "\n"); 40 | fclose(WrFile); 41 | } 42 | 43 | 44 | void CheckFileExists() 45 | { 46 | if (fopen("as_output.txt", "r") != NULL) { 47 | printf("Removing Old File First\n"); 48 | remove("as_output.txt"); 49 | } 50 | } 51 | 52 | 53 | int RealFileOffset(unsigned char *buffer, int address) 54 | { 55 | IMAGE_DOS_HEADER *dos; 56 | IMAGE_NT_HEADERS *ntheader; 57 | IMAGE_IMPORT_DESCRIPTOR *import_desc; 58 | PIMAGE_THUNK_DATA *names; 59 | 60 | int n, section_size = 0; 61 | int data_dir; 62 | char *data_dir_desc; 63 | 64 | int import_count = 0; 65 | int offset = 0; 66 | int length = 0; 67 | 68 | dos = (IMAGE_DOS_HEADER *)buffer; 69 | 70 | unsigned char *PE_HEADER = (unsigned char *)malloc(sizeof(buffer[dos->e_lfanew]) * sizeof(unsigned char *) + 1); //allocate 71 | PE_HEADER = &buffer[dos->e_lfanew]; 72 | ntheader = (IMAGE_NT_HEADERS *)PE_HEADER; 73 | 74 | int g=0; 75 | int realoffset=0; 76 | int fileoffset = 0; 77 | // here we check if the address has imagebase included with it 78 | if(address & ntheader->op_header.ImageBase) { 79 | address = address - ntheader->op_header.ImageBase; 80 | // printf("the address withgout image base is %x\n", ntheader->op_header.ImageBase); 81 | } 82 | for(n=1;n<=ntheader->file_header.NumberOfSections;n++) { 83 | IMAGE_SECTION_HEADER *secheader = (IMAGE_SECTION_HEADER *)(PE_HEADER + sizeof(IMAGE_NT_HEADERS) + section_size); 84 | section_size += sizeof(IMAGE_SECTION_HEADER); 85 | // here we check for the address are its in a section or not 86 | if(address <= (secheader->VirtualAddress + secheader->VirtualSize) && 87 | address >= secheader->VirtualAddress) { 88 | fileoffset = (secheader->VirtualAddress - secheader->PointerToRawData); //this the pointer to row data to get the real offset 89 | // printf("\treal offset in disk is: %x for section %c%c%c%c%c%c%c%c\n", fileoffset, secheader->Name[0], secheader->Name[1], secheader->Name[2], secheader->Name[3], secheader->Name[4], secheader->Name[5], secheader->Name[6], secheader->Name[7]); 90 | offset = (address - fileoffset); 91 | // printf("the offset is %x\n", offset); 92 | } 93 | // we are comment this three line just for a while 94 | // else{ 95 | // offset = address; 96 | // } 97 | } 98 | // here we return the real offset of the address choosed 99 | return offset; 100 | } 101 | 102 | unsigned char *GetApi(int insns, unsigned char *buf) 103 | { 104 | int addr = RealFileOffset(buf, insns); 105 | 106 | unsigned char oneaddr, twoaddr; 107 | unsigned char *straddr; 108 | int realintaddr, intaddr; 109 | 110 | oneaddr = buf[addr]; 111 | twoaddr = buf[addr+1]; 112 | 113 | sprintf(straddr, "%x%x", twoaddr, oneaddr); 114 | intaddr = strtoul(straddr, NULL, 16); 115 | 116 | realintaddr = RealFileOffset(buf, intaddr); 117 | unsigned char *ApiName = &buf[realintaddr+2]; 118 | 119 | return ApiName; 120 | } -------------------------------------------------------------------------------- /disas_func.h: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (C) 2014-2015 Motaz Reda 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published by 7 | * the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program; if not, write to motaz reda 17 | * motazkhodair@gmail.com 18 | * 19 | */ 20 | #ifndef H_DISAS_FUNC 21 | #define H_DISAS_FUNC 22 | 23 | void PrintToFile(char *); 24 | 25 | void CheckFileExists(); 26 | 27 | int RealFileOffset(unsigned char *, int); 28 | 29 | unsigned char *GetApi(int, unsigned char *); 30 | 31 | #endif -------------------------------------------------------------------------------- /disasx86_capstone.c: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (C) 2014-2015 Motaz Reda 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published by 7 | * the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program; if not, write to motaz reda 17 | * motazkhodair@gmail.com 18 | * 19 | */ 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | 26 | #include "disasx86_capstone.h" 27 | #include "pe_analyzer.h" 28 | 29 | 30 | 31 | int DisassembleCap(unsigned char *buffer, char opt, unsigned char *filename, int file_len) 32 | { 33 | printf("file name is : %s\n", filename); 34 | printf("buffer is %s\n", buffer); 35 | printf("option is %c\n", opt); 36 | 37 | // here begin for getting the real entry point for every PE file 38 | IMAGE_DOS_HEADER *dos; 39 | IMAGE_NT_HEADERS *ntheader; 40 | 41 | int n, section_size = 0; 42 | int data_dir; 43 | char *data_dir_desc; 44 | int import_count = 0; 45 | int offset = 0; 46 | int length = 0; 47 | 48 | dos = (IMAGE_DOS_HEADER *)buffer; 49 | // End Dos Header 50 | // begin Pe Header 51 | unsigned char *PE_HEADER = (unsigned char *)malloc(sizeof(buffer[dos->e_lfanew]) * sizeof(unsigned char *) + 1); //allocate 52 | PE_HEADER = &buffer[dos->e_lfanew]; 53 | ntheader = (IMAGE_NT_HEADERS *)PE_HEADER; 54 | 55 | int g=0; 56 | int realoffset=0; 57 | int fileoffset = 0; 58 | for(n=1;n<=ntheader->file_header.NumberOfSections;n++) { 59 | IMAGE_SECTION_HEADER *secheader = (IMAGE_SECTION_HEADER *)(PE_HEADER + sizeof(IMAGE_NT_HEADERS) + section_size); 60 | section_size += sizeof(IMAGE_SECTION_HEADER); 61 | // here we check for the address are its in a section or not 62 | if(ntheader->op_header.AddressOfEntryPoint <= (secheader->VirtualAddress + secheader->VirtualSize) && 63 | ntheader->op_header.AddressOfEntryPoint >= secheader->VirtualAddress) { 64 | // realoffset = secheader->VirtualAddress - secheader->PointerToRawData; 65 | 66 | 67 | fileoffset = (secheader->VirtualAddress - secheader->PointerToRawData); //this the pointer to row data to get the real offset 68 | // realoffset = (ntheader->op_header.DataDirectory[data_dir].VirtualAddress - (secheader->VirtualAddress - secheader->PointerToRawData)); // and this is the real offset of the data directory 69 | printf("\treal offset in disk is: %x for section %c%c%c%c%c%c%c%c\n", fileoffset, secheader->Name[0], secheader->Name[1], secheader->Name[2], secheader->Name[3], secheader->Name[4], secheader->Name[5], secheader->Name[6], secheader->Name[7]); 70 | offset = (ntheader->op_header.AddressOfEntryPoint - fileoffset); 71 | printf("the offset is %x\n", offset); 72 | } 73 | } 74 | 75 | length = ntheader->op_header.BaseOfCode; 76 | int offset_file = 0; 77 | int buf_len = 0; 78 | unsigned char *buf = (unsigned char *)malloc(file_len - offset); 79 | for(offset_file=0 ; offset_file+offset!=file_len ; offset_file++) { 80 | buf[offset_file] = buffer[offset+offset_file]; 81 | buf_len++; 82 | } 83 | // here end of getting the entry point 84 | csh handle; 85 | cs_insn *insn; 86 | size_t count; 87 | int offsets = offset+fileoffset; 88 | printf("buffer size is %d\n", file_len); 89 | // printf("buf len is %d\n", buf_len); 90 | if(cs_open(CS_ARCH_X86, CS_MODE_32, &handle) != CS_ERR_OK) 91 | return -1; 92 | 93 | cs_option(handle, CS_OPT_SKIPDATA, CS_OPT_ON); 94 | cs_option(handle, CS_OPT_DETAIL, CS_OPT_ON); 95 | count = cs_disasm(handle, buf, length, offset+fileoffset, 0, &insn); 96 | if(count > 0) { 97 | size_t j; 98 | int n; 99 | 100 | for(j=0;jmnemonic, i->op_str); 106 | }else if(strstr(i->mnemonic, "call") != NULL){ 107 | int instruction; 108 | unsigned char *API; 109 | cs_detail *detail = i->detail; 110 | for(n=0;nregs_read_count;n++){ 111 | cs_x86_op *op = &(detail->x86.operands[n]); 112 | switch(op->type){ 113 | case X86_OP_MEM: 114 | printf("index is %x\n", op->mem.disp); 115 | instruction = op->mem.disp; 116 | break; 117 | default: 118 | printf("index is %x\n", op->reg); 119 | instruction = op->reg; 120 | break; 121 | } 122 | //API = GetApi(instruction, buffer); 123 | // printf("Api Name is %s\n", API); 124 | 125 | 126 | } 127 | printf("---->\x1B[35m\t[ 0x%08x ] : \t\x1B[32m%s\t\t%s\n", offsets, i->mnemonic, i->op_str); 128 | // free(op_bak); 129 | }else{ 130 | // print another instructions except jmp with green 131 | printf("\x1B[35m\t[ 0x%08x ] : \t\x1B[32m%s\t\t%s\n", offsets, i->mnemonic, i->op_str); 132 | } 133 | 134 | offsets += insn[j].size; // i decide to makeit manually :D 135 | } 136 | cs_free(insn, count); 137 | }else{ 138 | printf("failed disassemble\n"); 139 | 140 | } 141 | 142 | cs_close(&handle); 143 | return 0; 144 | } 145 | -------------------------------------------------------------------------------- /disasx86_capstone.h: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (C) 2014-2015 Motaz Reda 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published by 7 | * the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program; if not, write to motaz reda 17 | * motazkhodair@gmail.com 18 | * 19 | */ 20 | #ifndef H_DISASX86 21 | #define H_DISASX86 22 | 23 | int DisassembleCap(unsigned char *buffer, char opt, unsigned char *filename, int file_len); 24 | #endif -------------------------------------------------------------------------------- /disasx86_capstone_offset.c: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (C) 2014-2015 Motaz Reda 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published by 7 | * the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program; if not, write to motaz reda 17 | * motazkhodair@gmail.com 18 | * 19 | */ 20 | 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | 27 | #include "disasx86_capstone_offset.h" 28 | #include "pe_analyzer.h" 29 | 30 | 31 | 32 | int DisassembleCapOffset(unsigned char *buffer, char opt, unsigned char *second_option, int file_len, unsigned char *third_option) 33 | { 34 | // this option (third option) is responsible for disassemble where it find what and stop 35 | unsigned char *length = third_option; 36 | int offset = 0; 37 | int offset_file = 0; 38 | int buf_len=0; 39 | int offset_address = 0; 40 | // some unit testing ;) 41 | int offsets = strtoul(second_option, NULL, 16); 42 | offset = RealFileOffset(buffer, offsets); 43 | offset_address = offset; 44 | //printf("the real offset is %x\n", offset); 45 | printf("file len is %d\n", file_len); 46 | unsigned char *buf = (unsigned char *)malloc(file_len-offset); 47 | for(offset_file=0 ; offset_file+offset != file_len ; offset_file++) { 48 | buf[offset_file] = buffer[offset+offset_file]; 49 | buf_len++; 50 | } 51 | 52 | csh handle; 53 | 54 | cs_insn *insn; 55 | 56 | size_t count; 57 | 58 | if(cs_open(CS_ARCH_X86, CS_MODE_32, &handle) != CS_ERR_OK) 59 | return -1; 60 | 61 | cs_option(handle, CS_OPT_SKIPDATA, CS_OPT_ON); 62 | count = cs_disasm(handle, buf, buf_len, offset, 0, &insn); 63 | if(count > 0) { 64 | size_t j; 65 | 66 | for(j=0;j 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published by 7 | * the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program; if not, write to motaz reda 17 | * motazkhodair@gmail.com 18 | * 19 | */ 20 | 21 | #ifndef H_DISASX86_OFFSET 22 | #define H_DISASX86_OFFSET 23 | 24 | int DisassembleCapOffset(unsigned char *, char, unsigned char *, int, unsigned char *); 25 | 26 | #endif -------------------------------------------------------------------------------- /general_analysis.c: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (C) 2014-2015 Motaz Reda 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published by 7 | * the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program; if not, write to motaz reda 17 | * motazkhodair@gmail.com 18 | * 19 | */ 20 | 21 | #include 22 | #include 23 | #include 24 | #include 25 | 26 | #include "general_analysis.h" 27 | #include "pe_analyzer.h" 28 | 29 | 30 | void PeAnalyzer(unsigned char *buffer, char opt) 31 | { 32 | IMAGE_DOS_HEADER *dos; 33 | IMAGE_NT_HEADERS *ntheader; 34 | IMAGE_IMPORT_DESCRIPTOR *import_desc; 35 | IMAGE_EXPORT_DIRECTORY *export_desc; 36 | 37 | int n, section_size = 0; 38 | int data_dir; 39 | char *data_dir_desc; 40 | 41 | int import_count = 0; //for count imports 42 | 43 | printf("\x1B[34m\t########Begin Analyzing########\n"); 44 | if (opt == 'a'){ // all option to dump all information 45 | // Dos Header 46 | dos = (IMAGE_DOS_HEADER *)buffer; 47 | printf("\te_lfanew: %d\n", dos->e_lfanew); 48 | // End Dos Header 49 | // begin Pe Header 50 | unsigned char *PE_HEADER = (unsigned char *)malloc(sizeof(buffer[dos->e_lfanew])); //allocate 51 | PE_HEADER = &buffer[dos->e_lfanew]; 52 | ntheader = (IMAGE_NT_HEADERS *)PE_HEADER; 53 | // now print some useful fields for reverser 54 | printf("\t\x1B[33m######Information######\n"); 55 | printf("\t\x1B[33mSignature: (hex) %02x (ascii) %s\n", ntheader->Signature, &ntheader->Signature); 56 | printf("\t\x1B[33mMachine: %04x\n", ntheader->file_header.Machine); 57 | printf("\t\x1B[33mNumber Of Setions: %d\n", ntheader->file_header.NumberOfSections); 58 | printf("\t\x1B[33mTimeDateStamp: %d\n", ntheader->file_header.TimeDateStamp); 59 | printf("\t\x1B[33mAddress Of Entry Point: %4x\n", ntheader->op_header.AddressOfEntryPoint); 60 | printf("\t\x1B[33mSize Of Image: %4x\n", ntheader->op_header.ImageBase); 61 | printf("\t\x1B[33m######End Information######\n\n"); 62 | // end it here 63 | printf("\t\x1B[32m#####Section Header#####\n"); 64 | int g=0; 65 | int realoffset[ntheader->file_header.NumberOfSections]; 66 | for(n=1;n<=ntheader->file_header.NumberOfSections;n++) { 67 | IMAGE_SECTION_HEADER *secheader = (IMAGE_SECTION_HEADER *)(PE_HEADER + sizeof(IMAGE_NT_HEADERS) + section_size); 68 | section_size += sizeof(IMAGE_SECTION_HEADER); 69 | printf("\t\x1B[32mSection Name: %c%c%c%c%c%c%c%c\n", secheader->Name[0], secheader->Name[1], secheader->Name[2], secheader->Name[3], secheader->Name[4], secheader->Name[5], secheader->Name[6], secheader->Name[7]); 70 | printf("\t\x1B[32mVirtualSize: %04x\n", secheader->VirtualSize); 71 | printf("\t\x1B[32mVirtualAddress: %04x\n", secheader->VirtualAddress); 72 | printf("\t\x1B[32mSizeOfRawData: %04x\n", secheader->SizeOfRawData); 73 | printf("\t\x1B[32mRaw Data: %04x\n", secheader->PointerToRawData); 74 | printf("\t\x1B[32mPointerToRelocations: %04x\n", secheader->PointerToRelocations); 75 | printf("\t\x1B[32mPointerToLinenumbers: %04x\n", secheader->PointerToLinenumbers); 76 | printf("\t\x1B[32mNumberOfRelocations: %02x\n", secheader->NumberOfRelocations); 77 | printf("\t\x1B[32mNumberOfLinenumbers: %02x\n", secheader->NumberOfLinenumbers); 78 | printf("\t\x1B[32mCharacteristics: %04x\n", secheader->Characteristics); 79 | printf("\t\x1B[32m-------------------------\n"); 80 | realoffset[n] = secheader->VirtualAddress - secheader->PointerToRawData; 81 | // printf("\nsubstract this from any RVA in this section : %x\n", realoffset[n]); 82 | } 83 | printf("\t\x1B[32m#####End Of Sections#####\n\n"); 84 | // End Pe Header 85 | 86 | //Begin Dumping Data Directory 87 | printf("\t########Data Directories########\n\n"); 88 | // int data_dir 89 | // char *data_dir_desc 90 | for(data_dir=0;data_dirop_header.DataDirectory[data_dir].VirtualAddress); 147 | printf("\t\x1B[33mSize: %08x\n\n", ntheader->op_header.DataDirectory[data_dir].Size); 148 | // begin def variables 149 | int koko; 150 | section_size = 0; 151 | int realaddr; 152 | int fileoffset; 153 | int funcAddr; 154 | int CountFunc = 0; 155 | char *funcAddrStr = (char *)malloc(sizeof(short)); 156 | int checkOrd=0; 157 | char *checkOrdStr = (char *)malloc(sizeof(int)); 158 | int test; 159 | // data declaration for export 160 | int export_count = 0 ; 161 | int count_num_of_func = 0; 162 | char *ExAddrStr = (char *)malloc(sizeof(int)); 163 | int ExAddr = 0; 164 | // end it here 165 | // end def variables 166 | for(koko=1;koko<=ntheader->file_header.NumberOfSections;koko++) { 167 | IMAGE_SECTION_HEADER *secheader = (IMAGE_SECTION_HEADER *)(PE_HEADER + sizeof(IMAGE_NT_HEADERS) + section_size); 168 | section_size += sizeof(IMAGE_SECTION_HEADER); 169 | if(ntheader->op_header.DataDirectory[data_dir].VirtualAddress <= (secheader->VirtualAddress + secheader->VirtualSize) 170 | && ntheader->op_header.DataDirectory[data_dir].VirtualAddress >= secheader->VirtualAddress) 171 | { 172 | fileoffset = (secheader->VirtualAddress - secheader->PointerToRawData); //this the pointer to row data to get the real offset 173 | realaddr = (ntheader->op_header.DataDirectory[data_dir].VirtualAddress - (secheader->VirtualAddress - secheader->PointerToRawData)); // and this is the real offset of the data directory 174 | printf("\tOffset: %x\n", realaddr); 175 | printf("\tthe file offset: %x\n", fileoffset); 176 | printf("\tSection: %c%c%c%c%c%c%c%c\n", secheader->Name[0], secheader->Name[1], secheader->Name[2], secheader->Name[3], secheader->Name[4], secheader->Name[5], secheader->Name[6], secheader->Name[7]); 177 | } else { 178 | continue; 179 | } 180 | } 181 | if(data_dir == 0) { 182 | if(ntheader->op_header.DataDirectory[data_dir].VirtualAddress != 0) { 183 | export_desc = (IMAGE_EXPORT_DIRECTORY *)&buffer[realaddr]; 184 | printf("\t######################################################\n"); 185 | printf("\tCharacteristics %08x\n", export_desc->Characteristics); 186 | printf("\tTimeDateStamp %08x\n", export_desc->TimeDateStamp); 187 | printf("\tMajorVersion %04x\n", export_desc->MajorVersion); 188 | printf("\tMinorVersion %04x\n", export_desc->MinorVersion); 189 | if(isprint(buffer[export_desc->Name])) 190 | printf("\tName %s\n", &buffer[export_desc->Name]); 191 | else 192 | printf("\tName %x\n", export_desc->Name); 193 | 194 | printf("\tBase %08x\n", export_desc->Base); 195 | printf("\tNumberOfFunctions %08x\n", export_desc->NumberOfFunctions); 196 | printf("\tNumberOfNames %08x\n", export_desc->NumberOfNames); 197 | printf("\tAddressOfFunctions %08x\n", export_desc->AddressOfFunctions); 198 | printf("\tAddressOfNames %08x\n", export_desc->AddressOfNames); 199 | printf("\tAddressOfNameOrdinals %08x\n", export_desc->AddressOfNameOrdinals); 200 | printf("\t######################################################\n"); 201 | 202 | printf("\t#########################\n"); 203 | printf("\t# Func RVA Name #\n"); 204 | printf("\t#########################\n"); 205 | 206 | while(1) { 207 | if(count_num_of_func == export_desc->NumberOfFunctions) 208 | break; 209 | // printf("\tfunc RVA %02x%02x\n", buffer[export_desc->AddressOfFunctions + export_count + 1], buffer[export_desc->AddressOfFunctions + export_count]); 210 | sprintf(ExAddrStr, "%02x%02x%02x%02x", buffer[export_desc->AddressOfNames - fileoffset + export_count + 3], buffer[export_desc->AddressOfNames - fileoffset + export_count + 2], buffer[export_desc->AddressOfNames - fileoffset + export_count + 1], buffer[export_desc->AddressOfNames - fileoffset + export_count]); 211 | sscanf(ExAddrStr, "%08x", &ExAddr); 212 | // printf("\n%x\n", ExAddr); 213 | // printf("\t##########Name###########\n"); 214 | printf("\t %02x%02x\t\t%s\n", buffer[export_desc->AddressOfFunctions - fileoffset + export_count + 1], buffer[export_desc->AddressOfFunctions - fileoffset + export_count], &buffer[ExAddr - fileoffset]); 215 | // printf("\t############################\n"); 216 | export_count += 4; 217 | count_num_of_func++; 218 | } 219 | printf("\t############################\n"); 220 | } else { 221 | printf("\tNo Exports\n"); 222 | } 223 | // now focus on Import Descriptor Table 224 | } else if(data_dir == 1) { // if it Import Directory 225 | while(1) { 226 | import_desc = (IMAGE_IMPORT_DESCRIPTOR *)&buffer[realaddr + import_count]; 227 | if(import_desc->Characteristics == 0) { 228 | break; 229 | } 230 | // here we check if this module's function is ordinal or not 231 | // here we comment this fuckin line its drive me crazy realyyyy :( 232 | sprintf(checkOrdStr, "%02x%02x%02x%02x", buffer[import_desc->OriginFirstThunk.Ordinal+3-fileoffset], buffer[import_desc->OriginFirstThunk.Ordinal+2-fileoffset], buffer[import_desc->OriginFirstThunk.Ordinal+1-fileoffset], buffer[import_desc->OriginFirstThunk.Ordinal-fileoffset]); 233 | sscanf(checkOrdStr, "%08x", &checkOrd); 234 | // checkOrd = strtol(checkOrdStr, NULL, 16); 235 | // end of fuckin line :S 236 | 237 | // this two line below for modue check if it is function name or ordinal 238 | printf("\t####################\n"); 239 | printf("\tImport Name Table: %08x\n", import_desc->OriginFirstThunk.Function); 240 | printf("\tTimeDateStamp: %x\n", import_desc->TimeDateStamp); 241 | printf("\tForwarderChain: %x\n", import_desc->ForwarderChain); 242 | printf("\tName: %s\n", &buffer[import_desc->Name - fileoffset]); 243 | printf("\tImport Address Table: %x\n", import_desc->FirstThunk.Function - fileoffset); 244 | printf("\t####################\n"); 245 | if(checkOrd & IMAGE_ORDINAL_FLAG32) { 246 | printf("\t##########Ordinal###########\n"); 247 | printf("\t############################\n"); 248 | printf("\t# Ordinal Number #\n"); 249 | printf("\t############################\n"); 250 | } else { 251 | printf("\t##########Function##########\n"); 252 | printf("\t######################################\n"); 253 | printf("\t# Hint\t\tFunction Name #\n"); 254 | printf("\t######################################\n"); 255 | } 256 | while(1) { 257 | if(buffer[import_desc->OriginFirstThunk.Function - fileoffset + CountFunc + 1] == 0x00 && buffer[import_desc->OriginFirstThunk.Function - fileoffset + CountFunc] == 0x00){ 258 | break; 259 | } 260 | sprintf(funcAddrStr, "%02x%02x%02x%02x", buffer[import_desc->OriginFirstThunk.Function - fileoffset + CountFunc + 3], buffer[import_desc->OriginFirstThunk.Function - fileoffset + CountFunc + 2], buffer[import_desc->OriginFirstThunk.Function - fileoffset + CountFunc + 1], buffer[import_desc->OriginFirstThunk.Function - fileoffset + CountFunc]); 261 | // funcAddr = strtol(funcAddrStr, NULL, 16); 262 | sscanf(funcAddrStr, "%08x", &funcAddr); 263 | // check if its ordinal or not 264 | if(funcAddr & IMAGE_ORDINAL_FLAG32) // its ordinal not a function 265 | printf("\t%08x\n", funcAddr); 266 | else 267 | printf("\t%02x%02x\t\t%s\n", buffer[funcAddr-fileoffset+1], buffer[funcAddr-fileoffset], &buffer[funcAddr-fileoffset+2]); 268 | // end of check here 269 | funcAddr=0; 270 | CountFunc+=4; 271 | } 272 | CountFunc=0; 273 | printf("\t############################\n"); 274 | printf("\n\n"); 275 | import_count += sizeof(IMAGE_IMPORT_DESCRIPTOR); 276 | } 277 | 278 | } 279 | // end of Import Descriptor Table 280 | } 281 | } 282 | } 283 | -------------------------------------------------------------------------------- /general_analysis.h: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (C) 2014-2015 Motaz Reda 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published by 7 | * the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program; if not, write to motaz reda 17 | * motazkhodair@gmail.com 18 | * 19 | */ 20 | #ifndef H_GENERAL_ANALYSIS 21 | #define H_GENERAL_ANALYSIS 22 | void PeAnalyzer(unsigned char *, char); 23 | #endif 24 | -------------------------------------------------------------------------------- /hex_dump_sections.c: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (C) 2014-2015 Motaz Reda 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published by 7 | * the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program; if not, write to motaz reda 17 | * motazkhodair@gmail.com 18 | * 19 | */ 20 | #include 21 | #include 22 | #include 23 | #include 24 | 25 | #include "hex_dump_sections.h" 26 | #include "pe_analyzer.h" 27 | 28 | 29 | 30 | void DumpSecHex(unsigned char *buffer, char opt, unsigned char *sectionname) 31 | { 32 | IMAGE_DOS_HEADER *dos; 33 | IMAGE_NT_HEADERS *ntheader; 34 | 35 | int n, section_size = 0; 36 | int data_dir; 37 | char *data_dir_desc; 38 | unsigned char *section = (unsigned char *)malloc(8); 39 | int import_count = 0; //for count imports 40 | 41 | printf("\t\x1B[33m########Dumping Section As Hex########\n"); 42 | // Dos Header 43 | dos = (IMAGE_DOS_HEADER *)buffer; 44 | // End Dos Header 45 | // begin Pe Header 46 | unsigned char *PE_HEADER = (unsigned char *)malloc(sizeof(buffer[dos->e_lfanew])); //allocate 47 | PE_HEADER = &buffer[dos->e_lfanew]; 48 | ntheader = (IMAGE_NT_HEADERS *)PE_HEADER; 49 | // printf("\t#####Section Header#####\n"); 50 | int g=0; 51 | int counter = 0, counter2 = 0; 52 | int result_section; 53 | int realoffset[ntheader->file_header.NumberOfSections]; 54 | for(n=1;n<=ntheader->file_header.NumberOfSections;n++) { 55 | IMAGE_SECTION_HEADER *secheader = (IMAGE_SECTION_HEADER *)(PE_HEADER + sizeof(IMAGE_NT_HEADERS) + section_size); 56 | section_size += sizeof(IMAGE_SECTION_HEADER); 57 | sprintf(section, "%c%c%c%c%c%c%c%c", secheader->Name[0], secheader->Name[1], secheader->Name[2], secheader->Name[3], secheader->Name[4], secheader->Name[5], secheader->Name[6], secheader->Name[7]); 58 | if(strcmp(sectionname, section) == 0) { 59 | printf("\tSection Name: %c%c%c%c%c%c%c%c\n", secheader->Name[0], secheader->Name[1], secheader->Name[2], secheader->Name[3], secheader->Name[4], secheader->Name[5], secheader->Name[6], secheader->Name[7]); 60 | printf("\tVirtualSize: %04x\n", secheader->VirtualSize); 61 | printf("\tVirtualAddress: %04x\n", secheader->VirtualAddress); 62 | printf("\tSizeOfRawData: %04x\n", secheader->SizeOfRawData); 63 | printf("\tRaw Data: %04x\n", secheader->PointerToRawData); 64 | printf("\tPointerToRelocations: %04x\n", secheader->PointerToRelocations); 65 | printf("\tPointerToLinenumbers: %04x\n", secheader->PointerToLinenumbers); 66 | printf("\tNumberOfRelocations: %02x\n", secheader->NumberOfRelocations); 67 | printf("\tNumberOfLinenumbers: %02x\n", secheader->NumberOfLinenumbers); 68 | printf("\tCharacteristics: %04x\n", secheader->Characteristics); 69 | printf("\t-------------------------\n"); 70 | 71 | printf("\tPrinting Hex Dump For This Section\n"); 72 | g=0; 73 | counter = 0; 74 | counter2 = 0; 75 | for(g = secheader->PointerToRawData ; g < (secheader->PointerToRawData + secheader->SizeOfRawData) ; g++) { 76 | if(counter2 == 0) 77 | printf("0x%04x\t\t", counter2); 78 | if(counter == 8) { 79 | printf(" "); 80 | } else if(counter == 16) { 81 | printf("\n"); 82 | printf("0x%04x\t\t", counter2); 83 | counter = 0; 84 | } 85 | printf("%02x ", buffer[g]); 86 | counter++; 87 | counter2++; 88 | } 89 | printf("\n"); 90 | realoffset[n] = secheader->VirtualAddress - secheader->PointerToRawData; 91 | } else if(strcmp(sectionname, section) != 0 && n < ntheader->file_header.NumberOfSections) { 92 | continue; 93 | } 94 | } 95 | } 96 | -------------------------------------------------------------------------------- /hex_dump_sections.h: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (C) 2014-2015 Motaz Reda 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published by 7 | * the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program; if not, write to motaz reda 17 | * motazkhodair@gmail.com 18 | * 19 | */ 20 | #ifndef H_HEX_DUMP 21 | #define H_HEX_DUMP 22 | 23 | void DumpSecHex(unsigned char *, char, unsigned char *); 24 | 25 | #endif -------------------------------------------------------------------------------- /imports.c: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (C) 2014-2015 Motaz Reda 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published by 7 | * the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program; if not, write to motaz reda 17 | * motazkhodair@gmail.com 18 | * 19 | */ 20 | #include 21 | #include 22 | #include 23 | #include 24 | 25 | #include "imports.h" 26 | #include "pe_analyzer.h" 27 | 28 | 29 | 30 | void DumpImports(unsigned char *buffer, char opt) 31 | { 32 | IMAGE_DOS_HEADER *dos; 33 | IMAGE_NT_HEADERS *ntheader; 34 | IMAGE_IMPORT_DESCRIPTOR *import_desc; 35 | 36 | int n, section_size = 0; 37 | int data_dir; 38 | char *data_dir_desc; 39 | 40 | int import_count = 0; //for count imports 41 | 42 | printf("\t\x1B[33m########Dumping Imports########\n"); 43 | // Dos Header 44 | dos = (IMAGE_DOS_HEADER *)buffer; 45 | // End Dos Header 46 | // begin Pe Header 47 | unsigned char *PE_HEADER = (unsigned char *)malloc(sizeof(buffer[dos->e_lfanew])); //allocate 48 | PE_HEADER = &buffer[dos->e_lfanew]; 49 | ntheader = (IMAGE_NT_HEADERS *)PE_HEADER; 50 | 51 | int g=0; 52 | // End Pe Header 53 | 54 | //Begin Dumping Data Directory 55 | 56 | for(data_dir=0;data_dirop_header.DataDirectory[data_dir].VirtualAddress); 113 | // printf("\tSize: %08x\n\n", ntheader->op_header.DataDirectory[data_dir].Size); 114 | // begin def variables 115 | int koko; 116 | section_size = 0; 117 | int realaddr; 118 | int fileoffset; 119 | int funcAddr; 120 | int CountFunc = 0; 121 | char *funcAddrStr = (char *)malloc(sizeof(short)); 122 | int checkOrd; 123 | char *checkOrdStr = (char *)malloc(sizeof(int)); 124 | // end def variables 125 | for(koko=1;koko<=ntheader->file_header.NumberOfSections;koko++) { 126 | IMAGE_SECTION_HEADER *secheader = (IMAGE_SECTION_HEADER *)(PE_HEADER + sizeof(IMAGE_NT_HEADERS) + section_size); 127 | section_size += sizeof(IMAGE_SECTION_HEADER); 128 | if(ntheader->op_header.DataDirectory[data_dir].VirtualAddress <= (secheader->VirtualAddress + secheader->VirtualSize) 129 | && ntheader->op_header.DataDirectory[data_dir].VirtualAddress >= secheader->VirtualAddress) 130 | { 131 | fileoffset = (secheader->VirtualAddress - secheader->PointerToRawData); //this the pointer to row data to get the real offset 132 | realaddr = (ntheader->op_header.DataDirectory[data_dir].VirtualAddress - (secheader->VirtualAddress - secheader->PointerToRawData)); // and this is the real offset of the data directory 133 | } else { 134 | continue; 135 | } 136 | } 137 | // now focus on Import Descriptor Table 138 | // if(opt == 'i'){ // if import option choosed 139 | if(data_dir == 1) { // if it Import Directory 140 | // printf("IMPORT Address: %08x\n", ntheader->op_header.DataDirectory[data_dir].VirtualAddress); 141 | while(1){ 142 | import_desc = (IMAGE_IMPORT_DESCRIPTOR *)&buffer[realaddr + import_count]; 143 | if(import_desc->Characteristics == 0) { 144 | break; 145 | } 146 | // here we check if this module's function is ordinal or not 147 | sprintf(checkOrdStr, "%02x%02x%02x%02x", buffer[import_desc->OriginFirstThunk.Ordinal+3 - fileoffset], buffer[import_desc->OriginFirstThunk.Ordinal+2 - fileoffset], buffer[import_desc->OriginFirstThunk.Ordinal+1 - fileoffset], buffer[import_desc->OriginFirstThunk.Ordinal - fileoffset]); 148 | sscanf(checkOrdStr, "%08x", &checkOrd); 149 | // this two line below for modue check if it is function name or ordinal 150 | printf("\t#########################################################\n"); 151 | printf("\t# Import Name Table: %08x\n", import_desc->OriginFirstThunk.Function); 152 | printf("\t# TimeDateStamp: %x\n", import_desc->TimeDateStamp); 153 | printf("\t# ForwarderChain: %x\n", import_desc->ForwarderChain); 154 | printf("\t# Name: %s\n", &buffer[import_desc->Name - fileoffset]); 155 | printf("\t# Import Address Table: %x\n", import_desc->FirstThunk.Function - fileoffset); 156 | printf("\t#########################################################\n"); 157 | 158 | if(checkOrd & IMAGE_ORDINAL_FLAG32) { 159 | printf("\t##########Ordinal###########\n"); 160 | printf("\t############################\n"); 161 | printf("\t# Ordinal Number #\n"); 162 | printf("\t############################\n"); 163 | } else { 164 | printf("\t##########Function##########\n"); 165 | printf("\t######################################\n"); 166 | printf("\t# Hint\t\tFunction Name #\n"); 167 | printf("\t######################################\n"); 168 | } 169 | while(1) { 170 | if(buffer[import_desc->OriginFirstThunk.Function - fileoffset + CountFunc + 1] == 0x00 && buffer[import_desc->OriginFirstThunk.Function - fileoffset + CountFunc] == 0x00) { 171 | break; 172 | } 173 | sprintf(funcAddrStr, "%02x%02x%02x%02x", buffer[import_desc->OriginFirstThunk.Function - fileoffset + CountFunc + 3], buffer[import_desc->OriginFirstThunk.Function - fileoffset + CountFunc + 2], buffer[import_desc->OriginFirstThunk.Function - fileoffset + CountFunc + 1], buffer[import_desc->OriginFirstThunk.Function - fileoffset + CountFunc]); 174 | sscanf(funcAddrStr, "%08x", &funcAddr); 175 | // check if its ordinal or not 176 | if(funcAddr & IMAGE_ORDINAL_FLAG32) // its ordinal not a function 177 | printf("\t%08x\n", funcAddr); 178 | else 179 | printf("\t%02x%02x\t\t%s\n", buffer[funcAddr-fileoffset+1], buffer[funcAddr-fileoffset], &buffer[funcAddr-fileoffset+2]); 180 | 181 | // printf("\t%s\n", &buffer[funcAddr-fileoffset+2]); 182 | // end of check here 183 | funcAddr=0; 184 | CountFunc+=4; 185 | } 186 | CountFunc=0; 187 | printf("\t#####################################################\n"); 188 | printf("\n\n"); 189 | import_count += sizeof(IMAGE_IMPORT_DESCRIPTOR); 190 | } 191 | } 192 | // end of Import Descriptor Table 193 | } 194 | //End Dumping Data Directory 195 | } 196 | -------------------------------------------------------------------------------- /imports.h: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (C) 2014-2015 Motaz Reda 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published by 7 | * the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program; if not, write to motaz reda 17 | * motazkhodair@gmail.com 18 | * 19 | */ 20 | #ifndef H_IMPORTS 21 | #define H_IMPORTS 22 | 23 | void DumpImports(unsigned char *, char); 24 | 25 | #endif -------------------------------------------------------------------------------- /main.c: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (C) 2014-2015 Motaz Reda 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published by 7 | * the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program; if not, write to motaz reda 17 | * motazkhodair@gmail.com 18 | * 19 | */ 20 | 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include "pe_analyzer.h" 26 | 27 | 28 | #define DEFAULT "no" 29 | #define DEFAULT2 1 30 | #define DEFAULT3 "no" 31 | #define REV(X) ((X << 24) | (((X>>16)<<24)>>16) | (((X<<16)>>24)<<16) | (X>>24)) 32 | 33 | void Usage(char *filename) 34 | { 35 | printf("\n\x1B[33m#############################################\n"); 36 | printf("\x1B[33m# Malware Fragmentation Tool 0.1 #\n"); 37 | printf("\x1B[33m# Author : Motaz Reda #\n"); 38 | printf("\x1B[33m# Email: motazkhodair(at)gmail(dot)com #\n"); 39 | printf("\x1B[33m#############################################\n"); 40 | printf("\x1B[33mUsage: \n"); 41 | printf("\x1B[33m\t-a for display all Information analyzed\n"); 42 | printf("\x1B[33m\t-I for display import table information\n"); 43 | printf("\x1B[33m\t-n
for display section information\n"); 44 | printf("\x1B[33m\t-N
for display hex dump for section choosed information\n"); 45 | printf("\x1B[33m\t-s Dump all sections information\n"); 46 | printf("\x1B[33m\t-S
dump Strings for choosed secion \n"); 47 | printf("\x1B[33m\t-f Disassemble Flow Oriented from default Entry Point\n"); 48 | printf("\x1B[33m\t-c Disassemble for specifiec offset\n"); 49 | exit(0); 50 | } 51 | 52 | 53 | void GetSection(unsigned char *buffer, char opt, unsigned char *sectionname) 54 | { 55 | IMAGE_DOS_HEADER *dos; 56 | IMAGE_NT_HEADERS *ntheader; 57 | 58 | int n, section_size = 0; 59 | int data_dir; 60 | char *data_dir_desc; 61 | unsigned char *section = (unsigned char *)malloc(8); 62 | int import_count = 0; //for count imports 63 | 64 | printf("\t########Begin Analyzing########\n"); 65 | // Dos Header 66 | dos = (IMAGE_DOS_HEADER *)buffer; 67 | // End Dos Header 68 | // begin Pe Header 69 | unsigned char *PE_HEADER = (unsigned char *)malloc(sizeof(buffer[dos->e_lfanew])); //allocate 70 | PE_HEADER = &buffer[dos->e_lfanew]; 71 | ntheader = (IMAGE_NT_HEADERS *)PE_HEADER; 72 | // printf("\t#####Section Header#####\n"); 73 | int g=0; 74 | int result_section; 75 | int realoffset[ntheader->file_header.NumberOfSections]; 76 | for(n=1;n<=ntheader->file_header.NumberOfSections;n++) { 77 | IMAGE_SECTION_HEADER *secheader = (IMAGE_SECTION_HEADER *)(PE_HEADER + sizeof(IMAGE_NT_HEADERS) + section_size); 78 | section_size += sizeof(IMAGE_SECTION_HEADER); 79 | sprintf(section, "%c%c%c%c%c%c%c%c", secheader->Name[0], secheader->Name[1], secheader->Name[2], secheader->Name[3], secheader->Name[4], secheader->Name[5], secheader->Name[6], secheader->Name[7]); 80 | if(strcmp(sectionname, section) == 0) { 81 | printf("\tSection Name: %c%c%c%c%c%c%c%c\n", secheader->Name[0], secheader->Name[1], secheader->Name[2], secheader->Name[3], secheader->Name[4], secheader->Name[5], secheader->Name[6], secheader->Name[7]); 82 | printf("\tVirtualSize: %04x\n", secheader->VirtualSize); 83 | printf("\tVirtualAddress: %04x\n", secheader->VirtualAddress); 84 | printf("\tSizeOfRawData: %04x\n", secheader->SizeOfRawData); 85 | printf("\tRaw Data: %04x\n", secheader->PointerToRawData); 86 | printf("\tPointerToRelocations: %04x\n", secheader->PointerToRelocations); 87 | printf("\tPointerToLinenumbers: %04x\n", secheader->PointerToLinenumbers); 88 | printf("\tNumberOfRelocations: %02x\n", secheader->NumberOfRelocations); 89 | printf("\tNumberOfLinenumbers: %02x\n", secheader->NumberOfLinenumbers); 90 | printf("\tCharacteristics: %04x\n", secheader->Characteristics); 91 | printf("\t-------------------------\n"); 92 | realoffset[n] = secheader->VirtualAddress - secheader->PointerToRawData; 93 | }else if(strcmp(sectionname, section) != 0 && n < ntheader->file_header.NumberOfSections){ 94 | continue; 95 | }else{ 96 | printf("\tSection Not Found : %s (use -s option for listing all sections)\n"); 97 | break; 98 | } 99 | 100 | // printf("\nsubstract this from any RVA in this section : %x\n", realoffset[n]); 101 | } 102 | // printf("\t#####End Of Sections#####\n\n"); 103 | // End Pe Header 104 | printf("Got section name : %s\n", sectionname); 105 | } 106 | 107 | 108 | void CheckFormat(unsigned char *buffer, char opt, unsigned char *extraopt, int extraopt2, unsigned char *extraopt3) 109 | { 110 | // here we check file format we will begin with PE and ELF 111 | void *name; 112 | if(buffer[0] == 0x7f && buffer[1] == 0x45){ 113 | printf("this file is ELF \n"); 114 | }else if(buffer[0] == 0x4d && buffer[1] == 0x5a){ 115 | printf("this file is PE file\n"); 116 | if(opt == 'a') 117 | PeAnalyzer(buffer, opt); 118 | else if(opt == 'I') 119 | DumpImports(buffer, opt); 120 | else if(opt == 's') 121 | ListSections(buffer, opt); 122 | else if(opt == 'n') 123 | GetSection(buffer, opt, extraopt); 124 | else if(opt == 'N') 125 | DumpSecHex(buffer, opt, extraopt); 126 | else if(opt == 'S') 127 | DumpStrings(buffer, opt, extraopt); 128 | else if(opt == 'f') 129 | DisassembleCap(buffer, opt, extraopt, extraopt2); 130 | else if(opt == 'c') 131 | DisassembleCapOffset(buffer, opt, extraopt, extraopt2, extraopt3); 132 | } 133 | } 134 | 135 | 136 | int main(int argc, char **argv) 137 | { 138 | if(argc < 2){ 139 | Usage(argv[0]); 140 | return(0); 141 | } 142 | // usage begin 143 | int option = 0; 144 | char optgot; 145 | // usage end 146 | int i, file_len; 147 | FILE *f; 148 | unsigned char *buffer; 149 | 150 | while ((option = getopt(argc, argv, "h:a:I:s:n:N:S:f:c:")) != -1){ 151 | switch(option){ 152 | case 'a': 153 | printf("file name inserted is %s\n", optarg); 154 | f = fopen(optarg, "rb"); 155 | // now printing file size 156 | fseek(f, 0, SEEK_END); 157 | file_len = ftell(f); 158 | fseek(f, 0, SEEK_SET); 159 | printf("file size: %d KB\n", file_len / 1024); 160 | buffer = (unsigned char *)malloc(file_len); //allocate 161 | // now time to read the contents of the file 162 | fread(buffer, file_len, 1, f); 163 | CheckFormat(buffer, 'a', DEFAULT, DEFAULT2, DEFAULT3); 164 | free(buffer); 165 | fclose(f); 166 | break; 167 | case 'I': 168 | printf("file name inserted is %s\n", optarg); 169 | f = fopen(optarg, "rb"); 170 | // now printing file size 171 | fseek(f, 0, SEEK_END); 172 | file_len = ftell(f); 173 | fseek(f, 0, SEEK_SET); 174 | printf("file size: %d bytes\n", file_len); 175 | buffer = (unsigned char *)malloc(file_len); //allocate 176 | // now time to read the contents of the file 177 | fread(buffer, file_len, 1, f); 178 | CheckFormat(buffer, 'I', DEFAULT, DEFAULT2, DEFAULT3); 179 | fclose(f); 180 | break; 181 | case 's': 182 | printf("file name inserted is %s\n", optarg); 183 | f = fopen(optarg, "rb"); 184 | // now printing file size 185 | fseek(f, 0, SEEK_END); 186 | file_len = ftell(f); 187 | fseek(f, 0, SEEK_SET); 188 | printf("file size: %d bytes\n", file_len); 189 | buffer = (unsigned char *)malloc(file_len); //allocate 190 | // now time to read the contents of the file 191 | fread(buffer, file_len, 1, f); 192 | CheckFormat(buffer, 's', DEFAULT, DEFAULT2, DEFAULT3); 193 | fclose(f); 194 | break; 195 | case 'n': 196 | if(argc < 4){ 197 | printf("option not completed -n
\n"); 198 | exit(-1); 199 | } 200 | printf("file name inserted is %s\n", argv[3]); 201 | f = fopen(argv[3], "rb"); 202 | // now printing file size 203 | fseek(f, 0, SEEK_END); 204 | file_len = ftell(f); 205 | fseek(f, 0, SEEK_SET); 206 | printf("file size: %d bytes\n", file_len); 207 | buffer = (unsigned char *)malloc(file_len); //allocate 208 | // now time to read the contents of the file 209 | fread(buffer, file_len, 1, f); 210 | // printf("you choosed option with arg %s, %s", optarg, argv[3]); 211 | CheckFormat(buffer, 'n', optarg, DEFAULT2, DEFAULT3); 212 | fclose(f); 213 | break; 214 | case 'N': 215 | if(argc < 4){ 216 | printf("option not completed -N
\n"); 217 | exit(-1); 218 | } 219 | printf("file name inserted is %s\n", argv[3]); 220 | f = fopen(argv[3], "rb"); 221 | // now printing file size 222 | fseek(f, 0, SEEK_END); 223 | file_len = ftell(f); 224 | fseek(f, 0, SEEK_SET); 225 | printf("file size: %d bytes\n", file_len); 226 | buffer = (unsigned char *)malloc(file_len); //allocate 227 | // now time to read the contents of the file 228 | fread(buffer, file_len, 1, f); 229 | // printf("you choosed option with arg %s, %s", optarg, argv[3]); 230 | CheckFormat(buffer, 'N', optarg, DEFAULT2, DEFAULT3); 231 | fclose(f); 232 | break; 233 | case 'S': 234 | if(argc < 4){ 235 | printf("option not completed -S
\n"); 236 | exit(-1); 237 | } 238 | printf("file name inserted is %s\n", argv[3]); 239 | f = fopen(argv[3], "rb"); 240 | // now printing file size 241 | fseek(f, 0, SEEK_END); 242 | file_len = ftell(f); 243 | fseek(f, 0, SEEK_SET); 244 | printf("file size: %d bytes\n", file_len); 245 | buffer = (unsigned char *)malloc(file_len); //allocate 246 | // now time to read the contents of the file 247 | fread(buffer, file_len, 1, f); 248 | // printf("you choosed option with arg %s, %s", optarg, argv[3]); 249 | CheckFormat(buffer, 'S', optarg, DEFAULT2, DEFAULT3); 250 | fclose(f); 251 | break; 252 | case 'f': 253 | f = fopen(optarg, "rb"); 254 | // // now printing file size 255 | fseek(f, 0, SEEK_END); 256 | file_len = ftell(f); 257 | fseek(f, 0, SEEK_SET); 258 | printf("file size: %d KB\n", file_len / 1024); 259 | buffer = (unsigned char *)malloc(file_len); //allocate 260 | // // now time to read the contents of the file 261 | fread(buffer, file_len, 1, f); 262 | CheckFormat(buffer, 'f', optarg, file_len, DEFAULT3); 263 | free(buffer); 264 | fclose(f); 265 | // fclose(fopdis); 266 | break; 267 | case 'c': 268 | if(argc < 4){ 269 | printf("option not completed -c \n"); 270 | exit(-1); 271 | } 272 | printf("file name inserted is %s\n", argv[4]); 273 | f = fopen(argv[4], "rb"); 274 | // now printing file size 275 | fseek(f, 0, SEEK_END); 276 | file_len = ftell(f); 277 | fseek(f, 0, SEEK_SET); 278 | printf("file size: %d bytes\n", file_len); 279 | buffer = (unsigned char *)malloc(file_len); //allocate 280 | // now time to read the contents of the file 281 | fread(buffer, file_len, 1, f); 282 | // printf("you choosed option with arg %s, %s", optarg, argv[3]); 283 | CheckFormat(buffer, 'c', optarg, file_len, argv[3]); 284 | fclose(f); 285 | break; 286 | default: 287 | Usage(argv[0]); 288 | // printf("Please Choose nicely\n"); 289 | exit(-1); 290 | } 291 | } 292 | return(0); 293 | } 294 | -------------------------------------------------------------------------------- /pe_analyzer.h: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (C) 2014-2015 Motaz Reda 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published by 7 | * the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program; if not, write to motaz reda 17 | * motazkhodair@gmail.com 18 | * 19 | */ 20 | #ifndef H_PE_ANALYZER 21 | #define H_PE_ANALYZER 22 | 23 | #define IMAGE_DOS_SIGNATURE 0x5A4D // MZ 24 | #define IMAGE_OS2_SIGNATURE 0x454E // NE 25 | #define IMAGE_OS2_SIGNATURE_LE 0x454C // LE 26 | #define IMAGE_NT_SIGNATURE 0x00004550 // PE00 27 | 28 | #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16 29 | #define IMAGE_SIZEOF_SHORT_NAME 8 30 | 31 | #define IMAGE_FILE_RELOCS_STRIPPED 0x0001 32 | #define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 33 | #define IMAGE_FILE_NUMS_STRIPPED 0x0004 34 | #define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008 35 | #define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010 36 | #define IAMGE_FILE_LARGE_ADDRESS_AWARE 0x0020 37 | #define IMAGE_FILE_BYTES_RESERVED_LO 0x0080 38 | #define IAMGE_FILE_32BIT_MACHINE 0x0100 39 | #define IMAGE_FILE_DEBUG_STRIPPED 0x0200 40 | #define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400 41 | #define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800 42 | #define IMAGE_FILE_SYSTEM 0x1000 43 | #define IMAGE_FILE_DLL 0x2000 44 | #define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000 45 | #define IMAGE_FILE_BYTES_REVERSED_HI 0x8000 46 | 47 | #define IMAGE_ORDINAL_FLAG32 0x80000000 48 | 49 | typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header 50 | unsigned short e_magic; // Magic number 51 | unsigned short e_cblp; // Bytes on last page of file 52 | unsigned short e_cp; // Pages in file 53 | unsigned short e_crlc; // Relocations 54 | unsigned short e_cparhdr; // Size of header in paragraphs 55 | unsigned short e_minalloc; // Minimum extra paragraphs needed 56 | unsigned short e_maxalloc; // Maximum extra paragraphs needed 57 | unsigned short e_ss; // Initial (relative) SS value 58 | unsigned short e_sp; // Initial SP value 59 | unsigned short e_csum; // Checksum 60 | unsigned short e_ip; // Initial IP value 61 | unsigned short e_cs; // Initial (relative) CS value 62 | unsigned short e_lfarlc; // File address of relocation table 63 | unsigned short e_ovno; // Overlay number 64 | unsigned short e_res01; // Reserved words 65 | unsigned short e_res02; // Reserved words 66 | unsigned short e_res03; // Reserved words 67 | unsigned short e_res04; // Reserved words 68 | unsigned short e_oemid; // OEM identifier (for e_oeminfo) 69 | unsigned short e_oeminfo; // OEM information; e_oemid specific 70 | unsigned short e_res1; // Reserved words 71 | unsigned short e_res2; // Reserved words 72 | unsigned short e_res3; // Reserved words 73 | unsigned short e_res4; // Reserved words 74 | unsigned short e_res5; // Reserved words 75 | unsigned short e_res6; // Reserved words 76 | unsigned short e_res7; // Reserved words 77 | unsigned short e_res8; // Reserved words 78 | unsigned short e_res9; // Reserved words 79 | unsigned short e_res10; // Reserved words 80 | // unsigned short e_res2; // Reserved words 81 | unsigned short e_lfanew; // File address of new exe header 82 | } IMAGE_DOS_HEADER; 83 | 84 | typedef struct _IMAGE_IMPORT_BY_NAME { 85 | unsigned short Hint; 86 | unsigned char Name[1]; 87 | } IMAGE_IMPORT_BY_NAME; 88 | 89 | typedef struct _PIMAGE_THUNK_DATA { 90 | union { 91 | unsigned char ForwarderString; 92 | unsigned int Function; 93 | unsigned int Ordinal; 94 | IMAGE_IMPORT_BY_NAME AddressOfData; 95 | }; 96 | }PIMAGE_THUNK_DATA; 97 | 98 | typedef struct _IMAGE_IMPORT_DESCRIPTOR { 99 | union { 100 | unsigned int Characteristics; 101 | PIMAGE_THUNK_DATA OriginFirstThunk; 102 | }; 103 | unsigned int TimeDateStamp; 104 | unsigned int ForwarderChain; 105 | unsigned int Name; 106 | PIMAGE_THUNK_DATA FirstThunk; 107 | } IMAGE_IMPORT_DESCRIPTOR; 108 | 109 | typedef struct _IMAGE_DATA_DIRECTORY { 110 | unsigned int VirtualAddress; 111 | unsigned int Size; 112 | } IMAGE_DATA_DIRECTORY; 113 | 114 | 115 | 116 | typedef struct _IMAGE_EXPORT_DIRECTORY{ 117 | unsigned int Characteristics; 118 | unsigned int TimeDateStamp; 119 | unsigned short MajorVersion; 120 | unsigned short MinorVersion; 121 | unsigned int Name; 122 | unsigned int Base; 123 | unsigned int NumberOfFunctions; 124 | unsigned int NumberOfNames; 125 | unsigned int AddressOfFunctions; 126 | unsigned int AddressOfNames; 127 | unsigned int AddressOfNameOrdinals; 128 | }IMAGE_EXPORT_DIRECTORY; 129 | 130 | 131 | typedef struct _IMAGE_OPTIONAL_HEADER { 132 | unsigned short Magic; 133 | unsigned char MajorLinkerVersion; 134 | unsigned char MinorLinkerVersion; 135 | unsigned int SizeOfCode; 136 | unsigned int SizeOfInitializedData; 137 | unsigned int SizeOfUninitializedData; 138 | unsigned int AddressOfEntryPoint; 139 | unsigned int BaseOfCode; 140 | unsigned int BaseOfData; 141 | unsigned int ImageBase; 142 | unsigned int SectionAlignment; 143 | unsigned int FileAlignment; 144 | unsigned short MajorOperatingSystemVersion; 145 | unsigned short MinorOperatingSystemVersion; 146 | unsigned short MajorImageVersion; 147 | unsigned short MinorImageVersion; 148 | unsigned short MajorSubsystemVersion; 149 | unsigned short MinorSubsystemVersion; 150 | unsigned int Win32VersionValue; 151 | unsigned int SizeOfImage; 152 | unsigned int SizeOfHeaders; 153 | unsigned int CheckSum; 154 | unsigned short Subsystem; 155 | unsigned short DllCharacteristics; 156 | unsigned int SizeOfStackReserve; 157 | unsigned int SizeOfStackCommit; 158 | unsigned int SizeOfHeapReserve; 159 | unsigned int SizeOfHeapCommit; 160 | unsigned int LoaderFlags; 161 | unsigned int NumberOfRvaAndSizes; 162 | IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; 163 | } IMAGE_OPTIONAL_HEADER; 164 | 165 | typedef struct _IMAGE_FILE_HEADER { 166 | unsigned short Machine; 167 | unsigned short NumberOfSections; 168 | unsigned int TimeDateStamp; 169 | unsigned int PointerToSymbolTable; 170 | unsigned int NumberOfSymbols; 171 | unsigned short SizeOfOptionalHeader; 172 | unsigned short Characteristics; 173 | } IMAGE_FILE_HEADER; 174 | 175 | typedef struct _IMAGE_NT_HEADERS { 176 | unsigned int Signature; 177 | IMAGE_FILE_HEADER file_header; 178 | IMAGE_OPTIONAL_HEADER op_header; 179 | } IMAGE_NT_HEADERS; 180 | 181 | typedef struct _IMAGE_SECTION_HEADER { 182 | unsigned char Name[IMAGE_SIZEOF_SHORT_NAME]; 183 | unsigned int VirtualSize; 184 | unsigned int VirtualAddress; 185 | unsigned int SizeOfRawData; 186 | unsigned int PointerToRawData; 187 | unsigned int PointerToRelocations; 188 | unsigned int PointerToLinenumbers; 189 | unsigned short NumberOfRelocations; 190 | unsigned short NumberOfLinenumbers; 191 | unsigned int Characteristics; 192 | } IMAGE_SECTION_HEADER; 193 | 194 | 195 | typedef struct _IMAGE_BOUND_IMPORT_DESCRIPTOR { 196 | unsigned int TimeDateStamp; 197 | unsigned short OffsetModuleName; 198 | unsigned short NumberOfModuleForwarderRefs; 199 | } IMAGE_BOUND_IMPORT_DESCRIPTOR; 200 | 201 | #endif /* H_PE_ANALYZER */ 202 | -------------------------------------------------------------------------------- /sections.c: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (C) 2014-2015 Motaz Reda 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published by 7 | * the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program; if not, write to motaz reda 17 | * motazkhodair@gmail.com 18 | * 19 | */ 20 | #include 21 | #include 22 | #include 23 | #include 24 | 25 | #include "sections.h" 26 | #include "pe_analyzer.h" 27 | 28 | 29 | void ListSections(unsigned char *buffer, char opt) 30 | { 31 | IMAGE_DOS_HEADER *dos; 32 | IMAGE_NT_HEADERS *ntheader; 33 | 34 | int n, section_size = 0; 35 | int data_dir; 36 | char *data_dir_desc; 37 | 38 | int import_count = 0; //for count imports 39 | 40 | printf("\t########Begin Analyzing########\n"); 41 | // Dos Header 42 | dos = (IMAGE_DOS_HEADER *)buffer; 43 | // End Dos Header 44 | // begin Pe Header 45 | unsigned char *PE_HEADER = (unsigned char *)malloc(sizeof(buffer[dos->e_lfanew])); //allocate 46 | PE_HEADER = &buffer[dos->e_lfanew]; 47 | ntheader = (IMAGE_NT_HEADERS *)PE_HEADER; 48 | printf("\t#####Section Header#####\n"); 49 | int g=0; 50 | int realoffset[ntheader->file_header.NumberOfSections]; 51 | for(n=1;n<=ntheader->file_header.NumberOfSections;n++) { 52 | IMAGE_SECTION_HEADER *secheader = (IMAGE_SECTION_HEADER *)(PE_HEADER + sizeof(IMAGE_NT_HEADERS) + section_size); 53 | section_size += sizeof(IMAGE_SECTION_HEADER); 54 | printf("\tSection Name: %c%c%c%c%c%c%c%c\n", secheader->Name[0], secheader->Name[1], secheader->Name[2], secheader->Name[3], secheader->Name[4], secheader->Name[5], secheader->Name[6], secheader->Name[7]); 55 | printf("\tVirtualSize: %04x\n", secheader->VirtualSize); 56 | printf("\tVirtualAddress: %04x\n", secheader->VirtualAddress); 57 | printf("\tSizeOfRawData: %04x\n", secheader->SizeOfRawData); 58 | printf("\tRaw Data: %04x\n", secheader->PointerToRawData); 59 | printf("\tPointerToRelocations: %04x\n", secheader->PointerToRelocations); 60 | printf("\tPointerToLinenumbers: %04x\n", secheader->PointerToLinenumbers); 61 | printf("\tNumberOfRelocations: %02x\n", secheader->NumberOfRelocations); 62 | printf("\tNumberOfLinenumbers: %02x\n", secheader->NumberOfLinenumbers); 63 | printf("\tCharacteristics: %04x\n", secheader->Characteristics); 64 | printf("\t-------------------------\n"); 65 | realoffset[n] = secheader->VirtualAddress - secheader->PointerToRawData; 66 | // printf("\nsubstract this from any RVA in this section : %x\n", realoffset[n]); 67 | } 68 | printf("\t#####End Of Sections#####\n\n"); 69 | // End Pe Header 70 | } 71 | 72 | -------------------------------------------------------------------------------- /sections.h: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (C) 2014-2015 Motaz Reda 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published by 7 | * the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program; if not, write to motaz reda 17 | * motazkhodair@gmail.com 18 | * 19 | */ 20 | 21 | #ifndef H_SECTIONS 22 | #define H_SECTIONS 23 | 24 | void ListSections(unsigned char *, char); 25 | 26 | #endif -------------------------------------------------------------------------------- /strings_dump.c: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (C) 2014-2015 Motaz Reda 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published by 7 | * the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program; if not, write to motaz reda 17 | * motazkhodair@gmail.com 18 | * 19 | */ 20 | 21 | #include 22 | #include 23 | #include 24 | #include 25 | 26 | #include "strings_dump.h" 27 | #include "pe_analyzer.h" 28 | 29 | void DumpStrings(unsigned char *buffer, char opt, unsigned char *sectionname) 30 | { 31 | IMAGE_DOS_HEADER *dos; 32 | IMAGE_NT_HEADERS *ntheader; 33 | 34 | int n, section_size = 0; 35 | int data_dir; 36 | char *data_dir_desc; 37 | unsigned char *section = (unsigned char *)malloc(8); 38 | int import_count = 0; //for count imports 39 | 40 | printf("\t########Begin Analyzing########\n"); 41 | // Dos Header 42 | dos = (IMAGE_DOS_HEADER *)buffer; 43 | // End Dos Header 44 | // begin Pe Header 45 | unsigned char *PE_HEADER = (unsigned char *)malloc(sizeof(buffer[dos->e_lfanew])); //allocate 46 | PE_HEADER = &buffer[dos->e_lfanew]; 47 | ntheader = (IMAGE_NT_HEADERS *)PE_HEADER; 48 | // printf("\t#####Section Header#####\n"); 49 | int g=0; 50 | int counter = 0; 51 | int result_section; 52 | int realoffset[ntheader->file_header.NumberOfSections]; 53 | for(n=1;n<=ntheader->file_header.NumberOfSections;n++) { 54 | IMAGE_SECTION_HEADER *secheader = (IMAGE_SECTION_HEADER *)(PE_HEADER + sizeof(IMAGE_NT_HEADERS) + section_size); 55 | section_size += sizeof(IMAGE_SECTION_HEADER); 56 | sprintf(section, "%c%c%c%c%c%c%c%c", secheader->Name[0], secheader->Name[1], secheader->Name[2], secheader->Name[3], secheader->Name[4], secheader->Name[5], secheader->Name[6], secheader->Name[7]); 57 | if(strcmp(sectionname, section) == 0) { 58 | printf("\tSection Name: %c%c%c%c%c%c%c%c\n", secheader->Name[0], secheader->Name[1], secheader->Name[2], secheader->Name[3], secheader->Name[4], secheader->Name[5], secheader->Name[6], secheader->Name[7]); 59 | printf("\tVirtualSize: %04x\n", secheader->VirtualSize); 60 | printf("\tVirtualAddress: %04x\n", secheader->VirtualAddress); 61 | printf("\tSizeOfRawData: %04x\n", secheader->SizeOfRawData); 62 | printf("\tRaw Data: %04x\n", secheader->PointerToRawData); 63 | printf("\tPointerToRelocations: %04x\n", secheader->PointerToRelocations); 64 | printf("\tPointerToLinenumbers: %04x\n", secheader->PointerToLinenumbers); 65 | printf("\tNumberOfRelocations: %02x\n", secheader->NumberOfRelocations); 66 | printf("\tNumberOfLinenumbers: %02x\n", secheader->NumberOfLinenumbers); 67 | printf("\tCharacteristics: %04x\n", secheader->Characteristics); 68 | printf("\t-------------------------\n"); 69 | 70 | printf("\tPrinting String Dump For This Section\n"); 71 | g=0; 72 | counter = 0; 73 | for(g = secheader->PointerToRawData ; g < (secheader->PointerToRawData + secheader->SizeOfRawData) ; g++) { 74 | if(counter == 64) { 75 | printf("\n"); 76 | printf("\t"); 77 | counter = 0; 78 | } 79 | if(isprint(buffer[g])) 80 | printf("%c", buffer[g]); 81 | else if(buffer[g] == '\n') 82 | printf("\n"); 83 | else 84 | printf("."); 85 | counter++; 86 | } 87 | printf("\n"); 88 | realoffset[n] = secheader->VirtualAddress - secheader->PointerToRawData; 89 | } else if(strcmp(sectionname, section) != 0 && n < ntheader->file_header.NumberOfSections) { 90 | continue; 91 | } 92 | } 93 | } 94 | -------------------------------------------------------------------------------- /strings_dump.h: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (C) 2014-2015 Motaz Reda 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published by 7 | * the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program; if not, write to motaz reda 17 | * motazkhodair@gmail.com 18 | * 19 | */ 20 | #ifndef H_STRING_DUMP 21 | #define H_STRING_DUMP 22 | 23 | void DumpStrings(unsigned char *, char, unsigned char *); 24 | #endif --------------------------------------------------------------------------------