
Support for PE COFF (.exe, .dll, .scr, etc Windows binaries) format ? #442

Open
59e5aaf4 opened this issue Oct 3, 2022 · 4 comments

@59e5aaf4

59e5aaf4 commented Oct 3, 2022

What version are you using (fq -v)?

$ fq -v
0.0.9 (linux amd64)

How was fq installed?

Downloaded from https://github.com/wader/fq/releases as that old ubuntu20 doesn't have packages.

Can you reproduce the problem using the latest release or master branch?

I believe it was.

What did you do?

I did just run fq . file.exe and turns out fq doesn't know about PE files ! :D

$ fq . cobalt-strike-sample.exe 
error: cobalt-strike-sample.exe: probe: failed to decode (try -d FORMAT)
$ fq . -d raw cobalt-strike-sample.exe 
       |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.{}: cobalt-strike-sample.exe (raw)
0x00000|4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00|MZ..............|  unknown0: raw bits
*      |until 0x4e1ff.7 (end) (320000)                 |                |

What result did you expect?

I did expect some knowledge of the PE format, but I understand that parsing PE files isn't simple as there are edge cases and ahem implementation details.

But if you lads have already implemented ELF then it shouldn't be unreachable to get PE COFF implemented ?

What did you see instead?

No knowledge of the PE/COFF format.

$ fq . cobalt-strike-sample.exe 
error: cobalt-strike-sample.exe: probe: failed to decode (try -d FORMAT)
$ fq . -d raw cobalt-strike-sample.exe 
       |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.{}: cobalt-strike-sample.exe (raw)
0x00000|4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00|MZ..............|  unknown0: raw bits
*      |until 0x4e1ff.7 (end) (320000)                 |                |

Further reading

Thanks a lot for reading, cheers !
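As an added illustration of what a PE/COFF probe has to do before any deeper decoding (this is example code written here, not part of the issue, of fq, or of the #443 draft), the Go program below checks the "MZ" DOS header visible in the raw dump above, follows the e_lfanew field at offset 0x3c to the "PE\0\0" signature, and parses the 20-byte COFF file header plus the optional-header magic. It also handles the edge cases the report alludes to: input shorter than the DOS header (such as the 16 bytes shown in the dump), an e_lfanew that points past the end of the file, and a plain MZ DOS executable with no PE signature. The names ProbePE, SampleImage and MachineName are my own, and SampleImage builds a constructed header, not a real executable.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// PEInfo holds the fields a format probe needs from the DOS and COFF headers.
type PEInfo struct {
	PEOffset             uint32 // e_lfanew: file offset of the "PE\0\0" signature
	Machine              uint16 // IMAGE_FILE_MACHINE_* value
	NumberOfSections     uint16
	SizeOfOptionalHeader uint16
	Characteristics      uint16 // IMAGE_FILE_* flags
	OptionalMagic        uint16 // 0x10b = PE32, 0x20b = PE32+ (0 if absent)
}

// ErrNotPE is returned for input that is not a PE/COFF image, including a
// bare MZ DOS executable that carries no PE signature.
var ErrNotPE = errors.New("not a PE/COFF image")

// machineNames covers the common IMAGE_FILE_MACHINE_* values.
var machineNames = map[uint16]string{
	0x014c: "i386",
	0x01c4: "armnt",
	0x8664: "amd64",
	0xaa64: "arm64",
}

// MachineName returns a readable name for a COFF machine value.
func MachineName(m uint16) string {
	if n, ok := machineNames[m]; ok {
		return n
	}
	return fmt.Sprintf("unknown(0x%x)", m)
}

// ProbePE validates the DOS header, follows e_lfanew to the PE signature and
// parses the 20-byte COFF file header. Every offset is bounds-checked before
// use, so a truncated or malformed file yields an error instead of a panic.
func ProbePE(b []byte) (PEInfo, error) {
	var info PEInfo
	if len(b) < 0x40 {
		return info, fmt.Errorf("file is %d bytes, shorter than the 64-byte DOS header", len(b))
	}
	if b[0] != 'M' || b[1] != 'Z' {
		return info, ErrNotPE
	}
	peOff := binary.LittleEndian.Uint32(b[0x3c:0x40])
	// The 4-byte signature plus the 20-byte COFF header must fit in the file.
	if uint64(peOff)+24 > uint64(len(b)) {
		return info, fmt.Errorf("e_lfanew 0x%x points past end of file (%d bytes)", peOff, len(b))
	}
	if string(b[peOff:peOff+4]) != "PE\x00\x00" {
		return info, ErrNotPE
	}
	h := b[peOff+4 : peOff+24]
	info.PEOffset = peOff
	info.Machine = binary.LittleEndian.Uint16(h[0:2])
	info.NumberOfSections = binary.LittleEndian.Uint16(h[2:4])
	// h[4:16] holds TimeDateStamp, PointerToSymbolTable and NumberOfSymbols.
	info.SizeOfOptionalHeader = binary.LittleEndian.Uint16(h[16:18])
	info.Characteristics = binary.LittleEndian.Uint16(h[18:20])
	// The optional header follows the COFF header; its first field is the magic.
	optStart := uint64(peOff) + 24
	if info.SizeOfOptionalHeader >= 2 && optStart+2 <= uint64(len(b)) {
		info.OptionalMagic = binary.LittleEndian.Uint16(b[optStart : optStart+2])
	}
	return info, nil
}

// SampleImage builds a constructed, minimal PE32+ header for testing: a 64-byte
// DOS header with e_lfanew = 0x40, the PE signature, the COFF header and the
// optional-header magic. The COFF header claims the full 240-byte PE32+
// optional header, but the sample only carries its 2-byte magic.
func SampleImage() []byte {
	img := make([]byte, 0x40+4+20+2)
	copy(img, "MZ")
	binary.LittleEndian.PutUint32(img[0x3c:], 0x40)
	copy(img[0x40:], "PE\x00\x00")
	h := img[0x44:]
	binary.LittleEndian.PutUint16(h[0:], 0x8664)    // Machine: amd64
	binary.LittleEndian.PutUint16(h[2:], 3)         // NumberOfSections
	binary.LittleEndian.PutUint16(h[16:], 0xf0)     // SizeOfOptionalHeader
	binary.LittleEndian.PutUint16(h[18:], 0x0022)   // EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
	binary.LittleEndian.PutUint16(img[0x58:], 0x20b) // optional header magic: PE32+
	return img
}

func main() {
	info, err := ProbePE(SampleImage())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("PE at 0x%x machine=%s sections=%d optmagic=0x%x\n",
		info.PEOffset, MachineName(info.Machine), info.NumberOfSections, info.OptionalMagic)
	// The 16 bytes shown in the issue's raw dump are too short to probe.
	_, err = ProbePE([]byte("MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"))
	fmt.Println("16-byte prefix:", err)
}
```

A decoder built on this would go on to read the optional header sized by SizeOfOptionalHeader and then NumberOfSections section headers; the point of the probe stage is that every one of those reads is driven by untrusted lengths and offsets from the file, so each must be bounds-checked the same way e_lfanew is here.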

@wader
Owner

wader commented Oct 3, 2022

Hey, thanks for all the references. Yes PE COFF would be a great addition and should be no problem decoding-wise. And as you noted is probably not that different from ELF and Macho that fq already has some support for. It's mostly a matter of someone taking the time to do it.

Is it something you would like to help out with? At the moment the spare time I have for fq will probably be spent on some other things, so might take some time until i get to it, but who knows :). But i'm more than willing to guide and help out.

@59e5aaf4
Author

59e5aaf4 commented Oct 3, 2022

Ah, I'd love to do so, as writing PE parsers is part of these days hackers rite of passage, but my company isn't ok with me working on FLOSS software (I swear that pypcapkit commit isn't mine), and more importantly I have malware running in my infra right now, no time to invest in anything else than decoding cobalt strike configurations :D

If I get some energy outside of my work hours for computers I might get excited and do that. But so far hachoir being unusable, and kaitaistruct not well interoperable, I usually end up using Quarkslab's excellent "lief" project which does everything I need https://lief-project.github.io/ .

Best regards,

@wader
Owner

wader commented Oct 3, 2022

I see, no worries. Thanks again for more tools; many specs and tools to cross-reference usually speeds up writing a decoder a lot.

Let's keep in sync in this issue and good luck with the malware!

@wader
Owner

wader commented Oct 4, 2022

Did an initial draft that might be a good starting point for someone #443
