initial project files

saferwall · Feb 11, 2021 · 393f4bb · 393f4bb
1 parent 19a2d82
commit 393f4bb
Show file tree

Hide file tree

Showing 29 changed files with 10,789 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -0,0 +1,75 @@
+# Portable Executable Parser
+
+**peparser** is a go package for parsing the [portable executable](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format) file format. This package was designed with malware analysis in mind, and being resistent to PE malformations.
+
+## Features
+
+- Works with PE32/PE32+ file fomat.
+- Supports Intel x86/AMD64/ARM7ARM7 Thumb/ARM8-64/IA64/CHPE architectures.
+- MS DOS header.
+- Rich Header (calculate checksum).
+- NT Header (file header + optional header).
+- COFF symbol table and string table.
+- Sections headers + entropy calculation. 
+- Data directories
+    - Import Table + ImpHash calculation.
+    - Export Table
+    - Resource Table
+    - Exceptions Table
+    - Security Table + Authentihash calculation.
+    - Relocations Table
+    - Debug Table (CODEVIEW, POGO, VC FEATURE, REPRO, FPO, EXDLL CHARACTERISTICS debug types).
+    - TLS Table
+    - Load Config Directory (SEH, GFID, GIAT, Guard LongJumps, CHPE, Dynamic Value Reloc Table, Enclave Configuration, Volatile Metadata tables).
+    - Bound Import Table
+    - Delay Import Table
+    - COM Table (CLR Metadata Header, Metadata Table Streams)
+- Report several anomalies
+
+## Installing
+
+Using peparser is easy. First, use `go get` to install the latest version
+of the library. This command will install the `peparser` generator executable
+along with the library and its dependencies:
+
+    go get -u github.com/saferwall/pe
+
+Next, include `peparser` in your application:
+
+```go
+import "github.com/saferwall/pe"
+```
+
+## Using the library
+
+```go
+package main
+
+import (
+	peparser "github.com/saferwall/pe"
+)
+
+func main() {
+    pe, err := peparser.New("C:\\Binaries\\notepad.exe", nil)
+	if err != nil {
+		log.Fatalf("Error while opening file: %s, reason: %s", filename, err)
+    }
+
+    err = pe.Parse()
+    if err != nil {
+        log.Fatalf("Error while opening file: %s, reason: %s", filename, err)
+    }
+```
+
+## Todo:
+
+- imports MS-styled names demangling
+- PE: VB5 and VB6 typical structures: project info, DLLCall-imports, referenced modules, object table
+
+# References
+
+- [Peering Inside the PE: A Tour of the Win32 Portable Executable File Format by Matt Pietrek](http://bytepointer.com/resources/pietrek_peering_inside_pe.htm)
+- [An In-Depth Look into the Win32 Portable Executable File Format - Part 1 by Matt Pietrek](http://www.delphibasics.info/home/delphibasicsarticles/anin-depthlookintothewin32portableexecutablefileformat-part1)
+- [An In-Depth Look into the Win32 Portable Executable File Format - Part 2 by Matt Pietrek](http://www.delphibasics.info/home/delphibasicsarticles/anin-depthlookintothewin32portableexecutablefileformat-part2)
+- [Portable Executable File Format](https://blog.kowalczyk.info/articles/pefileformat.html)
+- [PE Format MSDN spec](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format)
diff --git a/anomaly.go b/anomaly.go
@@ -0,0 +1,202 @@
+// Copyright 2021 Saferwall. All rights reserved.
+// Use of this source code is governed by Apache v2 license
+// license that can be found in the LICENSE file.
+
+package pe
+
+import (
+	"encoding/binary"
+	"time"
+)
+
+// Anomalies found in a PE
+var (
+
+	// AnoPEHeaderOverlapDOSHeader is reported when the PE headers overlaps with
+	// the DOS header.
+	AnoPEHeaderOverlapDOSHeader = "PE Header overlaps with DOS header"
+
+	// AnoPETimeStampNull is reported when the file header timestamp is 0.
+	AnoPETimeStampNull = "File Header timestamp set to 0"
+
+	// AnoPETimeStampFuture is reported when the file header timestamp is more
+	// than one day ahead of the current date timestamp.
+	AnoPETimeStampFuture = "File Header timestamp set to 0"
+
+	// NumberOfSections is reported when number of sections is larger or equal than 10.
+	AnoNumberOfSections10Plus = "Number of sections is 10+"
+
+	// AnoNumberOfSectionsNull is reported when sections count's is 0.
+	AnoNumberOfSectionsNull = "Number of sections is 0"
+
+	// AnoSizeOfOptionalHeaderNull is reported when size of optional header is 0.
+	AnoSizeOfOptionalHeaderNull = "Size of optional header is 0"
+
+	// AnoUncommonSizeOfOptionalHeader32 is reported when size of optional
+	// header for PE32 is larger than 0xE0.
+	AnoUncommonSizeOfOptionalHeader32 = `Size of optional header is larger than
+	 0xE0 (PE32)`
+
+	// AnoUncommonSizeOfOptionalHeader64 is reported when size of optional
+	// header for PE32+ is larger than 0xF0.
+	AnoUncommonSizeOfOptionalHeader64 = `Size of optional header is larger than
+	 0xF0 (PE32+)`
+
+	// AnoAddressOfEntryPointNull is reported when address of entry point is 0.
+	AnoAddressOfEntryPointNull = "Address of entry point is 0."
+
+	// AnoAddressOfEPLessSizeOfHeaders is reported when address of entry point
+	// is smaller than size of headers, the file cannot run under Windows.
+	AnoAddressOfEPLessSizeOfHeaders = `Address of entry point is smaller than 
+		size of headers, the file cannot run under Windows 8`
+
+	// AnoImageBaseNull is reported when the image base is null
+	AnoImageBaseNull = "Image base is 0"
+
+	// AnoDanSMagicOffset is reported when the `DanS` magic offset is different
+	// than 0x80.
+	AnoDanSMagicOffset = "`DanS` magic offset is different than 0x80"
+
+	// ErrInvalidFileAlignment is reported when file alignment is larger than
+	//  0x200 and not a power of 2.
+	ErrInvalidFileAlignment = "FileAlignment larger than 0x200 and not a power of 2"
+
+	// ErrInvalidSectionAlignment is reported when file alignment is lesser
+	// than 0x200 and different from section alignment.
+	ErrInvalidSectionAlignment = `FileAlignment lesser than 0x200 and different 
+		from section alignment`
+
+	// AnoMajorSubsystemVersion is reported when MajorSubsystemVersion has a
+	// value different than the standard 3 --> 6.
+	AnoMajorSubsystemVersion = `MajorSubsystemVersion is outside 3<-->6 boundary`
+
+	// AnonWin32VersionValue is reported when Win32VersionValue is different than 0
+	AnonWin32VersionValue = `Win32VersionValue is a reserved field, should be
+		normally set to 0x0.`
+
+	// AnoInvalidPEChecksum is reported when the optional header checksum field
+	// is different from what it should normally be.
+	AnoInvalidPEChecksum = `Optional header checksum is invalid.`
+
+	// AnoNumberOfRvaAndSizes is reported when NumberOfRvaAndSizes is different
+	// than 16.
+	AnoNumberOfRvaAndSizes = `Optional header NumberOfRvaAndSizes != 16`
+)
+
+// GetAnomalies reportes anomalies found in a PE binary.
+// These nomalies does prevent the Windows loader from loading the files but
+// is an interesting features for malware analysis.
+func (pe *File) GetAnomalies() error {
+
+	// ******************** Anomalies in File header ************************
+	// An application for Windows NT typically has the nine predefined sections
+	// named: .text, .bss, .rdata, .data, .rsrc, .edata, .idata, .pdata, and
+	// .debug. Some applications do not need all of these sections, while
+	// others may define still more sections to suit their specific needs.
+	// NumberOfSections can be up to 96 under XP.
+	// NumberOfSections can be up to 65535 under Vista and later.
+	if pe.NtHeader.FileHeader.NumberOfSections >= 10 {
+		pe.Anomalies = append(pe.Anomalies, AnoNumberOfSections10Plus)
+	}
+
+	// File header timestamp set to 0.
+	if pe.NtHeader.FileHeader.TimeDateStamp == 0 {
+		pe.Anomalies = append(pe.Anomalies, AnoPETimeStampNull)
+	}
+
+	// File header timestamp set to the future.
+	now := time.Now()
+	future := uint32(now.Add(24 * time.Hour).Unix())
+	if pe.NtHeader.FileHeader.TimeDateStamp > future {
+		pe.Anomalies = append(pe.Anomalies, AnoPETimeStampFuture)
+	}
+
+	// NumberOfSections can be null with low alignment PEs
+	// and in this case, the values are just checked but not really used (under XP)
+	if pe.NtHeader.FileHeader.NumberOfSections == 0 {
+		pe.Anomalies = append(pe.Anomalies, AnoNumberOfSectionsNull)
+	}
+
+	// SizeOfOptionalHeader is not the size of the optional header, but the delta
+	// between the top of the Optional header and the start of the section table.
+	// Thus, it can be null (the section table will overlap the Optional Header,
+	// or can be null when no sections are present)
+	if pe.NtHeader.FileHeader.SizeOfOptionalHeader == 0 {
+		pe.Anomalies = append(pe.Anomalies, AnoSizeOfOptionalHeaderNull)
+	}
+
+	// SizeOfOptionalHeader can be bigger than the file
+	// (the section table will be in virtual space, full of zeroes), but can't be negative.
+	// Do some check here.
+	oh32 := ImageOptionalHeader32{}
+	oh64 := ImageOptionalHeader64{}
+
+	// SizeOfOptionalHeader standard value is 0xE0 for PE32.
+	if pe.Is32 &&
+		pe.NtHeader.FileHeader.SizeOfOptionalHeader > uint16(binary.Size(oh32)) {
+		pe.Anomalies = append(pe.Anomalies, AnoUncommonSizeOfOptionalHeader32)
+	}
+
+	// SizeOfOptionalHeader standard value is 0xF0 for PE32+.
+	if pe.Is64 &&
+		pe.NtHeader.FileHeader.SizeOfOptionalHeader > uint16(binary.Size(oh64)) {
+		pe.Anomalies = append(pe.Anomalies, AnoUncommonSizeOfOptionalHeader64)
+	}
+
+	// ***************** Anomalies in Optional header *********************
+	// Under Windows 8, AddressOfEntryPoint is not allowed to be smaller than
+	// SizeOfHeaders, except if it's null.
+	switch pe.Is64 {
+	case true:
+		oh64 = pe.NtHeader.OptionalHeader.(ImageOptionalHeader64)
+	case false:
+		oh32 = pe.NtHeader.OptionalHeader.(ImageOptionalHeader32)
+	}
+
+	// Use oh for fields which are common for both structures.
+	oh := oh32
+	if oh.AddressOfEntryPoint != 0 && oh.AddressOfEntryPoint < oh.SizeOfHeaders {
+		pe.Anomalies = append(pe.Anomalies, AnoAddressOfEPLessSizeOfHeaders)
+	}
+
+	// AddressOfEntryPoint can be null in DLLs: in this case,
+	// DllMain is just not called. can be null
+	if oh.AddressOfEntryPoint == 0 {
+		pe.Anomalies = append(pe.Anomalies, AnoAddressOfEntryPointNull)
+	}
+
+	// ImageBase can be null, under XP.
+	// In this case, the binary will be relocated to 10000h
+	if (pe.Is64 && oh64.ImageBase == 0) ||
+		(pe.Is32 && oh32.ImageBase == 0) {
+		pe.Anomalies = append(pe.Anomalies, AnoImageBaseNull)
+	}
+
+	// For DLLs, MajorSubsystemVersion is ignored until Windows 8. It can have
+	// any value. Under Windows 8, it needs a standard value (3.10 < 6.30).
+	if oh.MajorSubsystemVersion < 3 || oh.MajorSubsystemVersion > 6 {
+		pe.Anomalies = append(pe.Anomalies, AnoMajorSubsystemVersion)
+	}
+
+	// Win32VersionValue officially defined as `reserved` and should be null
+	// if non null, it overrides MajorVersion/MinorVersion/BuildNumber/PlatformId
+	// OperatingSystem Versions values located in the PEB, after loading.
+	if oh.Win32VersionValue != 0 {
+		pe.Anomalies = append(pe.Anomalies, AnonWin32VersionValue)
+	}
+
+	// Checksums are required for kernel-mode drivers and some system DLLs.
+	// Otherwise, this field can be 0.
+	if pe.Checksum() != oh.CheckSum && oh.CheckSum != 0 {
+		pe.Anomalies = append(pe.Anomalies, AnoInvalidPEChecksum)
+	}
+
+	// This field contains the number of IMAGE_DATA_DIRECTORY entries.
+	//  This field has been 16 since the earliest releases of Windows NT.
+	if (pe.Is64 && oh64.NumberOfRvaAndSizes == 0xA) ||
+		(pe.Is32 && oh32.NumberOfRvaAndSizes == 0xA) {
+		pe.Anomalies = append(pe.Anomalies, AnoNumberOfRvaAndSizes)
+	}
+
+	return nil
+}
diff --git a/arch.go b/arch.go
@@ -0,0 +1,11 @@
+// Copyright 2021 Saferwall. All rights reserved.
+// Use of this source code is governed by Apache v2 license
+// license that can be found in the LICENSE file.
+
+package pe
+
+// Architecture-specific data. This data directory is not used
+// (set to all zeros) for I386, IA64, or AMD64 architecture.
+func (pe *File) parseArchitectureDirectory(rva, size uint32) error {
+	return nil
+}