wader / fq

jq for binary formats - tool, language and decoders for working with binary and text formats

Support for PE COFF (.exe, .dll, .scr, etc Windows binaries) format ? #442

Open 59e5aaf4 opened 1 year ago

59e5aaf4 commented 1 year ago

What version are you using (fq -v)?

$ fq -v
0.0.9 (linux amd64)

How was fq installed?

Downloaded from https://github.com/wader/fq/releases as that old ubuntu20 doesn't have packages.

Can you reproduce the problem using the latest release or master branch?

I believe it was.

What did you do?

I did just run fq . file.exe and turns out fq doesn't know about PE files! :D

$ fq . cobalt-strike-sample.exe 
error: cobalt-strike-sample.exe: probe: failed to decode (try -d FORMAT)
$ fq . -d raw cobalt-strike-sample.exe 
       |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.{}: cobalt-strike-sample.exe (raw)
0x00000|4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00|MZ..............|  unknown0: raw bits
*      |until 0x4e1ff.7 (end) (320000)                 |                |

What result did you expect?

I did expect some knowledge of the PE format, but I understand that parsing PE files isn't simple as there are edge cases and ahem implementation details.

But if you lads have already implemented ELF then it shouldn't be unreachable to get PE COFF implemented?

What did you see instead?

No knowledge of the PE/COFF format.

$ fq . cobalt-strike-sample.exe 
error: cobalt-strike-sample.exe: probe: failed to decode (try -d FORMAT)
$ fq . -d raw cobalt-strike-sample.exe 
       |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.{}: cobalt-strike-sample.exe (raw)
0x00000|4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00|MZ..............|  unknown0: raw bits
*      |until 0x4e1ff.7 (end) (320000)                 |                |

Further reading

Thanks a lot for reading, cheers!
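As an added example (not fq's code and not the draft in #443), here is a minimal Go probe of the headers the dump above starts with: the MZ stub, e_lfanew at 0x3c, the PE signature and the COFF file header, run over a constructed header-only image. The names ProbePE, PEInfo and SamplePE are my own, not fq's.

```go
package main

import (
	"encoding/binary"
	"errors"
)
// PEInfo holds what a format probe needs to decide "this is PE/COFF".
type PEInfo struct {
	PEOffset    uint32 // e_lfanew: file offset of the "PE\0\0" signature
	Machine     uint16 // IMAGE_FILE_MACHINE_* (0x8664 = x86-64, 0x14c = i386)
	NumSections uint16
	OptHdrMagic uint16 // 0x10b = PE32, 0x20b = PE32+
}
// ProbePE checks the MZ stub, follows e_lfanew to the PE signature and reads the
// COFF file header; every offset is bounds-checked so malformed input errors, not panics.
func ProbePE(b []byte) (PEInfo, error) {
	var info PEInfo
	if len(b) < 0x40 || b[0] != 'M' || b[1] != 'Z' {
		return info, errors.New("no MZ DOS header")
	}
	info.PEOffset = binary.LittleEndian.Uint32(b[0x3c:])
	if uint64(info.PEOffset)+26 > uint64(len(b)) { // sig(4)+COFF hdr(20)+magic(2)
		return info, errors.New("e_lfanew points past end of file")
	}
	h := b[info.PEOffset:]
	if string(h[:4]) != "PE\x00\x00" {
		return info, errors.New("missing PE signature at e_lfanew")
	}
	info.Machine = binary.LittleEndian.Uint16(h[4:])
	info.NumSections = binary.LittleEndian.Uint16(h[6:])
	if binary.LittleEndian.Uint16(h[20:]) < 2 { // SizeOfOptionalHeader
		return info, errors.New("no optional header (COFF object, not an image)")
	}
	info.OptHdrMagic = binary.LittleEndian.Uint16(h[24:])
	return info, nil
}
// SamplePE builds a constructed, header-only PE32+ image for the probe (not a
// real binary): MZ stub, e_lfanew = 0x80, PE signature, COFF header, magic.
func SamplePE() []byte {
	b := make([]byte, 0x80+26)
	copy(b, "MZ")
	binary.LittleEndian.PutUint32(b[0x3c:], 0x80)
	copy(b[0x80:], "PE\x00\x00")
	binary.LittleEndian.PutUint16(b[0x84:], 0x8664) // Machine: IMAGE_FILE_MACHINE_AMD64
	binary.LittleEndian.PutUint16(b[0x86:], 3)      // NumberOfSections
	binary.LittleEndian.PutUint16(b[0x94:], 240)    // SizeOfOptionalHeader (PE32+)
	binary.LittleEndian.PutUint16(b[0x98:], 0x20b)  // PE32+ optional header magic
	return b
}
```

A real decoder would go on to parse the optional header and section table from the same offsets, which is where the edge cases mentioned above (overlapping or out-of-file sections) start to matter.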

wader commented 1 year ago

Hey, thanks for all the references. Yes PE COFF would be a great addition and should be no problem decoding-wise. And as you noted it's probably not that different from ELF and Mach-O that fq already has some support for. It's mostly a matter of someone taking the time to do it.

Is it something you would like to help out with? At the moment the spare time I have for fq will probably be spent on some other things, so it might take some time until I get to it, but who knows :). But I'm more than willing to guide and help out.

59e5aaf4 commented 1 year ago

Ah, I'd love to do so, as writing PE parsers is part of a hacker's rite of passage these days, but my company isn't ok with me working on FLOSS software (I swear that pypcapkit commit isn't mine), and more importantly I have malware running in my infra right now, no time to invest in anything else than decoding cobalt strike configurations :D

If I get some energy outside of my work hours for computers I might get excited and do that. But so far, with hachoir being unusable and kaitaistruct not interoperating well, I usually end up using Quarkslab's excellent "lief" project which does everything I need https://lief-project.github.io/ .

Best regards,

wader commented 1 year ago

I see, no worries. Thanks again for more tools; having many specs and tools to cross-reference usually speeds up writing a decoder a lot.

Let's keep in sync in this issue and good luck with the malware!

wader commented 1 year ago

Did an initial draft that might be a good starting point for someone https://github.com/wader/fq/pull/443