Wednesday, November 25, 2009

A dumper for PyPEELF

As +NCR has already mentioned, I am working on the PyPEELF Tasks viewer, and one feature we wanted to integrate there was a first, simple process dumper. Let me tell you about some of the issues I faced during the experiment.

I am relatively new to reverse engineering topics, so before getting my hands dirty I read a little more on the PE format and on how executables are loaded into memory (I really recommend Iczelion's Tutorials). We should notice, for example, that a process mapped in memory has a different section alignment with respect to the original one in the file, and that is also why the virtual and raw section offsets and sizes differ.

Consequently, if we manage to get the base address in memory where the process was loaded and its image size, we can read the process memory and write it to a file. However, that would not be enough to get a functional executable, since we have seen that the mapping of the process in memory can differ from the raw data in the file (i.e. the file alignment and the fields that describe the raw sections will not be correct for the saved file). So we have to fix those PE headers so that the alignment and section information match what was dumped from memory.

How is it implemented? Well, most of the development around running processes is based on the capabilities of winappdbg, which gives us a way to get the needed process information and access to the Windows API. On the other hand, to update and fix the PE headers and finally write the dump to a file, we use the pefile module.
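The header fixup described above, as an added example that is not PyPEELF's code (the project uses pefile; this version walks the section table with `struct` only so it runs without dependencies). The function names, the constructed sample image and its section values are assumptions for illustration; the RVA rewriting and import-table repair that a full dumper also needs are out of scope here.

```python
import struct

FILE_HDR_LEN, SECTION_HDR_LEN = 20, 40
OPT_SECTION_ALIGN, OPT_FILE_ALIGN = 0x20, 0x24  # same offsets in PE32 and PE32+

def _locate(buf):
    """Return (NumberOfSections, OPTIONAL_HEADER offset, first section header offset)."""
    e_lfanew = struct.unpack_from('<I', buf, 0x3C)[0]
    if bytes(buf[e_lfanew:e_lfanew + 4]) != b'PE\0\0':
        raise ValueError('not a PE image')
    file_hdr = e_lfanew + 4
    nsections, opt_len = struct.unpack_from('<H12xH', buf, file_hdr + 2)
    return nsections, file_hdr + FILE_HDR_LEN, file_hdr + FILE_HDR_LEN + opt_len

def parse_headers(image):
    """Return (SectionAlignment, FileAlignment, [(name, VirtualSize, VirtualAddress,
    SizeOfRawData, PointerToRawData), ...]) as the headers currently describe them."""
    nsections, opt_hdr, sec = _locate(image)
    salign, falign = struct.unpack_from('<II', image, opt_hdr + OPT_SECTION_ALIGN)
    sections = [struct.unpack_from('<8sIIII', image, sec + i * SECTION_HDR_LEN)
                for i in range(nsections)]
    return salign, falign, [(n.rstrip(b'\0'), *rest) for n, *rest in sections]

def fix_dumped_headers(image):
    """Rewrite the headers of a raw memory dump so the file layout equals the in-memory
    one: FileAlignment = SectionAlignment, PointerToRawData = VirtualAddress and
    SizeOfRawData = VirtualSize rounded up to SectionAlignment, for every section."""
    buf = bytearray(image)
    nsections, opt_hdr, sec = _locate(buf)
    salign = struct.unpack_from('<I', buf, opt_hdr + OPT_SECTION_ALIGN)[0]
    struct.pack_into('<I', buf, opt_hdr + OPT_FILE_ALIGN, salign)
    for i in range(nsections):
        off = sec + i * SECTION_HDR_LEN
        vsize, vaddr = struct.unpack_from('<II', buf, off + 8)
        raw_size = -(-vsize // salign) * salign          # round up, keeps section-aligned
        struct.pack_into('<II', buf, off + 16, raw_size, vaddr)
    return bytes(buf)

def build_sample_image():
    """Constructed PE32 image as it sits in memory (not a real program): two sections at
    0x1000 SectionAlignment, while the headers still describe the on-disk layout with
    0x200 FileAlignment and raw offsets 0x400 / 0x600."""
    dos = bytearray(0x40); dos[:2] = b'MZ'; struct.pack_into('<I', dos, 0x3C, 0x40)
    file_hdr = struct.pack('<HHIIIHH', 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0); struct.pack_into('<H', opt, 0, 0x10B)
    struct.pack_into('<II', opt, OPT_SECTION_ALIGN, 0x1000, 0x200)
    secs = b''.join(struct.pack('<8sIIIIIIHHI', n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                    for n, vs, va, rs, rp in ((b'.text', 0x150, 0x1000, 0x200, 0x400),
                                              (b'.data', 0x1800, 0x2000, 0x200, 0x600)))
    hdr = bytes(dos) + b'PE\0\0' + file_hdr + bytes(opt) + secs
    return hdr.ljust(0x1000, b'\0') + b'\x90' * 0x1000 + b'A' * 0x2000
```

Running `parse_headers` before and after `fix_dumped_headers` on the sample shows the raw offsets move from 0x400/0x600 to the RVAs 0x1000/0x2000, which is exactly what lets a PE loader find the section data at the positions the dump actually has it.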

And that is it, this was a shortened and simplified story of how PyPEELF got its process dumper.

Saturday, September 19, 2009

Adding tools...

Hi!

This is a small post to let you know about a small tool that was added to PyPEELF this afternoon: an FLC (File Location Calculator), nothing special but useful sometimes.

You can see the current version of the code here.

If you have any suggestion, please let us know!

See you soon!

Monday, September 14, 2009

Starting again...

Well, after a while of not dedicating a single second to the project, we are back.

In my case, I am building what will be the .NET parser, studying the format and fixing a couple of bugs in some other parts of the program.

Matias, for his part, is dedicating time to the Task Viewer, fixing bugs and also giving me a hand with GUI stuff, Python, etc.

Gunther is writing the docs and designing the project's artwork, and Mauro is doing some QA for us!

Those who want to take a look at what we are working on can browse here.

Starting with the next post, we will begin posting in English, since we want to reach as many people as possible and we think that, besides English speakers, there will be many Spanish speakers who will be interested!

See you soon!

Friday, September 11, 2009

PyPEELF

Hi!

A few days ago I put an entry on Crackinglandia about this project that I started and that some friends joined: http://crackinglandia.blogspot.com/2009/08/pypeelf-multi-platform-multi-format.html

I think the best thing is to set up a separate blog to post news and the progress of the project.

When we have more news we will put it here!

You can visit the Wiki site to learn a bit more about what is going on: https://sourceforge.net/apps/trac/pypeelf/wiki/WikiStart

See you soon!