Wednesday, November 25, 2009

A dumper for PyPEELF

As +NCR has already mentioned, I am working on the PyPEELF Tasks viewer, and one feature we wanted to integrate there was a (first, simple) process dumper. Let me tell you about some of the issues I faced during the experiment.

I am relatively new to reverse engineering topics, so before getting my hands dirty I had been reading a little more on the PE format and on how executables are loaded into memory (I really recommend Iczelion's Tutorials). We should notice, for example, that a process mapped in memory has a different section alignment from the original one in the file, which is also why the virtual and raw section offsets and sizes differ.

Consequently, if we manage to get the base address in memory where the process was loaded and its image size, we can read the process memory and write it to a file. However, that alone would not give us a functional executable, since we have seen that the mapping of the process in memory can differ from the raw data in the file (i.e. the file alignment and the fields that describe the raw sections will not be correct for the saved file). So we have to fix those PE headers to match the alignment and section layout as dumped from memory.

How is it implemented? Well, most of the development around running processes is based on the capabilities of winappdbg, which gives us a way to obtain the needed process information and access to the Windows API. On the other hand, to update and fix the PE headers and finally write the dump to a file, we use the pefile module.
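As an added illustration (my own code, not PyPEELF's), here is the header fix described above done with plain struct on a constructed two-section PE32 image instead of with pefile; the function names, SECTION_HEADER_SIZE and the sample section layout are my assumptions.

```python
import struct

SECTION_HEADER_SIZE = 40

def _layout(image):
    """Return (optional header offset, [section header offsets]) of a PE image."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections, size_of_opt = struct.unpack_from("<H12xH", image, e_lfanew + 6)
    first = e_lfanew + 24 + size_of_opt
    return e_lfanew + 24, [first + i * SECTION_HEADER_SIZE for i in range(num_sections)]

def alignments(image):
    """(SectionAlignment, FileAlignment) from the optional header."""
    return struct.unpack_from("<II", image, _layout(image)[0] + 32)

def section_headers(image):
    """(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    return [(image[h:h + 8].rstrip(b"\0").decode(),) + struct.unpack_from("<IIII", image, h + 8)
            for h in _layout(image)[1]]

def fix_dumped_pe_headers(image):
    """Make the raw (file) section fields of a memory dump match its virtual layout."""
    buf = bytearray(image)
    opt, sections = _layout(buf)
    # The dump was read at SectionAlignment, so FileAlignment must say the same.
    struct.pack_into("<I", buf, opt + 36, struct.unpack_from("<I", buf, opt + 32)[0])
    for h in sections:
        vsize, rva = struct.unpack_from("<II", buf, h + 8)
        # PointerToRawData = VirtualAddress, SizeOfRawData = VirtualSize: the file mirrors memory.
        struct.pack_into("<II", buf, h + 16, vsize, rva)
    return bytes(buf)

def constructed_dump():
    """Constructed PE32 image (not a real program) as read from a process: sections at 0x1000, headers still describing the on-disk 0x200 layout."""
    e_lfanew, img = 0x40, bytearray(0x3000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, e_lfanew + 4, 0x14C, 2)   # Machine = i386, 2 sections
    struct.pack_into("<H", img, e_lfanew + 20, 224)        # SizeOfOptionalHeader (PE32)
    opt = e_lfanew + 24
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<I", img, opt + 56, 0x3000)          # SizeOfImage
    sec = opt + 224
    for name, vsize, rva, rawsize, rawptr in ((b".text", 0x100, 0x1000, 0x200, 0x400),
                                              (b".data", 0x50, 0x2000, 0x200, 0x600)):
        img[sec:sec + len(name)] = name
        struct.pack_into("<IIII", img, sec + 8, vsize, rva, rawsize, rawptr)
        sec += SECTION_HEADER_SIZE
    return bytes(img)
```

pefile exposes the same fields (OPTIONAL_HEADER.FileAlignment, and each section's PointerToRawData and SizeOfRawData), so the same assignments can be made there before calling write().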

And that is it: this was the short and simplified story of how PyPEELF got its process dumper.