Comparing section analysis between ELF and PE, explaining the format differences and how you approached them.
At last, Phase 3 for Binalyzer is now complete! It now lists sections for both PE and ELF files. I'll keep it short and sweet this time, since most of the information can already be understood from reading my previous post, so I'll just list the key takeaways of what I did here.
What did you do?
I thought you'd never ask.
Reading format
Obviously, since ELF and PE are designed for fundamentally different operating systems, the section fields are laid out differently in each format and have to be read and parsed separately. I looked up Microsoft's PE format documentation to work out the layout of a section header (40 bytes each, with NumberOfSections of them starting right after the optional header, i.e. at COFF offset + 20 + SizeOfOptionalHeader) and did the usual with methods like read() and unpack() to do the heavy lifting for me.
Make sure you read every single field of every section header, in order and with the right size; if you skip or mis-size one, every later field and every following header is read from the wrong offset and the data comes out displaced.
Reading names
Reading the names for each section was a similar process. The Name field is 8 bytes and padded with null bytes (\x00), so I had to remove them with the replace() method. Note that a name can use all 8 bytes with no terminator at all, so don't rely on finding a null byte to know where it ends.
Getting flags
I couldn't have thought of the proper solution without AI for this one (and I'm genuinely ashamed of this one, tbh). The Characteristics field is a single 32-bit bitmask in which every flag is one bit, and several flags are OR'd together into the same value, so a single hex digit can be the sum of two or more flag values; I had no idea whatsoever how to solve this little puzzle myself. Turns out, using bitwise AND (&) does the trick. You just check characteristics & flag == flag and store the flag in a flags dictionary as the key, with the description as the value (you will see an example later on). Two traps to watch for: a 0x0 "reserved" entry passes that test for every value (which is why it shows up under every section in the output below), and the IMAGE_SCN_ALIGN_* values are a 4-bit field rather than independent bits, so they need a mask and a lookup instead of a per-bit test.
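To tie the three steps above together (walking to the section table, stripping the padded names, and decoding Characteristics with bitwise AND), here is an added example in Python. It is not Binalyzer's code: the helper names are my own, the input is a constructed PE32+ header rather than a real binary, and the flag values are the real IMAGE_SCN_* constants from the PE/COFF spec. It also goes one step beyond the post by masking the alignment nibble correctly, keeping the 0x0 entry out of the flag table, and flagging sections that are both writable and executable, which is a quick check a practitioner would want.

```python
"""Added example: parse IMAGE_SECTION_HEADER entries from a PE file and
decode the Characteristics bitmask. Not Binalyzer's code; helper names are
my own. Flag values are the real IMAGE_SCN_* constants."""
import struct

COFF_HDR = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes

# Single-bit flags only. Deliberately no 0x0 "reserved" entry: x & 0 == 0
# is true for every value, so it would be reported under every section.
SECTION_FLAGS = {
    0x00000020: "Contains executable code",
    0x00000040: "Contains initialized data",
    0x00000080: "Contains uninitialized data",
    0x02000000: "Can be discarded",
    0x04000000: "Cannot be cached",
    0x08000000: "Not pageable",
    0x10000000: "Can be shared",
    0x20000000: "Can be executed as code",
    0x40000000: "Can be read",
    0x80000000: "Can be written to",
}
# IMAGE_SCN_ALIGN_* occupies bits 20-23 as a 4-bit number (1 = 1 byte,
# 2 = 2 bytes, 3 = 4 bytes, ..., 14 = 8192 bytes): mask it, don't bit-test it.
ALIGN_MASK = 0x00F00000


def decode_flags(characteristics):
    """Return {flag_value: description} for every flag set in the mask.

    In Python `&` binds tighter than `==`, so `x & flag == flag` reads as
    `(x & flag) == flag`. In C it would need explicit parentheses.
    """
    flags = {}
    for value, desc in SECTION_FLAGS.items():
        if characteristics & value == value:
            flags[value] = desc
    align = (characteristics & ALIGN_MASK) >> 20
    if align:
        flags[characteristics & ALIGN_MASK] = f"Align data on a {1 << (align - 1)}-byte boundary"
    return flags


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = COFF_HDR.unpack_from(data, coff_off)
    # The section table starts right after the optional header; take its
    # size from the COFF header rather than hard-coding 224 or 240.
    table_off = coff_off + COFF_HDR.size + opt_size
    sections = []
    for i in range(nsections):
        f = SECTION_HDR.unpack_from(data, table_off + i * SECTION_HDR.size)
        sections.append({
            # Name is 8 bytes, null-padded, possibly with no terminator at all.
            "Name": f[0].rstrip(b"\x00").decode("ascii", "replace"),
            "VirtualSize": f[1], "VirtualAddress": f[2],
            "SizeOfRawData": f[3], "PointerToRawData": f[4],
            "Characteristics": f[9], "Flags": decode_flags(f[9]),
        })
    return sections


def writable_and_executable(sections):
    """Names of sections mapped both writable and executable (packer/shellcode smell)."""
    wx = 0x80000000 | 0x20000000
    return [s["Name"] for s in sections if s["Characteristics"] & wx == wx]


def build_sample_pe():
    """Constructed PE32+ header with four section entries; not a real binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew -> PE signature at 64
    opt_size = 240                               # PE32+ optional header size
    coff = COFF_HDR.pack(0x8664, 4, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + bytes(opt_size - 2)
    entries = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".text", 0x37DB6, 0x1000, 0x38000, 0x1000, 0x60000020),   # code | exec | read
        (b".rdata", 0x9B38, 0x3A000, 0xA000, 0x3A000, 0x40000040),  # idata | read
        (b".data", 0x2000, 0x44000, 0x1000, 0x44000, 0xC0000040),   # idata | read | write
        (b"UPX1", 0x5000, 0x46000, 0x5000, 0x45000, 0xE0000040),    # idata | exec | read | write
    ]
    table = b"".join(SECTION_HDR.pack(n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in entries)
    return bytes(dos) + b"PE\x00\x00" + coff + opt + table


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(s["Name"], hex(s["Characteristics"]), list(s["Flags"].values()))
    print("W+X sections:", writable_and_executable(secs))
```

Running it on a real file is just `parse_sections(open(path, "rb").read())`; the W+X check is the kind of thing worth printing next to each section, since a legitimately linked image rarely needs a section that is both writable and executable.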
What is the output for these PEs then?
Here you go.
cmd.exe: Header and first three sections
File path: /mnt/c/Windows/system32/cmd.exe
Filetype: PE
Magic number : 0x20b
PE Header :
COFF Offset : 248
Signature : b'PE\x00\x00'
File Header :
Machine : x64
NumberOfSections : 8
TimeDateStamp : 2091-09-06 23:01:06+00:00
PointerToSymbolTable : 0
NumberOfSymbols : 0
SizeOfOptionalHeader (bytes) : 240
Characteristics :
0x2 : Executable file
0x20 : Can handle >2GB addresses
Optional Header :
Standard Fields :
Magic : PE32+
MajorLinkerVersion : 14
MinorLinkerVersion : 38
SizeOfCode : 233472
SizeOfInitializedData : 217088
SizeOfUninitializedData : 0
AddressOfEntryPoint : 162592
BaseOfCode (address) : 4096
Sections :
[0]
Name : .text
VirtualSize : 0x37db6
VirtualAddress : 0x1000
SizeOfRawData : 0x38000
PointerToRawData : 0x1000
PointerToRelocations : 0x0
PointerToLinenumbers : 0x0
NumberOfRelocations : 0x0
NumberOfLinenumbers : 0x0
Characteristics :
0x0 : Reserved for future use
0x20 : Contains executable code
0x20000000 : Can be executed as code
0x40000000 : Can be read
[1]
Name : fothk
VirtualSize : 0x1000
VirtualAddress : 0x39000
SizeOfRawData : 0x1000
PointerToRawData : 0x39000
PointerToRelocations : 0x0
PointerToLinenumbers : 0x0
NumberOfRelocations : 0x0
NumberOfLinenumbers : 0x0
Characteristics :
0x0 : Reserved for future use
0x20 : Contains executable code
0x20000000 : Can be executed as code
0x40000000 : Can be read
[2]
Name : .rdata
VirtualSize : 0x9b38
VirtualAddress : 0x3a000
SizeOfRawData : 0xa000
PointerToRawData : 0x3a000
PointerToRelocations : 0x0
PointerToLinenumbers : 0x0
NumberOfRelocations : 0x0
NumberOfLinenumbers : 0x0
Characteristics :
0x0 : Reserved for future use
0x40 : Contains initialized data
0x40000000 : Can be read
If you want to check out more details on this update, check out the releases on my GitHub repo. I will start Phase 4 very soon. Ta ta!