• Stars
    star
    917
  • Rank 49,814 (Top 1.0 %)
  • Language
    C++
  • License
    BSD 2-Clause "Sim...
  • Created about 7 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A library to load, manipulate, dump PE files. See also: https://github.com/hasherezade/libpeconv_tpl

libPeConv

Build status Codacy Badge Commit activity Last Commit

License Platform Badge

A library to load and manipulate PE files.

Objectives

The goal of libPEConv was to create a "swiss army knife" for custom loading of PE files. It gathers various helper functions that you can quickly integrate in your own loader. For example: remapping sections, applying relocations, loading imports, parsing resources.

Not only it allows for loading PE files, but also for customizing of some steps, i.e. IAT hooking (by providing custom IAT resolvers), and functions redirection. Yet, it is NOT focused on inline hooking and should not be confused with libraries such as MS Detours or MinHook.

LibPeConv can be used for creating PE binders, as it allows to load a PE directly from the resource, and integrate it as if it was a local code.

As well it can help you in dumping PEs from the memory, and rebuilding their IATs.

Basic example

The simplest usecase: use libPeConv to manually load and run an EXE of you choice.

#include <Windows.h>
#include <iostream>

#include <peconv.h> // include libPeConv header

int main(int argc, char *argv[])
{
    if (argc < 2) {
        std::cout << "Args: <path to the exe>" << std::endl;
        return 0;
    }
    LPCSTR pe_path = argv[1];

    // manually load the PE file using libPeConv:
    size_t v_size = 0;
#ifdef LOAD_FROM_PATH
    //if the PE is dropped on the disk, you can load it from the file:
    BYTE* my_pe = peconv::load_pe_executable(pe_path, v_size);
#else
    size_t bufsize = 0;
    BYTE *buffer = peconv::load_file(pe_path, bufsize);

    // if the file is NOT dropped on the disk, you can load it directly from a memory buffer:
    BYTE* my_pe = peconv::load_pe_executable(buffer, bufsize, v_size);
#endif
    if (!my_pe) {
        return -1;
    }
	
    // if the loaded PE needs to access resources, you may need to connect it to the PEB:
    peconv::set_main_module_in_peb((HMODULE)my_pe);
    
    // load delayed imports (if present):
    const ULONGLONG load_base = (ULONGLONG)my_pe;
    peconv::load_delayed_imports(my_pe, load_base);
  
    // if needed, you can run TLS callbacks before the Entry Point:
    peconv::run_tls_callbacks(my_pe, v_size);
	
    //calculate the Entry Point of the manually loaded module
    DWORD ep_rva = peconv::get_entry_point_rva(my_pe);
    if (!ep_rva) {
        return -2;
    }
    ULONG_PTR ep_va = ep_rva + (ULONG_PTR) my_pe;
    //assuming that the payload is an EXE file (not DLL) this will be the simplest prototype of the main:
    int (*new_main)() = (int(*)())ep_va;

    //call the Entry Point of the manually loaded PE:
    return new_main();
}

See also: https://github.com/hasherezade/libpeconv_tpl/blob/master/project_template/main.cpp

Read more

More Repositories

1

pe-bear

Portable Executable reversing tool with a friendly GUI
C++
1,976
star
2

pe_to_shellcode

Converts PE into a shellcode
C++
1,911
star
3

malware_training_vol1

Materials for Windows Malware Analysis training (volume 1)
Assembly
1,806
star
4

hollows_hunter

Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
C
1,659
star
5

tiny_tracer

A Pin Tool for tracing API calls etc
C++
880
star
6

demos

Demos of various injection techniques found in malware
C
771
star
7

pe-bear-releases

PE-bear (builds only)
762
star
8

dll_to_exe

Converts a DLL into EXE
C++
726
star
9

exe_to_dll

Converts a EXE into DLL
C++
657
star
10

bearparser

Portable Executable parsing library (from PE-bear)
C++
608
star
11

process_ghosting

Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file
C
551
star
12

mal_unpack

Dynamic unpacker based on PE-sieve
C
543
star
13

process_doppelganging

My implementation of enSilo's Process Doppelganging (PE injection technique)
C
489
star
14

transacted_hollowing

Transacted Hollowing - a PE injection technique, hybrid between ProcessHollowing and ProcessDoppelgänging
C
457
star
15

malware_analysis

Various snippets created during malware analysis
Python
447
star
16

ida_ifl

IFL - Interactive Functions List (plugin for IDA Pro)
Python
392
star
17

module_overloading

A more stealthy variant of "DLL hollowing"
C
318
star
18

process_overwriting

Yet another variant of Process Hollowing
C++
313
star
19

IAT_patcher

Persistent IAT hooking application - based on bearparser
C++
236
star
20

persistence_demos

Demos of various (also non standard) persistence methods used by malware
C++
214
star
21

chimera_pe

ChimeraPE (a PE injector type - alternative to: RunPE, ReflectiveLoader, etc) - a template for manual loading of EXE, loading imports payload-side
C
208
star
22

shellconv

Small tool for disassembling shellcode (using objdump)
Python
144
star
23

masm_shc

A helper utility for creating shellcodes. Cleans MASM file generated by MSVC, gives refactoring hints.
C++
136
star
24

antianalysis_demos

Set of antianalysis techniques found in malware
C++
119
star
25

password_scrambler

Password scrambler - a deterministic password re-generator (alternative to a password manager)
Python
118
star
26

dll_injector

A simple commandline injector using classic DLL injection
C++
114
star
27

funky_malware_formats

Parsers for custom malware formats ("Funky malware formats")
C++
94
star
28

process_chameleon

A process overwriting its own PEB to make an illusion that it has been loaded from a different path.
C
93
star
29

mal_unpack_drv

MalUnpack companion driver
C++
82
star
30

crypto_utils

Set of my small utils related to cryptography, encoding, decoding etc
Python
76
star
31

ViDi

ViDi Visual Disassembler (experimental)
C++
76
star
32

pe2pic

Small visualizator for PE files
Python
63
star
33

pin_n_sieve

An experimental dynamic malware unpacker based on Intel Pin and PE-sieve
C++
54
star
34

paramkit

A small library helping to parse commandline parameters (for C/C++)
C++
52
star
35

petya_recovery

Application for cracking Red Petya key based on genetic algorithms.
C++
50
star
36

petya_key

A decoder for Petya victim keys, using the Janus' masterkey.
C++
43
star
37

libpeconv_tpl

A ready-made template for a project based on libpeconv.
C++
40
star
38

pe_unmapper

Small tool to convert beteween the PE alignments (raw and virtual).
C++
39
star
39

flareon2019

Flare-On solutions
C
36
star
40

mal_sort

Various scripts helpful in sorting collections of malware samples.
Python
36
star
41

pesieve-go

Golang bindings for PE-sieve
Go
35
star
42

IAT_patcher_samples

Sample libraries to be used with IAT Patcher
C++
32
star
43

pe_utils

A set of small utilities, helpers for PIN tracers
C++
31
star
44

hidden_bee_tools

Parser for a custom executable format from Hidden Bee malware (first stage)
C
31
star
45

mal_unpack_py

Python wrappers for mal_unpack
Python
29
star
46

decryptors_archive

Archive of ransomware decryptors
C++
28
star
47

flareon2022

JavaScript
27
star
48

asm16_projects

My small projects writen in 16 bit asm (NOTE: those are my practice projects that I wrote when I was 15, I give no warranty for this code!)
Assembly
23
star
49

tag_converter

C++
22
star
50

petya_green

Application for random attack on Green Petya's key
C++
22
star
51

bootldr_demo

Demo bootloaders - created just for fun
Assembly
21
star
52

metasploit_modules

My metasploit modules
Ruby
19
star
53

loaderine

A demo implementation of a well-known technique used by some malware to evade userland hooking, using my library: libpeconv.
C
19
star
54

jpassword_scrambler

Small utility to generate complicated passwords - version with GUI
Java
17
star
55

bunitu_tests

Scripts for communication with Bunitu Trojan C&Cs
Python
16
star
56

7ev3n_decoders

Decoders for 7ev3n ransomware
Assembly
14
star
57

libpeconv_and_detours_tpl

A template for projects using both libPeConv and MS Detours
C++
14
star
58

sig_finder

Signature finder (from PE-bear)
C++
13
star
59

detours_cmake_tpl

A CMake template for projects using MS Detours
CMake
13
star
60

passcrambler

https://hasherezade.github.io/passcrambler/
JavaScript
11
star
61

challs

My solutions for random crackmes and other challenges
C++
11
star
62

wke_exercises

My solutions for HackSys Extreme Vulnerable Driver
C++
10
star
63

drawings

Some of my drawings
9
star
64

pe_recovery_tools

A placeholder repository
9
star
65

hasherezade.github.io

My projects' homepage
HTML
8
star
66

mastercoder2014

My solutions
C++
8
star
67

libpeconv_demo

Demo projects and utilities made with the help of libPeConv
C++
8
star
68

bearparser_tests

External tests for bearparser
Assembly
7
star
69

libpeconv_wrappers

A ready-made template for a new project based on libPeConv library
C++
7
star
70

hasherezade

6
star
71

paramkit_tpl

A template for a project using ParamKit
C++
5
star
72

pesieve_tests

External tests for PE-sieve
4
star