ECN>> headerParser>> 返回
项目作者: fkie-cad

项目描述 :
Header information parser for PE, ELF, DEX, MachO, ZIP (JAR, DocX).
高级语言: C
项目地址: git://github.com/fkie-cad/headerParser.git
创建时间: 2020-09-29T08:35:07Z
项目社区:https://github.com/fkie-cad/headerParser
开源协议:GNU General Public License v3.0
下载



HeaderParser Logo

Header Parser

Parses header information of a binary (executable) file.
PE, ELF, DEX, MachO, ZIP (JAR, DocX) are parsed in depth.
Java.class, ART, .NET, NE, MS-DOS are recognized.

The focus was on PE and ELF.
The other types are handled less carefully but may be extended in the future.
As well as PE and ELF still have to be extended.

POSIX compliant.
Compiles and runs under

  • Linux
  • Windows (x86/x64)
  • OsX may work too
  • Android in Termux

CONTENTS

VERSION

1.15.15
Last changed: 23.09.2024

REQUIREMENTS

  • Linux
    • Gcc
  • Windows
    • msbuild

BUILD

Linux (gcc)

script

  1. $ ./linuxBuild.sh [-t app] [-m Release|Debug] [-h]

manual

  1. $ mkdir build
  2. $ gcc -o build/headerParser -Wl,-z,relro,-z,now -D_FILE_OFFSET_BITS=64 -Ofast src/headerParser.c src/pe/PEHeader.c src/pe/PEHeaderOffsets.c

Use clang instead of gcc in Termux on Android.

Windows (MsBuild)

  1. $ winBuild.bat [/exe] [/m <Release|Debug>] [/b <32|64>] [/rtl] [/pdb] [/bt <path>] [/pts <PlatformToolset>] [/h]

This will run in a normal cmd.

The correct path to your build tools may be passed with the /bt parameter or changed in the script winBuild.bat itself.

The PlatformToolset defaults to “v142”, but may be changed with the /pts option.
“v142” is used for VS 2019, “v143” would be used in VS 2022.

In a developer cmd you can also type:

  1. $devcmd> msbuild HeaderParser.vcxproj /p:Configuration=<Release|Debug> /p:Platform=<x64|x86> [/p:PlatformToolset=<v142|v143|WindowsApplicationForDrivers10.0>]

Warnings
MSBuild issues some serious warnings:

  • headerParser\src\headerDataHandler.h(54): warning C6001: Using uninitialized memory
  • headerParser\src\dex\DexHeaderParser.h(371): warning C6386: Buffer overrun

But so far I could not figure out, how to fix them, or put another way, what’s the problem.
If someone knows, feel free to drop me a line.

Runtime Errors (Windows)

If a “VCRUNTIMExxx.dll not found Error” occurs on the target system, statically including runtime libs is a solution.
This is done by using the /p:RunTimeLib=Debug|Release (msbuild) or [/rtl] (winBuild) flags.

USAGE

  1. $ ./headerParser a/file/name [options]
  2. $ ./headerParser [options] a/file/name

Options:

  • -h Print help.
  • -s:uint64_t Start offset in file. Default = 1.
  • -i:uint8_t Level of output info. 1 : minimal output (Default), 2 : extended output (basic header).
  • -f:string Force parsing a specific type, skipping magic value checks. Currently, only “pe” is supported.
  • -offs: show file offsets of the printed values (for -i 2 or XX only options).
  • PE only options:
    • -dosh: Print DOS header.
    • -coffh: Print COFF header.
    • -opth: Print Optional header.
    • -sech: Print Section headers.
    • -exp: Print the Image Export Table (IMAGE_DIRECTORY_ENTRY_EXPORT).
    • -imp: Print the Image Import Table (IMAGE_DIRECTORY_ENTRY_IMPORT) dll names and info.
    • -impx: Print the Image Import Table (IMAGE_DIRECTORY_ENTRY_IMPORT) dll names, info and imported functions.
    • -res: Print the Image Resource Table (IMAGE_DIRECTORY_ENTRY_RESOURCE).
    • -crt: Print the Image Certificate Table (IMAGE_DIRECTORY_ENTRY_CERTIFICATE).
    • -cod: Directory to save found certificates in. (Needs -crt.)
    • -rel: Print the Image Base Relocation Table (IMAGE_DIRECTORY_ENTRY_BASE_RELOC).
    • -dbg: Print the Debug Table (IMAGE_DIRECTORY_ENTRY_DEBUG).
    • -dbgx: Print the Debug Table (IMAGE_DIRECTORY_ENTRY_DEBUG) extended.
    • -tls: Print the Image TLS Table (IMAGE_DIRECTORY_ENTRY_TLS).
    • -lcfg: Print the Image Load Config Table (IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)
    • -bimp: Print the Image Bound Import Table (IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT).
    • -dimp: Print the Image Delay Import Table (IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT) dll names and info.
    • -dimpx: Print the Image Delay Import Table (IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT) dll names, info and imported functions.
  • ELF only options:
    • -fileh: Print file header.
    • -progh: Print program headers.
    • -sech: Print section headers.
    • -sym: Print symbol table (names only).
    • -symx: Print symbol table with all info.
    • -dym: Print dynamic symbol table (names only).
    • -dymx: Print dynamic symbol table with all info.
  • DEX only options:
    • -fileh: Print file header.
    • -class: Print class defs.
    • -field: Print field ids.
    • -map: Print map.
    • -method: Print method ids.
    • -proto: Print proto ids.
    • -string: Print string ids.
    • -type: Print type ids.

Windows Context Menu

It may be convenient to add HeaderParser to the context menu to be able to right-click a file and header parse it.
In this scenario, you may use

  1. $ addHeaderParserToShellCtxtMenu.bat /p "c:\HeaderParser.exe" [/l "Open in HeaderParser"]

EXAMPLE

  1. $ ./headerParser a/file/name [-i 1]
  3. HeaderData:
  4. coderegions:
  5.  (1) .text: ( 0x0000000000000400 - 0x000000000000fc00 )
  6.  (2) .init ...
  7.  (3) ...
  8. headertype: PE|ELF|... (32|64)
  9. bitness: 64-bit|32-bit|x-bit
  10. endian: little|big
  11. CPU_arch: Intel|Arm|...
  12. Machine: ...

There is a difference between the header bitness (displayed in brackets following the headertype) and the bitness of the executable (program code).
The header bitness is 32 or 64 bit for ELF, MACH-O and PE.
The bitness of the executable (program code) may be different though.

An extended output will be printed, by setting “-i 2”, which will cover the basic headers.

  1. $ ./headerParser a/file.exe -i 2
  3. PE Image Dos Header:
  4. ...
  5. Coff File Header:
  6. ...
  7. Optional Header::
  8. ...
  9. Section Header:
  10. 1 / x
  11. ...
  12. 2 / x
  1. $ ./headerParser an/elf/file -i 2
  3. ELF File header:
  4. ...
  5. Program Header Table:
  6. 1 / x
  7. ...
  8. 2 / x
  9. ...
  10. Section Header Table:
  11. 1 / y
  12. ...
  13. 2 / y
  14. ...

A more fine-grained and/or extended printout is available with the PE or ELF only options.

Offsets

If you think, the header starts somewhere in the file, you may pass an offset to it using the “-s” option.

Forcing

If you think it is a PE file but the MZ or PE00 magic values are broken, try the “-f pe” option.

LIBRARY USAGE

HeaderParser may also be build as a shared or static library.

Build

Linux

  1. $ ./linuxBuild.sh -t sh [-m Release|Debug] [-h]
  2. or
  3. $ ./linuxBuild.sh -t st [-m Release|Debug] [-h]

or plain:
shared 

  1. $ mkdir build
  2. $ gcc -fPIC -Wl,-z,relro,-z,now -shared -Ofast -D_FILE_OFFSET_BITS=64 -Wall -o build/libheaderparser.so src/headerParserLib.c src/pe/PEHeader.c src/pe/PEHeaderOffsets.c

static 

  1. $ mkdir build
  2. $ gcc -fPIC -Wl,-z,relro,-z,now -Ofast -D_FILE_OFFSET_BITS=64 -c -Wall -o build/headerParserLib.o src/headerParserLib.c 
  3. $ gcc -fPIC -Wl,-z,relro,-z,now -Ofast -D_FILE_OFFSET_BITS=64 -c -Wall -o build/PEHeader.o src/pe/PEHeader.c
  4. $ gcc -fPIC -Wl,-z,relro,-z,now -Ofast -D_FILE_OFFSET_BITS=64 -c -Wall -o build/PEHeaderOffsets.o src/pe/PEHeaderOffsets.c
  5. $ ar rcs build/headerParser.a build/*.o

Windows

  1. $ winBuild.bat /dll [/m Release|Debug] [/b 32|64]
  2. // or
  3. $ winBuild.bat /lib [/m Release|Debug] [/b 32|64]

Usage

Additionally to the included header files src\exp.h is needed in the same directory.
This may be removed soon.

  1. // link library when compiling
  2. // include
  3. #include "src/HeaderData.h"
  4. #include "src/headerParserLib.h"
  5. ...
  6. // use library
  7. size_t offset = 0;
  8. uint8_t force = FORCE_NONE; // or FORCE_PE
  9. HeaderData* data = getBasicHeaderParserInfo("a/file.path", offset, force);
  10. if ( data )
  11. {
  12. // do stuff handling data
  13. // ...
  14. }
  15. // clean up
  16. freeHeaderData(data);

For PE files there is an extended parser available.
This one includes the basic data info.

  1. // include
  2. #include "src/PEHeaderData.h"
  3. #include "src/headerParserLibPE.h"
  4. ...
  5. // use library
  6. size_t offset = 0;
  7. PEHeaderData* data = getPEHeaderData("a/file.path", offset);
  8. if ( data )
  9. {
  10. // do stuff handling data
  11. // ...
  12. }
  13. // clean up
  14. freePEHeaderData(data);

Python

Using the library is the preferred usage in python.
On the python side, use header_parser.py.

  1. from src import header_parser
  3. # initialization
  4. header_parser.init("src/of/libheaderparser.so")
  5. # default usage
  6. data = header_parser.get_basic_info('a/file.src')
  7. # passing a start offset
  8. data = header_parser.get_basic_info('a/file.src', 10)
  9. # passing a start offset and forcing PE parsing
  10. data = header_parser.get_basic_info('a/file.src', 10, header_parser.FORCE_PE)
  11. # convert cpu id and header type id into strings
  12. cpu = header_parser.lib_header_parser.getHeaderDataHeaderType(data['cpu'])
  13. header_type = header_parser.lib_header_parser.getHeaderDataArchitecture(data['headertype'])

Published under GNU GENERAL PUBLIC LICENSE.

Author

Co-Author, Icon Art

common_codeio.h, Icon.ico