kichik / pecoff4j Goto Github PK

PE/COFF 4J is a java engineering library for portable executables, the format used by Windows

Java 93.12% CSS 0.32% HTML 6.56%

pecoff4j's Introduction

PECOFF4J

PE/COFF 4J is a java engineering library for portable executables, the format used by Windows. It has the following features:

Parser for Windows executables and DLLs.
Assembler for creating and modifying executables and DLLs.
Resource directory parser - understands version info, icons.

This is a fork of http://sourceforge.net/projects/pecoff4j/

Imported from CVS on May 24th, 2014

Installation

This fork of PECOFF4J is available on Maven Central.

<dependency>
  <groupId>com.kichik.pecoff4j</groupId>
  <artifactId>pecoff4j</artifactId>
  <version>0.4.1</version>
</dependency>

See Maven Central for more installation options like Gradle, SBT, Ivy, etc.

License

Sources are licensed under Common Public License v1.0

New Features

The project was forked to implement version string parsing for a StackOverflow question.

Recently, support for modifying the resource directory has been added (e.g. adding or removing icons). See the ResourceDirectoryTest for some basic examples. Use the rebuild method to re-calculate the internal structures prior to creating the binary using the write method.

Example

import java.io.IOException;

import com.kichik.pecoff4j.PE;
import com.kichik.pecoff4j.ResourceDirectory;
import com.kichik.pecoff4j.ResourceEntry;
import com.kichik.pecoff4j.constant.ResourceType;
import com.kichik.pecoff4j.io.DataReader;
import com.kichik.pecoff4j.io.PEParser;
import com.kichik.pecoff4j.resources.StringFileInfo;
import com.kichik.pecoff4j.resources.StringPair;
import com.kichik.pecoff4j.resources.StringTable;
import com.kichik.pecoff4j.resources.VersionInfo;
import com.kichik.pecoff4j.util.ResourceHelper;

public class Main {

	public static void main(String[] args) throws IOException {
		PE pe = PEParser.parse("C:/windows/system32/notepad.exe");
		ResourceDirectory rd = pe.getImageData().getResourceTable();

		ResourceEntry[] entries = ResourceHelper.findResources(rd, ResourceType.VERSION_INFO);
		for (ResourceEntry entry : entries) {
			byte[] data = entry.getData();
			VersionInfo version = VersionInfo.read(new DataReader(data));

			StringFileInfo strings = version.getStringFileInfo();
			StringTable table = strings.getTables().get(0);
			for (List<StringPair> pair : table.getStrings()){
				System.out.println(pair.getKey() + " = " + pair.getValue());
			}
		}
	}

}

Will print:

CompanyName = Microsoft Corporation
FileDescription = Notepad
FileVersion = 6.1.7600.16385 (win7_rtm.090713-1255)
InternalName = Notepad
LegalCopyright = © Microsoft Corporation. All rights reserved.
OriginalFilename = NOTEPAD.EXE
ProductName = Microsoft® Windows® Operating System
ProductVersion = 6.1.7600.16385

pecoff4j's People

Contributors

Stargazers

Watchers

pecoff4j's Issues

Is there a proper documentation for this library

It is very hard to understand this library if you want to do serious changes in it.

Crash report

java.lang.NegativeArraySizeException: -12
at org.boris.pecoff4j.io.PEParser.readStub(PEParser.java:158)
at org.boris.pecoff4j.io.PEParser.read(PEParser.java:77)
at org.boris.pecoff4j.io.PEParser.parse(PEParser.java:63)
at org.boris.pecoff4j.io.PEParser.parse(PEParser.java:57)
at com.kyhsgeekcode.disassembler.MainActivity.OnChoosePath(MainActivity.java:1594)
at com.kyhsgeekcode.disassembler.MainActivity.access$1000081(MainActivity.java)
at com.kyhsgeekcode.disassembler.MainActivity$100000018.onSelect(MainActivity.java:1428)
at com.codekidlabs.storagechooser.fragments.SecondaryChooserFragment$7$1.run(SecondaryChooserFragment.java:188)
at android.os.Handler.handleCallback(Handler.java:751)
at android.os.Handler.dispatchMessage(Handler.java:95)
at android.os.Looper.loop(Looper.java:154)
at android.app.ActivityThread.main(ActivityThread.java:6126)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:886)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:776)
at de.robv.android.xposed.XposedBridge.main(XposedBridge.java:107)

Download link unavailable [Prio:Minor]

Thanks for the implementation, would be nice to be able to download the .jar straight away. The link https://drone.io/github.com/kichik/pecoff4j/files is broken.

IndexOutOfBoundsException while trying to read IAT

        importSymbols=new ArrayList<>();
	ImportDirectory idir= imd.getImportTable();
	int numofIAT=idir.size();
	for(int i=0;i<numofIAT;++i)
	{
		ImportDirectoryTable idt=idir.getNameTable(i);
		int numofEntry=idt.size();
		for(int j=0;j<numofEntry;++j)
		{
			ImportEntry ie=idt.getEntry(j);
			PLT plt=new PLT();
			plt.name=ie.getName();
			/lplt.address=ie.getOrdinal();
			plt.value=ie.getVal();
			importSymbols.add(plt);
		}
		importSymbols.add(new PLT());
	}

When I try to use this code, I get IndexOutOfBoundsException at idir.getNameTable(i). (Index 0, Size 0).

Even when I tried changing getNameTable(i) to getAddressTable(i), the same thing happens.

How can I correctly enumerate IAT using this library?

Thanks!

How to modify an .exe's icon.

I've tried a modified version of the Test code, but I couldn't get it working. Any ideas? (entry(), directory(), and createIconDirectory() are just copy/pasted from the test)

                // https://github.com/kichik/pecoff4j/blob/master/src/test/java/com/kichik/pecoff4j/ResourceDirectoryTest.java
                PE pe = PEParser.parse(executableFile);

                ResourceDirectory directory = pe.getImageData().getResourceTable();

                // add icon from ico file
                IconFile iconFile = IconFile.read(new DataReader(myBytes));
                List<ResourceEntry> iconEntries = new ArrayList<>();
                for (IconImage iconImage : iconFile.getImages()) {
                    iconEntries.add(
                        entry(
                            iconEntries.size() + 1,
                            directory(entry(2057, iconImage.toByteArray()))
                        )
                    );
                }
                directory.getEntries().add(
                    entry(
                        ResourceType.ICON,
                        directory(iconEntries.toArray(new ResourceEntry[0]))
                    )
                );

                // add icon directory
                byte[] iconDirData = createIconDirectory(iconFile.getImages()).toByteArray();
                directory.getEntries().add(
                    entry(
                        ResourceType.GROUP_ICON,
                        directory(entry(1, directory(entry(2057, iconDirData))))
                    )
                );

                pe.rebuild(PaddingType.PATTERN);
                pe.write(new DataWriter(executableFile));

Support packed executables

For packed executables we should:

Make all structures optional with isAvailable() method
Don't throw exceptions when something is out-of-bounds, but instead mark as not available
Provide an interface for unpacking known packers like UPX

a maven-central artifact would be nice

To use pecoff4j I currently have to include the JAR file in my source code repository. I'd much rather simply declare the dependency using maven, but for that the artifact would have to be available on maven-central or a similar repository. It would be great if it was possible.

Not all dlls contain resources - ResourceHelper can throw NullPointerException

------------ C:\Windows\System32\nvcompiler.dll ------------------
java.lang.NullPointerException
at org.boris.pecoff4j.util.ResourceHelper.findResources(ResourceHelper.java:42)
at org.boris.pecoff4j.util.ResourceHelper.findResources(ResourceHelper.java:31)
at org.boris.pecoff4j.util.ResourceHelper.findResources(ResourceHelper.java:20)

IndexOutOfBoundsException in PEParser

When I was trying to read FileInfo of Spotify Executable (C:\Users\Antara\AppData\Roaming\Spotify\Spotify.exe) the following exception was thrown:

java.lang.IndexOutOfBoundsException: length [64] + offset [16777044] > data.length [6260224]
at org.boris.pecoff4j.io.ByteArrayDataReader.(ByteArrayDataReader.java:33)
at org.boris.pecoff4j.io.PEParser.readSection(PEParser.java:472)
at org.boris.pecoff4j.io.PEParser.read(PEParser.java:87)
at org.boris.pecoff4j.io.PEParser.parse(PEParser.java:58)
at org.boris.pecoff4j.io.PEParser.parse(PEParser.java:54)

Other applications are not throwing this error

at org.boris.pecoff4j.io.PEParser.readAttributeCertificateTable(PEParser.java:756)

How should i deal whit this problem?
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
at org.boris.pecoff4j.io.PEParser.readAttributeCertificateTable(PEParser.java:756)
at org.boris.pecoff4j.io.PEParser.readAttributeCertificateTable(PEParser.java:746)
at org.boris.pecoff4j.io.PEParser.readImageData(PEParser.java:380)
at org.boris.pecoff4j.io.PEParser.read(PEParser.java:99)
at org.boris.pecoff4j.io.PEParser.parse(PEParser.java:63)
at org.boris.pecoff4j.io.PEParser.parse(PEParser.java:57)
at org.boris.pecoff4j.TestMSG.propertyMsg(TestMSG.java:38)
at org.boris.pecoff4j.TestMSG.main(TestMSG.java:127)

TestMSG.java:38 - > code like this :
pe = PEParser.parse(dllPath);

I catch this Exception in try{}catch(), but it does not work.

BTW :
I can catch this exception if i only analysis this particular dll file once . But i can't catch the exception when i put a series file path into a Arraylist and then use the code -"dllProperty.propertyMsg(fileList.get(i))" to analysis files.

EOFException reading VersionInfo on some dlls

I tried parsing this dll and it failed part way though with an EOFException:

C:\Program Files (x86)\Microsoft ASP.NET\ASP.NET Web Pages\v2.0\Packages\Microsoft.AspNet.Razor.2.0.30506.0\lib\net40\System.Web.Razor.dll

Exception in thread "main" java.io.EOFException: Expected to read bytes from the stream
at org.boris.pecoff4j.io.DataReader.safeRead(DataReader.java:161)
at org.boris.pecoff4j.io.DataReader.readWord(DataReader.java:48)
at org.boris.pecoff4j.io.DataReader.readUnicode(DataReader.java:146)
at org.boris.pecoff4j.io.ResourceParser.readStringPair(ResourceParser.java:193)
at org.boris.pecoff4j.io.ResourceParser.readStringTable(ResourceParser.java:181)
at org.boris.pecoff4j.io.ResourceParser.readStringFileInfo(ResourceParser.java:227)
at org.boris.pecoff4j.io.ResourceParser.readVersionInfo(ResourceParser.java:147)
at org.boris.pecoff4j.io.ResourceParser.readVersionInfo(ResourceParser.java:135)

There seems to be some sort of offset problem reading the stringTable such that it starts trying to read a StringPair and gets the length wrong, and then tries to read past the end of the table and fails.

Some file description not correctly read

I find two files whose file description are not correctly read

C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\Drivers\Brserid.sys

Click here to download them if you don't have

StringFileInfo values end in null char

The values in the StringFileInfo's StringTable end in the null char; these should be trimmed as java strings are not normally expected to end in a null char.

pe.getArchitecture returns null??

user32 (1).zip

user32.zip

ArrayIndexOutOfBoundsException during parse

---------- C:\Windows\System32\MaxxAudioRealtek64.dll --------------
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 147388
at org.boris.pecoff4j.io.ByteArrayDataReader.read(ByteArrayDataReader.java:61)
at org.boris.pecoff4j.io.PEParser.readResourceEntry(PEParser.java:716)
at org.boris.pecoff4j.io.PEParser.readResourceDirectory(PEParser.java:685)
at org.boris.pecoff4j.io.PEParser.readResourceEntry(PEParser.java:705)
at org.boris.pecoff4j.io.PEParser.readResourceDirectory(PEParser.java:685)
at org.boris.pecoff4j.io.PEParser.readResourceEntry(PEParser.java:705)
at org.boris.pecoff4j.io.PEParser.readResourceDirectory(PEParser.java:685)
at org.boris.pecoff4j.io.PEParser.readResourceDirectory(PEParser.java:675)
at org.boris.pecoff4j.io.PEParser.readImageData(PEParser.java:368)
at org.boris.pecoff4j.io.PEParser.readSection(PEParser.java:478)
at org.boris.pecoff4j.io.PEParser.read(PEParser.java:89)
at org.boris.pecoff4j.io.PEParser.parse(PEParser.java:58)