Support for PE COFF (.exe, .dll, .scr, etc Windows binaries) format? #442
Hey, thanks for all the references. Yes, PE COFF would be a great addition and should be no problem decoding-wise. And as you noted it is probably not that different from ELF and Macho, which fq already has some support for. It's mostly a matter of someone taking the time to do it. Is it something you would like to help out with? At the moment the spare time I have for fq will probably be spent on some other things, so it might take some time until I get to it, but who knows :). But I'm more than willing to guide and help out.
Ah, I'd love to do so, as writing PE parsers is part of these days' hacker rite of passage, but my company isn't ok with me working on FLOSS software (I swear that pypcapkit commit isn't mine), and more importantly I have malware running in my infra right now, no time to invest in anything else than decoding cobalt strike configurations :D If I get some energy outside of my work hours for computers I might get excited and do that. But so far hachoir being unusable, and kaitaistruct not well interoperable, I usually end up using Quarkslab's excellent "lief" project which does everything I need https://lief-project.github.io/ . Best regards,
I see, no worries. Thanks again for more tools; having many specs and tools to cross-reference usually speeds up writing a decoder a lot. Let's keep in sync in this issue and good luck with the malware!
Did an initial draft that might be a good starting point for someone #443
What version are you using (fq -v)?

How was fq installed?
Downloaded from https://github.com/wader/fq/releases as that old ubuntu20 doesn't have packages.
Can you reproduce the problem using the latest release or master branch?
I believe it was.
What did you do?
I did just run fq . file.exe and it turns out fq doesn't know about PE files! :D
What result did you expect?
I did expect some knowledge of the PE format, but I understand that parsing PE files isn't simple as there are edge cases and ahem implementation details.
But if you lads have already implemented ELF then it shouldn't be unreachable to get PE COFF implemented?
What did you see instead?
No knowledge of the PE/COFF format.
Further reading
Thanks a lot for reading, cheers !
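As an added example (not fq's own code, nor the draft in #443), this is the first thing a PE/COFF decoder like the one requested in this issue has to get right: walk the MZ DOS header, follow e_lfanew, check the "PE\0\0" signature and read the 20-byte COFF file header, with every offset bounds-checked so a crafted file cannot send the parser out of range. The sample image and the values in it are constructed for the example, not taken from any real binary.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// CoffHeader is the 20-byte COFF file header that follows the "PE\0\0" signature.
type CoffHeader struct {
	Machine, NumberOfSections                            uint16
	TimeDateStamp, PointerToSymbolTable, NumberOfSymbols uint32
	SizeOfOptionalHeader, Characteristics                uint16
}

// ParseCoffHeader walks the PE/COFF prologue: "MZ" DOS header, e_lfanew at 0x3c, "PE\0\0"
// signature, then the COFF header. Offsets are checked first: e_lfanew in a crafted file can point anywhere.
func ParseCoffHeader(b []byte) (CoffHeader, error) {
	var h CoffHeader
	if len(b) < 0x40 || b[0] != 'M' || b[1] != 'Z' {
		return h, errors.New("missing MZ DOS header")
	}
	off := uint64(binary.LittleEndian.Uint32(b[0x3c:]))
	if off+4+20 > uint64(len(b)) {
		return h, errors.New("e_lfanew points outside the file")
	}
	if string(b[off:off+4]) != "PE\x00\x00" {
		return h, errors.New("missing PE signature")
	}
	// All fields are little-endian fixed-width integers, so binary.Read fills the struct in declaration order.
	err := binary.Read(bytes.NewReader(b[off+4:off+24]), binary.LittleEndian, &h)
	return h, err
}

// SampleImage is a constructed stub (not a real binary): MZ header, e_lfanew = 0x40,
// PE signature and a COFF header describing an x86-64 PE32+ image with 2 sections.
func SampleImage() []byte {
	img := make([]byte, 0x40+4+20)
	copy(img, "MZ")
	binary.LittleEndian.PutUint32(img[0x3c:], 0x40)
	copy(img[0x40:], "PE\x00\x00")
	binary.LittleEndian.PutUint16(img[0x44:], 0x8664) // IMAGE_FILE_MACHINE_AMD64
	binary.LittleEndian.PutUint16(img[0x46:], 2)      // NumberOfSections
	binary.LittleEndian.PutUint16(img[0x54:], 240)    // SizeOfOptionalHeader, PE32+ size
	binary.LittleEndian.PutUint16(img[0x56:], 0x0022) // EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
	return img
}

func main() {
	h, err := ParseCoffHeader(SampleImage())
	fmt.Printf("%+v err=%v\n", h, err)
}
```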