Support for PE COFF (.exe, .dll, .scr, etc Windows binaries) format ?

[59e5aaf4]

What version are you using (fq -v)?

$ fq -v
0.0.9 (linux amd64)

How was fq installed?

Downloaded from https://github.com/wader/fq/releases as that old ubuntu20 doesn't have packages.

Can you reproduce the problem using the latest release or master branch?

I believe it was.

What did you do?

I did just run fq . file.exe and turns out fq doens't know about PE files ! :D

$ fq . cobalt-strike-sample.exe 
error: cobalt-strike-sample.exe: probe: failed to decode (try -d FORMAT)
$ fq . -d raw cobalt-strike-sample.exe 
       |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.{}: cobalt-strike-sample.exe (raw)
0x00000|4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00|MZ..............|  unknown0: raw bits
*      |until 0x4e1ff.7 (end) (320000)                 |                |

What result did you expect?

I did expect some knowledge of the PE format, but I understand that parsing PE files isn't simple as there are edge cases and ahem implementation details.

• https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2011/BH_US_11_VuksanPericin_PECOFF_WP.pdf

But if you lads have already implemented ELF then it shouldn't be unreachable to get PE COFF implemented ?

What did you see instead?

No knowledge of the PE/COFF format.

$ fq . cobalt-strike-sample.exe 
error: cobalt-strike-sample.exe: probe: failed to decode (try -d FORMAT)
$ fq . -d raw cobalt-strike-sample.exe 
       |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.{}: cobalt-strike-sample.exe (raw)
0x00000|4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00|MZ..............|  unknown0: raw bits
*      |until 0x4e1ff.7 (end) (320000)                 |                |

Further reading

• https://learn.microsoft.com/en-us/windows/win32/debug/pe-format
• https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2011/BH_US_11_VuksanPericin_PECOFF_WP.pdf
• https://en.wikipedia.org/wiki/Portable_Executable
• https://justine.lol/ape.html & https://github.com/jart/cosmopolitan

Thanks a lot for reading, cheers !

[wader]

Hey, thanks for all the references. Yes PE COFF would be a great addition and should be no problem decoding-wise. And as you noted is probably not that different from ELF and Macho that fq already has some support for. It's mostly a matter of someone taking the time to do it.

Is it something you would like to help out with? At the moment the spare time I have for fq will probably be spent on some other things, so might take some time until i get to it, but who knows :). But i'm more than willing to guide and help out.

[59e5aaf4]

Ah, I'd love to do so, as writing PE parsers is part of these days hackers rite of passage, but my company isn't ok with me working on FLOSS software (I swear that pypcapkit commit isn't mine), and more importantly I have malware running in my infra right now, no time to invest in anything else than decoding cobalt strike configurations :D

If I get some energy outside of my work hours for computers I might get excited and do that. But so far hachoir being unusable, and kaitaistruct not well interoperable, I usually end up using Quarkslab's excellent "lief" project which does everything I need https://lief-project.github.io/ .

Best regards,

[wader]

I see, no worries. Thanks again for more tools, usually many specs and tools to cross reference usually speeds up writing a decoder a lot.

Let's keep in sync in this issue and good luck with the malware!

[wader]

Did an initial draft that might be good starting point for someone #443