3 versions

| Version | Date |
|---|---|
| 0.1.2 | April 12, 2024 |
| 0.1.1 | December 29, 2023 |
| 0.1.0 | August 8, 2023 |
#926 in Parser implementations
150KB
3K SLoC
RPECLI
RPECLI is a fast, cross-platform tool written in Rust, intended as a replacement for pecli. While pecli is an excellent tool, it relies on pefile, which is slow to load PE executables, especially when processing a large number of them.
The project currently depends on the exe library, which was created for malware parsing.
It also exposes the parsed data through a library so you can use it in your own projects. Some commands can additionally output their results as a JSON string for you to parse.
Usage
```
Rust cli tool to parse PE files

This tool is still under development.
Some of the commands have a `--json` argument that outputs the result as a JSON string.
Try "rpecli COMMAND --help" to show help for a specific command.
Certain commands support multiple PE files as arguments and will compare them if you give multiple PE files.

Usage: rpecli [OPTIONS] <COMMAND>

Commands:
  info           Print all available information
  import-export  Print both import and exports
  import         Print imports
  export         Print exports
  rich           Rich headers
  rsrc           Print or dump resources
  sig            Print authenticode signature
  disass         Disassemble section
  strings        Print strings
  test           Test command for development
  help           Print this message or the help of the given subcommand(s)

Options:
  -n, --no-hash  Do not compute any hashes when reading PE file. (Enabling this option should greatly improve performance)
  -h, --help     Print help
  -V, --version  Print version
```
```
rpecli export --json sample
```
```json
{
  "characteristics": 0,
  "major_version": 0,
  "minor_version": 0,
  "name": "Qt5Widgets.dll",
  "base": 1,
  "number_of_functions": 8990,
  "number_of_names": 8990,
  "address_of_functions": 3557432,
  "address_of_names": 3593392,
  "address_of_names_ordinals": 3629352,
  "timestamp": 4294967295,
  "entries": [
    {
      "name": "??0QAbstractButton@@IAE@AAVQAbstractButtonPrivate@@PAVQWidget@@@Z",
      "ordinal": 1,
      "rva": 775280,
      "forwarded_name": null
    },
    {
      "name": "??0QAbstractButton@@QAE@PAVQWidget@@@Z",
      "ordinal": 2,
      "rva": 775344,
      "forwarded_name": null
    },
    {
      "name": "??0QAbstractGraphicsShapeItem@@IAE@AAVQAbstractGraphicsShapeItemPrivate@@PAVQGraphicsItem@@@Z",
      "ordinal": 3,
      "rva": 2341920,
      "forwarded_name": null
    },
    ...
  ]
}
```
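The help text notes that some commands compare several PE files, and the `--json` output makes that easy to automate. The following Python script is an added example, not code from the rpecli project: it diffs two `export --json` documents of the shape shown above (key names taken from that sample) to flag exports that vanished, appeared, moved, or were turned into forwarders, which is a quick way to check whether a DLL on disk still matches a known-good copy. Both input documents are constructed for illustration.

```python
import json

# Constructed sample: export table of a known-good copy of a DLL, in the
# shape rpecli's `export --json` prints (keys as on the page).
KNOWN_GOOD = json.loads("""{
  "name": "sample.dll", "base": 1, "timestamp": 4294967295,
  "number_of_functions": 3, "number_of_names": 3, "entries": [
    {"name": "InitLib", "ordinal": 1, "rva": 4096, "forwarded_name": null},
    {"name": "DoWork",  "ordinal": 2, "rva": 4160, "forwarded_name": null},
    {"name": "Cleanup", "ordinal": 3, "rva": 4224, "forwarded_name": null}]}""")

# Constructed sample: a copy found on disk whose exports no longer match.
SUSPECT = json.loads("""{
  "name": "sample.dll", "base": 1, "timestamp": 1712000000,
  "number_of_functions": 3, "number_of_names": 3, "entries": [
    {"name": "InitLib", "ordinal": 1, "rva": 0, "forwarded_name": "orig_sample.InitLib"},
    {"name": "DoWork",  "ordinal": 2, "rva": 0, "forwarded_name": "orig_sample.DoWork"},
    {"name": "Extra",   "ordinal": 3, "rva": 4224, "forwarded_name": null}]}""")


def index_exports(doc):
    """Key each entry by name, falling back to '#ordinal' for nameless exports."""
    return {e.get("name") or f"#{e['ordinal']}": e for e in doc["entries"]}


def diff_exports(good, suspect):
    """Report how the export table in `suspect` deviates from `good`."""
    g, s = index_exports(good), index_exports(suspect)
    report = {
        "missing": sorted(set(g) - set(s)),    # exports the good copy had
        "added": sorted(set(s) - set(g)),      # exports only the suspect has
        "newly_forwarded": [],                 # now resolved through another DLL
        "rva_changed": [],                     # same name, code moved
        "timestamp_changed": good["timestamp"] != suspect["timestamp"],
    }
    for name in sorted(set(g) & set(s)):
        fwd = s[name].get("forwarded_name")
        if fwd and fwd != g[name].get("forwarded_name"):
            report["newly_forwarded"].append((name, fwd))
        elif g[name]["rva"] != s[name]["rva"]:
            report["rva_changed"].append(name)
    return report


def is_suspicious(report):
    """Any structural change to the export table deserves a closer look."""
    keys = ("missing", "added", "newly_forwarded", "rva_changed")
    return any(report[k] for k in keys)
```

Feed it the output of `rpecli export --json` for a reference copy and for the file under review; a timestamp change alone is expected after a legitimate rebuild, which is why it is reported separately from the structural findings.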
```
.\rpecli kernel32.dll
Metadata:
================================================================================
MD5    : e44c6872f7e2dade42e472b2c062c7b0
SHA1   : cc2fcdf6b747943c196d49f7ed55d308d7ef4d9b
SHA256 : 03bf2226a8cf553fd2a0f22a9f27c3f0f0ec3e99aa061f7219821caa4142c175
Size: 772.1 KiB (790616 bytes)
Type: X64 DLL
Compile Time: 2066-08-28 19:59:40 (Timestamp: 3050251180 (0xb5cf23ac))
Subsystem: WindowsCUI
Entrypoint: 0x15640 => .text

Code at entrypoint:
================================================================================
48895C2408   mov [rsp+8],rbx
57           push rdi
4883EC20     sub rsp,20h
8BFA         mov edi,edx
488BD9       mov rbx,rcx
BA01000000   mov edx,1
3BFA         cmp edi,edx
7505         jne short 000000000000001Dh
E817D80000   call 000000000000D834h
8BD7         mov edx,edi

Signature:
================================================================================
Signature 0:
  Signature digest: 852fb691ec19bd403547973f1a963fc17fee2376c25a2590427de1705bc8cfec
  Signer:
    Issuer: C=US,STATEORPROVINCENAME=Washington,L=Redmond,O=Microsoft Corporation,CN=Microsoft Windows Production PCA 2011
    Serial number: 33:00:00:04:0C:12:00:67:8B:16:B2:65:DB:00:00:00:00:04:0C
  Certificate 0:
    Issuer: C=US,STATEORPROVINCENAME=Washington,L=Redmond,O=Microsoft Corporation,CN=Microsoft Windows Production PCA 2011
    Subject: C=US,STATEORPROVINCENAME=Washington,L=Redmond,O=Microsoft Corporation,CN=Microsoft Windows
    Serial number: 33:00:00:04:0C:12:00:67:8B:16:B2:65:DB:00:00:00:00:04:0C
  Certificate 1:
    Issuer: C=US,STATEORPROVINCENAME=Washington,L=Redmond,O=Microsoft Corporation,CN=Microsoft Root Certificate Authority 2010
    Subject: C=US,STATEORPROVINCENAME=Washington,L=Redmond,O=Microsoft Corporation,CN=Microsoft Windows Production PCA 2011
    Serial number: 61:07:76:56:00:00:00:00:00:08

Rich headers:
================================================================================
Product Name      Build  Product ID  Count  Guessed Visual Studio version
Implib1400        29395  257         4      Visual Studio 2015 14.00
Implib900         30729  147         201    Visual Studio 2008 09.00
Import0           0      1           1332   Visual Studio
Utc1900_C         29395  260         10     Visual Studio 2015 14.00
Export1400        29395  256         1      Visual Studio 2015 14.00
Masm1400          29395  259         5      Visual Studio 2015 14.00
Utc1900_POGO_O_C  29395  269         207    UNKN
Cvtres1400        29395  255         1      Visual Studio 2015 14.00
Linker1400        29395  258         1      Visual Studio 2015 14.00

Sections:
================================================================================
Name    VirtAddr  VirtSize  RawAddr  RawSize  Entropy  md5                               Characteristics
.text   0x1000    0x7de27   0x1000   0x7e000  6.39     e64217696a3b17b4d623e585246a0d66  60000020 (CNT_CODE | MEM_EXECUTE | MEM_READ)
.rdata  0x7f000   0x337b4   0x7f000  0x34000  5.62     78058c4b075118a4e2f44f428859761a  40000040 (CNT_INITIALIZED_DATA | MEM_READ)
.data   0xb3000   0x12e4    0xb3000  0x1000   1.17     55b8682f534b352b31d73ad57bbcef5d  C0000040 (CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE)
.pdata  0xb5000   0x5544    0xb4000  0x6000   5.43     91c69814336303f6adff1de3999a993f  40000040 (CNT_INITIALIZED_DATA | MEM_READ)
.didat  0xbb000   0xa8      0xba000  0x1000   0.23     302f288de68cff124618438bb2d632cf  C0000040 (CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE)
.rsrc   0xbc000   0x520     0xbb000  0x1000   1.32     d58796bd5bf9664ed21be9166aab39fd  40000040 (CNT_INITIALIZED_DATA | MEM_READ)
.reloc  0xbd000   0x348     0xbc000  0x1000   1.74     82affef2f6f4f8f22ad4f220b1b7a7c6  42000040 (CNT_INITIALIZED_DATA | MEM_DISCARDABLE | MEM_READ)

Imports:
================================================================================
api-ms-win-core-rtlsupport-l1-1-0.dll
    RtlCompareMemory
    RtlDeleteFunctionTable
[SNIP]
api-ms-win-core-appcompat-l1-1-1.dll
    BaseReadAppCompatDataForProcess
    BaseFreeAppCompatDataForProcess
imphash: 5529a33510d7fd9c2cfa748e0d102653

Exports:
================================================================================
"KERNEL32.dll" => 1657 exported function(s)
    1     AcquireSRWLockExclusive (Forwarded export)
[SNIP]
    1657  uaw_wcsrchr
exphash: 4ca79cdc84d990b7803d389563eba24a
Export timestamp: 2066-08-28 19:59:40 (Timestamp: 3050251180 (0xb5cf23ac))

Debug info:
================================================================================
Entry 1:
  Type      : Codeview
  Timestamp : 2066-08-28 19:59:40 (Timestamp: 3050251180 (0xb5cf23ac))
  CodeView (v70)
    Signature    : {12950B30-DA44-7427-C06E-E816EFA3EBC6}
    Age          : 1
    PDB filename : "kernel32.pdb"
Entry 2:
  Type      : Pogo
  Timestamp : 2066-08-28 19:59:40 (Timestamp: 3050251180 (0xb5cf23ac))
  PGO:
    0x001000 ".text$lp00kernel32.dll!20_pri7" (size : 0xb10)
    0x001b10 ".text$lp01kernel32.dll!20_pri7" (size : 0x1f040)
    [SNIP]
    0x0bc000 ".rsrc$01" (size : 0xb0)
    0x0bc0b0 ".rsrc$02" (size : 0x470)
Entry 3:
  Type      : Repro
  Timestamp : 2066-08-28 19:59:40 (Timestamp: 3050251180 (0xb5cf23ac))
  Entry of type Repro is not supported for display
Entry 4:
  Type      : ExDllCharacteristics
  Timestamp : 2066-08-28 19:59:40 (Timestamp: 3050251180 (0xb5cf23ac))
  Entry of type ExDllCharacteristics is not supported for display

Resources:
================================================================================
Name     Offset  RSRC ID  Lang ID   MD5
MUI      80      ID(1)    ID(1033)  fbaf48ec981a5eecdb57b929fdd426e8
Version  90      ID(1)    ID(1033)  3a1682660ad485730c4987c23ab5fdd7

TLS callbacks:
================================================================================
No TLS callback directory
```
Build
```
cargo build --release
```
Install
```
cargo install rpecli
```
or, from a local checkout:
```
cargo install --path .
```
TODO
- Refactor some parts
Internals
Speed and modularity were the key considerations when this tool was created. It is designed to expose an interface that lets users swap the PE parsing backend as needed. The default backend is the exe library, which specialises in parsing PE malware.
Note that the feature allowing the backend to be customised is not available yet.
Thanks
This project uses code from the following projects
Dependencies
~26–36MB
~598K SLoC