## -*- coding: utf-8 -*-
##
##  Jonathan Salwan - 2014-05-12 - ROPgadget tool
##
##  http://twitter.com/JonathanSalwan
##  http://shell-storm.org/project/ROPgadget/
##

from capstone import *
from ctypes import *
from struct import unpack
from binascii import unhexlify


class PEFlags(object):
    """Numeric constants used while interpreting PE headers."""

    # Machine identifiers; presumably compared against
    # IMAGE_FILE_HEADER.Machine by code outside this excerpt.
    IMAGE_MACHINE_INTEL_386 = 0x014c
    IMAGE_MACHINE_AMD_8664 = 0x8664
    IMAGE_FILE_MACHINE_ARM = 0x1c0
    IMAGE_FILE_MACHINE_ARMV7 = 0x1c4

    # Optional-header Magic values; presumably used to choose between
    # IMAGE_OPTIONAL_HEADER and IMAGE_OPTIONAL_HEADER64 -- confirm in the parser.
    IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10b
    IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20b

    # Element count of the IMAGE_SECTION_HEADER.Name byte array.
    IMAGE_SIZEOF_SHORT_NAME = 0x8


class IMAGE_FILE_HEADER(Structure):
    """ctypes layout for the file header as this module reads it.

    NOTE(review): the leading 4-byte ``Magic`` field is not a member of the
    COFF file header in the PE specification; presumably it absorbs the
    4-byte PE signature so the structure can be read starting at the PE
    offset -- confirm against the header-parsing code, which is outside this
    excerpt.
    """
    _fields_ = [
        ("Magic", c_uint),
        ("Machine", c_ushort),
        ("NumberOfSections", c_ushort),
        ("TimeDateStamp", c_uint),
        ("PointerToSymbolTable", c_uint),
        ("NumberOfSymbols", c_uint),
        ("SizeOfOptionalHeader", c_ushort),
        ("Characteristics", c_ushort)
    ]


class IMAGE_OPTIONAL_HEADER(Structure):
    """ctypes layout of the 32-bit optional header.

    Has ``BaseOfData`` and 32-bit ``ImageBase`` and stack/heap sizes. The
    structure ends at ``NumberOfRvaAndSizes``; no data-directory entries are
    declared here.
    """
    _fields_ = [
        ("Magic", c_ushort),
        ("MajorLinkerVersion", c_ubyte),
        ("MinorLinkerVersion", c_ubyte),
        ("SizeOfCode", c_uint),
        ("SizeOfInitializedData", c_uint),
        ("SizeOfUninitializedData", c_uint),
        ("AddressOfEntryPoint", c_uint),
        ("BaseOfCode", c_uint),
        ("BaseOfData", c_uint),
        ("ImageBase", c_uint),
        ("SectionAlignment", c_uint),
        ("FileAlignment", c_uint),
        ("MajorOperatingSystemVersion", c_ushort),
        ("MinorOperatingSystemVersion", c_ushort),
        ("MajorImageVersion", c_ushort),
        ("MinorImageVersion", c_ushort),
        ("MajorSubsystemVersion", c_ushort),
        ("MinorSubsystemVersion", c_ushort),
        ("Win32VersionValue", c_uint),
        ("SizeOfImage", c_uint),
        ("SizeOfHeaders", c_uint),
        ("CheckSum", c_uint),
        ("Subsystem", c_ushort),
        ("DllCharacteristics", c_ushort),
        ("SizeOfStackReserve", c_uint),
        ("SizeOfStackCommit", c_uint),
        ("SizeOfHeapReserve", c_uint),
        ("SizeOfHeapCommit", c_uint),
        ("LoaderFlags", c_uint),
        ("NumberOfRvaAndSizes", c_uint)
    ]


class IMAGE_OPTIONAL_HEADER64(Structure):
    """ctypes layout of the 64-bit optional header.

    Differs from IMAGE_OPTIONAL_HEADER in that ``BaseOfData`` is absent and
    ``ImageBase`` plus the four stack/heap size fields are 64-bit. The
    structure ends at ``NumberOfRvaAndSizes``; no data-directory entries are
    declared here.
    """
    _fields_ = [
        ("Magic", c_ushort),
        ("MajorLinkerVersion", c_ubyte),
        ("MinorLinkerVersion", c_ubyte),
        ("SizeOfCode", c_uint),
        ("SizeOfInitializedData", c_uint),
        ("SizeOfUninitializedData", c_uint),
        ("AddressOfEntryPoint", c_uint),
        ("BaseOfCode", c_uint),
        ("ImageBase", c_ulonglong),
        ("SectionAlignment", c_uint),
        ("FileAlignment", c_uint),
        ("MajorOperatingSystemVersion", c_ushort),
        ("MinorOperatingSystemVersion", c_ushort),
        ("MajorImageVersion", c_ushort),
        ("MinorImageVersion", c_ushort),
        ("MajorSubsystemVersion", c_ushort),
        ("MinorSubsystemVersion", c_ushort),
        ("Win32VersionValue", c_uint),
        ("SizeOfImage", c_uint),
        ("SizeOfHeaders", c_uint),
        ("CheckSum", c_uint),
        ("Subsystem", c_ushort),
        ("DllCharacteristics", c_ushort),
        ("SizeOfStackReserve", c_ulonglong),
        ("SizeOfStackCommit", c_ulonglong),
        ("SizeOfHeapReserve", c_ulonglong),
        ("SizeOfHeapCommit", c_ulonglong),
        ("LoaderFlags", c_uint),
        ("NumberOfRvaAndSizes", c_uint)
    ]


class IMAGE_NT_HEADERS(Structure):
    """Composite of a signature, the file header and the 32-bit optional header.

    NOTE(review): IMAGE_FILE_HEADER as declared in this file already starts
    with a 4-byte field, so this composite carries two 4-byte fields ahead of
    ``Machine``. Whether and how it is mapped onto file bytes is not visible
    in this excerpt -- confirm before relying on its offsets.
    """
    _fields_ = [
        ("Signature", c_uint),
        ("FileHeader", IMAGE_FILE_HEADER),
        ("OptionalHeader", IMAGE_OPTIONAL_HEADER)
    ]


class IMAGE_NT_HEADERS64(Structure):
    """Composite of a signature, the file header and the 64-bit optional header.

    NOTE(review): no ``_pack_`` is set, so ctypes applies native alignment;
    the 8-byte members of the embedded optional header may cause padding to
    be inserted before ``OptionalHeader``. Check ``sizeof`` and the field
    offsets before mapping this composite onto raw file bytes. The remark on
    IMAGE_NT_HEADERS about the doubled leading 4-byte field applies here too.
    """
    _fields_ = [
        ("Signature", c_uint),
        ("FileHeader", IMAGE_FILE_HEADER),
        ("OptionalHeader", IMAGE_OPTIONAL_HEADER64)
    ]


class IMAGE_SECTION_HEADER(Structure):
    """ctypes layout of one section-table entry.

    ``Name`` is a fixed array of PEFlags.IMAGE_SIZEOF_SHORT_NAME bytes, not a
    Python string. ``PhysicalAddress`` occupies the slot that the PE
    specification defines as a union with ``VirtualSize``.
    """
    _fields_ = [
        ("Name", c_ubyte * PEFlags.IMAGE_SIZEOF_SHORT_NAME),
        ("PhysicalAddress", c_uint),
        ("VirtualAddress", c_uint),
        ("SizeOfRawData", c_uint),
        ("PointerToRawData", c_uint),
        ("PointerToRelocations", c_uint),
        ("PointerToLinenumbers", c_uint),
        ("NumberOfRelocations", c_ushort),
        ("NumberOfLinenumbers", c_ushort),
        ("Characteristics", c_uint)
    ]


""" This class parses the PE format """
class PE(object):
    """Parser for a PE image held in memory.

    All parsing happens in the constructor. Every offset, count and size that
    the parsing helpers read comes from the file itself, so for a binary of
    unknown origin those values are not trustworthy. The helpers are outside
    this excerpt; whether they bounds-check against the buffer length cannot
    be confirmed from here -- TODO verify.
    """

    def __init__(self, binary):
        """Store the image and run the four parsing steps in order.

        Args:
            binary: contents of the file to parse; presumably the raw bytes
                read from disk -- confirm against the caller.

        Any exception raised by a parsing step propagates out of the
        constructor, since none is caught here.
        """
        # bytearray() gives this object its own mutable copy of the input.
        self.__binary = bytearray(binary)
        # Placeholder values; the parsing helpers called below are expected
        # to fill these in (their bodies are not visible in this excerpt).
        self.__PEOffset = 0x00000000
        self.__IMAGE_FILE_HEADER = None
        self.__IMAGE_OPTIONAL_HEADER = None
        self.__sections_l = []
        # Order matters: the PE offset is obtained first, then the header
        # steps run; presumably each step depends on the previous one.
        self.__getPEOffset()
        self.__parsePEHeader()
        self.__parseOptHeader()
        self.__parseSections()

    def __getPEOffset(self):
        self.__PEOffset = unpack("