
Would PE-COFF be considered?

Open lygstate opened this issue 6 years ago • 12 comments

lygstate avatar Aug 25 '18 10:08 lygstate

Yes, PE-COFF support is something that people have been thinking about, as can be seen in some comments.

sunfishcode avatar Aug 25 '18 15:08 sunfishcode

@lygstate I would love to add PE-COFF! I meant to add one, but I simply don't have the bandwidth at the moment.

Note, I would prefer to do this in a principled manner, and have goblin add the scroll based writers for the various structs (this shouldn't be hard itself, just tedious).

This commit is an example of adding the TryIntoCtx for some mach structs: https://github.com/m4b/goblin/commit/0a6a54ba2392cba5feb54faf362ce978577c0236#diff-df15384869d381a0999884ce946dda88R237

So two things need to be done:

  1. Determine which structs are used in a PE object file (I'm sure we can find documentation somewhere), and implement TryIntoCtx in goblin for those structs.
  2. The fun (but harder part), add a PE object file backend, by writing out the object file in the correct order, with symbols, etc. If we've architected the abstract artifact layer properly, it shouldn't require any changes at all, but one can simply turn on PE object file backend by just adding the backend :)

So for 1., I or probably anyone in goblin repo (@philipc, @willglynn) can give guidance on proper implementations there; even just a PR adding them would get the ball rolling. Writing implementations never really hurts :)

For 2., I don't know much about PE object file formats, but it shouldn't be too bad. Maybe @sunfishcode can help, or @tathanhdinh, who has been doing a lot of great work on PE stuff lately in goblin repo, could help or add pointers, etc.

I'd also highly recommend a workflow like:

#include<stdio.h>
int main() {
  printf("Hello, world\n");
  return 0;
}

and then using clang -I/usr/include -c -target x86_64-windows-windows-msvc hello.c, and then comparing clang's output with faerie's prototype output (you'll need to add a new --pe target, etc.), by running in faerie repo with something like: cargo run -- --pe pe.o

Rustc also has a nice cross compilation situation, so a simple hello.rs with rustc --emit=obj --target x86_64-pc-windows-msvc hello.rs should also give you some good comparisons (though rustc's object file will be more complicated).

m4b avatar Aug 25 '18 18:08 m4b
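As an added illustration of step 1 above (not code from faerie or goblin), here is the first struct a PE object file backend has to emit, the 20-byte COFF file header, written and read back with std only; goblin would express the same layout through scroll's TryIntoCtx/TryFromCtx, and the field order and sizes are those of IMAGE_FILE_HEADER in the PE-COFF specification. The struct and constant names are this example's own.

```rust
// Added example, not goblin/faerie code: the COFF file header (IMAGE_FILE_HEADER)
// serialized by hand; goblin would do the same via scroll's TryIntoCtx/TryFromCtx.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct CoffHeader {
    pub machine: u16,
    pub number_of_sections: u16,
    pub time_date_stamp: u32,
    pub pointer_to_symbol_table: u32,
    pub number_of_symbols: u32,
    pub size_of_optional_header: u16, // always 0 for a relocatable object file
    pub characteristics: u16,
}

pub const IMAGE_FILE_MACHINE_AMD64: u16 = 0x8664;
pub const COFF_HEADER_SIZE: usize = 20;

impl CoffHeader {
    /// Serialize into `buf` (little-endian), returning the number of bytes written.
    pub fn write_into(&self, buf: &mut [u8]) -> Result<usize, &'static str> {
        if buf.len() < COFF_HEADER_SIZE { return Err("buffer too small for COFF header"); }
        buf[0..2].copy_from_slice(&self.machine.to_le_bytes());
        buf[2..4].copy_from_slice(&self.number_of_sections.to_le_bytes());
        buf[4..8].copy_from_slice(&self.time_date_stamp.to_le_bytes());
        buf[8..12].copy_from_slice(&self.pointer_to_symbol_table.to_le_bytes());
        buf[12..16].copy_from_slice(&self.number_of_symbols.to_le_bytes());
        buf[16..18].copy_from_slice(&self.size_of_optional_header.to_le_bytes());
        buf[18..20].copy_from_slice(&self.characteristics.to_le_bytes());
        Ok(COFF_HEADER_SIZE)
    }

    /// Parse the header at the start of `buf` (e.g. a clang-produced .o for the
    /// comparison workflow above); truncated input is an error, not a panic.
    pub fn parse(buf: &[u8]) -> Result<CoffHeader, &'static str> {
        if buf.len() < COFF_HEADER_SIZE { return Err("truncated COFF header"); }
        let u16_at = |o: usize| u16::from_le_bytes([buf[o], buf[o + 1]]);
        let u32_at = |o: usize| u32::from_le_bytes([buf[o], buf[o + 1], buf[o + 2], buf[o + 3]]);
        Ok(CoffHeader {
            machine: u16_at(0),
            number_of_sections: u16_at(2),
            time_date_stamp: u32_at(4),
            pointer_to_symbol_table: u32_at(8),
            number_of_symbols: u32_at(12),
            size_of_optional_header: u16_at(16),
            characteristics: u16_at(18),
        })
    }
}
```

Running `parse` over the first 20 bytes of clang's hello.o and over faerie's prototype output gives a field-by-field diff of the header before moving on to section headers and the symbol table.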

Anyone working on this might want to buy the usual reversing tools.

skull-squadron avatar Feb 02 '19 07:02 skull-squadron

I am working on the goblin support for this.

philipc avatar Apr 21 '19 08:04 philipc