PE binaries should be handled as 'fat' binaries

Open radare opened this issue 11 years ago • 8 comments

They can contain a DOS program, a Windows one and a .NET runtime. Each code is located at a different range.

r2 -A .net hello.exe  -> -a msil -b 32/64
r2 -A pe hello.exe -> -a x86/arm -b 32/64
r2 -A dos hello.exe -> -a x86 -b 16  # MZ

Default loaded subbin should be the newest (.net > win > dos) https://github.com/VirusTotal/yara/blob/master/libyara/modules/dotnet.c

radare avatar Feb 26 '14 00:02 radare
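
As an added illustration (not radare2 code and not part of the original issue), a header-only check for the three layers described above and the proposed default order. The names `sub_binaries`, `default_subbin` and `build_sample` are hypothetical, and the sample bytes are constructed.

```python
import struct

PRIORITY = ("dotnet", "pe", "dos")  # newest first, the default proposed in the issue
CLR_DIR = 14  # data directory index of the CLR runtime header

def sub_binaries(data: bytes) -> list:
    """Return which of dos / pe / dotnet the headers of `data` declare."""
    found = []
    if len(data) < 0x40 or data[:2] != b"MZ":
        return found
    found.append("dos")  # every PE starts with an MZ header and DOS stub
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need the PE signature, the 20-byte COFF header and the 2-byte magic.
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return found
    found.append("pe")
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24  # optional header follows the COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    dirs = {0x10B: 96, 0x20B: 112}.get(magic)  # PE32 / PE32+ directory offset
    if dirs is None:
        return found
    entry = opt + dirs + 8 * CLR_DIR
    # Never read past SizeOfOptionalHeader or the end of a truncated file.
    if dirs + 8 * (CLR_DIR + 1) > opt_size or entry + 8 > len(data):
        return found
    (count,) = struct.unpack_from("<I", data, opt + dirs - 4)  # NumberOfRvaAndSizes
    rva, size = struct.unpack_from("<II", data, entry)
    if count > CLR_DIR and rva and size:
        found.append("dotnet")
    return found

def default_subbin(data: bytes):
    found = sub_binaries(data)
    return next((kind for kind in PRIORITY if kind in found), None)

def build_sample(clr=(0x2008, 0x48)) -> bytes:
    """Constructed PE32 headers only (not a loadable executable)."""
    opt = bytearray(96 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * CLR_DIR, *clr)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(sub_binaries(build_sample()), default_subbin(build_sample()))
```
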

@radare isn't this already done?

XVilka avatar Oct 28 '15 13:10 XVilka

nope, this is not done yet.

radare avatar Oct 28 '15 13:10 radare

I am working on this

lionaneesh avatar Mar 13 '16 21:03 lionaneesh

👍

On 13 Mar 2016, at 22:21, Aneesh Dogra wrote:

I am interested in working on this.


radare avatar Mar 13 '16 22:03 radare

Here is a good binary example for that: (waiting for the end of the CTF)

Maijin avatar Nov 02 '16 21:11 Maijin

Ok here is the bin:

CHIMERA.ZIP

Maijin avatar Nov 07 '16 12:11 Maijin

@xarkes for you to think, what part can be done during GSoC, if possible, or not. Depending on how many changes are needed.

XVilka avatar Jul 04 '17 04:07 XVilka

See https://github.com/radare/radare2/pull/10835

Maijin avatar Aug 01 '18 10:08 Maijin