Commit
Showing 1 changed file with 75 additions and 0 deletions.
@@ -0,0 +1,75 @@ | ||
 | ||
|
||
# pei - PE Injector | ||
Command-line tool for inject code and manipulate PE32 (32-bit) and PE32+ (64-bit) executables. | ||
|
||
With `pei` you can: | ||
- Display informations about the executable like COFF header, sections and more. | ||
- Get individual values from fields of the headers to manipulate the values by scripts. Example: | ||
`pei get test.exe optional.entry_point '0x%x'` - Will print `0x12345` | ||
- Manipulate memory access permissions to sections of the executable. | ||
- Find zeroed blocks of data on the sections of the executable. | ||
- Inject code to be executed before the OEP of the executable. | ||
|
||
## Compilation | ||
Just run the commands below to compile the project: | ||
```bash | ||
git clone https://github.com/Silva97/pei | ||
cd pei | ||
make | ||
``` | ||
|
||
Done! `pei` has no dependencies other than libc. | ||
|
||
# How it injects code | ||
With `pei` you can specify the section to inject the code or leave the tool to select the | ||
section with the biggest zeroed block of data. You can run `pei z test.exe` to gets a list of | ||
blocks from all sections of the executable. | ||
The entry point of the executable will be updated to point the injected code, and at end of the | ||
code a [absolute jump] to OEP (Original Entry Point) will be added. | ||
|
||
**Note**: After `pei` writes the code on the section, these as been marked with permission to | ||
execute code and the dynamic base of the executable will be disabled. | ||
|
||
# Basic Usage | ||
```bash | ||
pei [options] <operation> <executable> [argument] | ||
``` | ||
|
||
| Argument | Descrption | | ||
| :----------: | :--------------------------------------------------------------- | | ||
| `operation` | First letter or full name of the operation to do with executable | | ||
| `executable` | PE32 or PE32+ executable | | ||
|
||
**Note**: You can run `pei -h` to get full help about usage of the tool. | ||
|
||
|
||
|
||
### Examples | ||
```bash | ||
pei s test.exe # Show general informations about the executable | ||
pei -vs0 s test.exe s # Show first section in verbose mode | ||
pei s test.exe d # Show all data directories | ||
pei s test.exe gc # Show general informations and COFF header | ||
|
||
pei g test.exe optional.entry_point '%x' # Entrypoint in hexadecimal | ||
pei g test.exe optional.iat.virtual_address '%x' # Virtual address of IAT structure | ||
pei g test.exe section.0.name '%s' # Name of the first section | ||
|
||
# Inject code from `payload` raw binary file to `test.exe` entry point | ||
pei -f payload i test.exe | ||
``` | ||
|
||
**Tip 1**: For see the name of the fields to use with `get` operation, just use `show` operation | ||
to see all fields of the given structure. Example: | ||
|
||
```bash | ||
pei show test.exe o | ||
``` | ||
|
||
After run the command above, you can see all (except data directories) fields of the optional header. | ||
|
||
**Tip 2**: Remember that the data directories are in the optional header. | ||
|
||
|
||
[absolute jump]: https://en.wikipedia.org/wiki/JMP_(x86_instruction) |
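Review bot: the **Note** under "How it injects code" says the target section is marked executable and the dynamic base flag is disabled, but it gives neither the reason nor the consequence; please document that clearing dynamic base turns off ASLR for the patched executable (presumably because the trailing absolute jump to the OEP would otherwise need a relocation when the image base moves) and that the section holding the injected code remains executable afterwards, so readers understand the output binary has weaker mitigations than the input and can see why security tooling may flag it. The "Basic Usage" table lists only `operation` and `executable` while the synopsis shows `[options]` and `[argument]`; add rows for those, and list the options the examples already rely on (`-f <file>` for the payload, `-v` and `-s<n>` in `pei -vs0 s test.exe s`). Minor wording: "Descrption" in the table header should be "Description", "these as been marked" should be "it has been marked", "informations" should be "information", "for inject code and manipulate" should be "for injecting code into and manipulating", and "to gets a list" should be "to get a list".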