Jump to content
Tuts 4 You

PortEx: Library for Static Analysis of PE Files


Struppigel

Recommended Posts

What is PortEx?PortEx is a library aimed at Java developers and reverse engineers. It enables you analyse Portable Executable files (e.g. EXE, DLL files) and has a special focus on malware analysis. In addition to just viewing a lot of file format information it provides tools that help you with reverse engineering or malware analysis.
PortEx is written in Scala and Java.PortEx is free, open source and still in heavy development. Although I made Unit Tests for the most parts of the code there might still be bugs.Features

  • Reading header information from: MSDOS Header, COFF File Header, Optional Header, Section Table
  • Reading standard section formats: Import Section, Resource Section, Export Section, Debug Section, Relocations
  • Dumping of sections, overlay, embedded ZIP, JAR or .class files
  • Scanning for file anomalies, including structural anomalies, deprecated, reserved, wrong or non-default values.
  • Visualize a PE file structure as it is on disk and visualize the local entropies of the file
  • Calculate Shannon Entropy for files and sections
  • Calculate hash values for files and sections
  • Scan for PEiD signatures or your own signature database
  • Scan for Jar to EXE wrapper (e.g. exe4j, jsmooth, jar2exe, launch4j)
  • Extract Unicode and ASCII strings contained in the file
  • Overlay detection and dumping
  • Extraction of ICO files from resource section
  • File scoring based on statistical information

Command Line ToolFor those of you who don't develop but like to use the features: There is a command line tool, which I update regularly.
Download: https://github.com/katjahahn/PortEx/raw/master/progs/PortexAnalyzer.jarUsage:

PortEx Analyzerusage: java -jar PortexAnalyzer.jar -v java -jar PortexAnalyzer.jar -h java -jar PortexAnalyzer.jar [-o <outfile>] [-p <imagefile>] [-i <folder>] <PEfile> -h,--help          show help -v,--version       show version -o,--output        write report to output file -p,--picture       write image representation of the PE to output file -i,--ico           extract all icons from the resource section

Example output of the visualization option -p:


CKTT18O.png


 
Usage Of The Library
 
Including PortEx to a Project:
 
This can be done via Maven:
 

<dependency>   <groupId>com.github.katjahahn</groupId>   <artifactId>portex_2.10</artifactId>   <version>2.0.2</version></dependency> 

 
Or SBT:
 

libraryDependencies += "com.github.katjahahn" % "portex_2.10" % "2.0.2"

Some usage examples:Printing all information of a PE file:
 

File file = new File("filepath");ReportCreator reporter = ReportCreator.newInstance(file);reporter.printReport();

Scanning for PEiD signatures:
 

SignatureScanner scanner = SignatureScanner.getInstance();boolean epOnly = true;File file = new File("pathtofile");List<String> results = scanner.scanAll(file, epOnly);for(String signature : results) {    System.out.println(signature);}

Extraction Icons as .ico file from the resource section of the PE:
 

List<GroupIconResource> grpIcoResources = IconParser.extractGroupIcons(file);int nr = 0;for(GroupIconResource grpIconResource : grpIcoResources) {    nr++;    IcoFile icoFile = grpIconResource.toIcoFile();    File dest = new File("icon" + nr + ".ico");    icoFile.saveTo(dest);    System.out.println("ico file " + dest.getName() + " written");}

For more examples visit the PortEx-Wiki: https://github.com/katjahahn/PortEx/wiki
And look into the documentation: https://katjahahn.github.io/PortEx/javadocs/LicenseApache License, Version 2.0Project PageVisit the Github Repository to stay up-to-date about changes in PortEx.
https://github.com/katjahahn/PortEx

Edited by Struppigel
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...