What version are you using (fq -v)?
$ fq -v
0.0.9 (linux amd64)
How was fq installed?
Downloaded from https://github.com/wader/fq/releases as that old ubuntu20 doesn't have packages.
Can you reproduce the problem using the latest release or master branch?
I believe it was.
What did you do?
I just ran fq . file.exe and it turns out fq doesn't know about PE files! :D
$ fq . cobalt-strike-sample.exe
error: cobalt-strike-sample.exe: probe: failed to decode (try -d FORMAT)
$ fq . -d raw cobalt-strike-sample.exe
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.{}: cobalt-strike-sample.exe (raw)
0x00000|4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00|MZ..............| unknown0: raw bits
* |until 0x4e1ff.7 (end) (320000) | |
What result did you expect?
I did expect some knowledge of the PE format, but I understand that parsing PE files isn't simple, as there are edge cases and, ahem, implementation details.
But if you lads have already implemented ELF, then it shouldn't be unreachable to get PE/COFF implemented?
What did you see instead?
No knowledge of the PE/COFF format.
$ fq . cobalt-strike-sample.exe
error: cobalt-strike-sample.exe: probe: failed to decode (try -d FORMAT)
$ fq . -d raw cobalt-strike-sample.exe
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.{}: cobalt-strike-sample.exe (raw)
0x00000|4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00|MZ..............| unknown0: raw bits
* |until 0x4e1ff.7 (end) (320000) | |
Further reading
- https://learn.microsoft.com/en-us/windows/win32/debug/pe-format
- https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2011/BH_US_11_VuksanPericin_PECOFF_WP.pdf
- https://en.wikipedia.org/wiki/Portable_Executable
- https://justine.lol/ape.html & https://github.com/jart/cosmopolitan
Thanks a lot for reading, cheers!
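As an added example (not fq's code, and not the sample file from this issue), here is the minimal PE/COFF probe in Go that a format such as fq's `probe` would need before a full decoder takes over: it checks the MZ header, follows e_lfanew at offset 0x3c to the "PE\0\0" signature and reads the 20-byte COFF file header, rejecting truncated or non-PE input such as the raw bits in the dump above. The `COFFHeader`, `ProbePE` and `SampleImage` names and the constructed sample bytes are assumptions of this example.

```go
package main
import (
	"encoding/binary"
	"errors"
)

// COFFHeader is the 20-byte IMAGE_FILE_HEADER that follows the "PE\0\0" signature.
type COFFHeader struct {
	Machine, NumberOfSections, SizeOfOptionalHeader, Characteristics uint16
	TimeDateStamp, PointerToSymbolTable, NumberOfSymbols             uint32
}

// ProbePE does the checks a format probe needs: "MZ" at offset 0, e_lfanew (offset 0x3c)
// pointing inside the buffer, "PE\0\0" there, and a complete COFF header after it.
func ProbePE(b []byte) (COFFHeader, error) {
	var h COFFHeader
	if len(b) < 0x40 || b[0] != 'M' || b[1] != 'Z' {
		return h, errors.New("no MZ DOS header")
	}
	peOff := uint64(binary.LittleEndian.Uint32(b[0x3c:])) // e_lfanew
	if peOff+4+20 > uint64(len(b)) {
		return h, errors.New("e_lfanew points past end of file")
	}
	if string(b[peOff:peOff+4]) != "PE\x00\x00" {
		return h, errors.New("no PE signature at e_lfanew")
	}
	c := b[peOff+4:]
	h.Machine = binary.LittleEndian.Uint16(c[0:])
	h.NumberOfSections = binary.LittleEndian.Uint16(c[2:])
	h.TimeDateStamp = binary.LittleEndian.Uint32(c[4:])
	h.PointerToSymbolTable = binary.LittleEndian.Uint32(c[8:])
	h.NumberOfSymbols = binary.LittleEndian.Uint32(c[12:])
	h.SizeOfOptionalHeader = binary.LittleEndian.Uint16(c[16:])
	h.Characteristics = binary.LittleEndian.Uint16(c[18:])
	return h, nil
}

// SampleImage builds a constructed, minimal x86-64 PE header (not the issue's sample file):
// a 64-byte DOS header, then "PE\0\0" and a COFF header. No sections or optional header follow.
func SampleImage() []byte {
	img := make([]byte, 0x40+4+20)
	copy(img, "MZ")
	binary.LittleEndian.PutUint32(img[0x3c:], 0x40) // e_lfanew: PE signature right after DOS header
	copy(img[0x40:], "PE\x00\x00")
	c := img[0x44:]
	binary.LittleEndian.PutUint16(c[0:], 0x8664)  // IMAGE_FILE_MACHINE_AMD64
	binary.LittleEndian.PutUint16(c[2:], 3)       // three sections
	binary.LittleEndian.PutUint16(c[16:], 240)    // PE32+ optional header size
	binary.LittleEndian.PutUint16(c[18:], 0x0022) // EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
	return img
}
```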