hasherezade/libpeconv
GitHub: hasherezade/libpeconv
A C++ library for manually loading, manipulating and dumping PE files on Windows
Stars: 1331 | Forks: 202
# libPeConv
[AppVeyor CI](https://ci.appveyor.com/project/hasherezade/libpeconv) | [Codacy](https://app.codacy.com/gh/hasherezade/libpeconv/dashboard?branch=master) | [Commits](https://github.com/hasherezade/libpeconv/commits) | License: [BSD-2-Clause](https://opensource.org/licenses/BSD-2-Clause) | [Repository](https://github.com/hasherezade/libpeconv)
*A library to load and manipulate PE files.*
### Goal
The goal of libPEConv is to be a "Swiss army knife" for custom loading of PE files. It collects various helper functions that you can quickly integrate into your own loader, for example: remapping sections, applying relocations, loading imports, parsing resources.
It not only allows loading a PE, but also customizing some of the steps: IAT hooking (by supplying a custom IAT resolver) and function redirection. It does **not**, however, focus on inline hooking and should not be confused with libraries such as MS Detours or MinHook.
LibPeConv can be used to create PE binders, since it allows loading a PE directly from a resource and integrating it as native code.
It can also help you dump PEs from memory and rebuild their IATs.
Warning: [applications using MUI](https://github.com/hasherezade/libpeconv/issues/44) are not supported.
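As an added example (not code from libPeConv), two of the loader steps named above, applying base relocations and filling the IAT through a pluggable resolver, carried out in portable C++ over a constructed 64-bit image. It parses the real `IMAGE_BASE_RELOCATION` and `IMAGE_IMPORT_DESCRIPTOR` layouts, but the `Image` struct, the function names, the sample image layout and every address returned by the resolvers are assumptions made for the demonstration; in a real loader the directory RVAs come from the optional header and the default resolver calls `LoadLibrary`/`GetProcAddress`. The hooking resolver shows the idea behind IAT hooking: the import is resolved to a local function instead of the DLL's export, with no patching of code.

```cpp
// Added example (not libPeConv code): a portable model of two loader steps,
// applying base relocations and loading imports through a pluggable resolver.
// Real IMAGE_BASE_RELOCATION / IMAGE_IMPORT_DESCRIPTOR layouts over a
// constructed 64-bit image; all resolver addresses are made up for the demo.
#include <cstdint>
#include <cstring>
#include <functional>
#include <map>
#include <string>
#include <vector>

struct BaseReloc { uint32_t page_rva, block_size; };            // IMAGE_BASE_RELOCATION
struct ImportDesc { uint32_t ilt, stamp, fwd, name_rva, iat; };   // IMAGE_IMPORT_DESCRIPTOR
constexpr uint16_t RELOC_ABSOLUTE = 0, RELOC_DIR64 = 10;          // IMAGE_REL_BASED_*

// A mapped image plus the directory entries a real loader reads from the optional header.
struct Image {
    std::vector<uint8_t> mem;
    uint64_t pref_base;
    uint32_t reloc_rva, reloc_size, import_rva;
};
template <class T> T rd(const Image& img, uint32_t rva) { T v; memcpy(&v, &img.mem[rva], sizeof v); return v; }
template <class T> void wr(Image& img, uint32_t rva, T v) { memcpy(&img.mem[rva], &v, sizeof v); }

// Walk the .reloc blocks and add (new_base - pref_base) to every DIR64 slot.
// Returns the number of patched slots, or -1 on a malformed or unsupported entry.
long apply_relocations(Image& img, uint64_t new_base) {
    const uint64_t delta = new_base - img.pref_base;
    long applied = 0;
    uint32_t off = img.reloc_rva, end = img.reloc_rva + img.reloc_size;
    while (off + sizeof(BaseReloc) <= end) {
        BaseReloc blk = rd<BaseReloc>(img, off);
        if (blk.block_size < sizeof(BaseReloc) || off + blk.block_size > end) return -1;
        size_t count = (blk.block_size - sizeof(BaseReloc)) / sizeof(uint16_t);
        for (size_t i = 0; i < count; i++) {
            uint16_t e = rd<uint16_t>(img, off + sizeof(BaseReloc) + i * 2);
            uint16_t type = e >> 12;
            uint32_t rva = blk.page_rva + (e & 0xFFF);
            if (type == RELOC_ABSOLUTE) continue;                     // alignment padding
            if (type != RELOC_DIR64 || rva + 8 > img.mem.size()) return -1;
            wr<uint64_t>(img, rva, rd<uint64_t>(img, rva) + delta);
            applied++;
        }
        off += blk.block_size;
    }
    return applied;
}

// Resolver: given (dll, function) return the address to write into the IAT; 0 = unresolved.
// A default resolver asks the real DLL; a hooking resolver answers selected names with a
// local function instead, which is the mechanism behind IAT hooking.
using Resolver = std::function<uint64_t(const std::string&, const std::string&)>;

// Fill the IAT from the import lookup table. Returns entries filled, or -1 on failure.
long load_imports(Image& img, const Resolver& resolve) {
    long filled = 0;
    for (uint32_t off = img.import_rva;; off += sizeof(ImportDesc)) {
        ImportDesc d = rd<ImportDesc>(img, off);
        if (d.name_rva == 0) break;                                   // terminating descriptor
        std::string dll(reinterpret_cast<const char*>(&img.mem[d.name_rva]));
        uint32_t lookup = d.ilt ? d.ilt : d.iat;                      // ILT may be absent
        for (uint32_t k = 0;; k += 8) {
            uint64_t thunk = rd<uint64_t>(img, lookup + k);
            if (thunk == 0) break;
            if (thunk >> 63) return -1;                                // by-ordinal: not modelled
            std::string fn(reinterpret_cast<const char*>(&img.mem[(uint32_t)thunk + 2])); // skip hint
            uint64_t addr = resolve(dll, fn);
            if (addr == 0) return -1;
            wr<uint64_t>(img, d.iat + k, addr);
            filled++;
        }
    }
    return filled;
}

// Stand-in for LoadLibrary+GetProcAddress with constructed export addresses.
uint64_t default_resolver(const std::string& dll, const std::string& fn) {
    static const std::map<std::string, uint64_t> exports = {
        {"kernel32.dll!VirtualAlloc", 0x7FFB00001000ULL},
        {"kernel32.dll!ExitProcess", 0x7FFB00002000ULL}};
    auto it = exports.find(dll + "!" + fn);
    return it == exports.end() ? 0 : it->second;
}

// Hooking resolver: the payload's ExitProcess import is pointed at a loader-side handler
// (address assumed for the demo) so the payload cannot terminate the host process.
constexpr uint64_t HOOK_EXIT_PROCESS = 0x00007FF6DEAD0000ULL;
uint64_t hooking_resolver(const std::string& dll, const std::string& fn) {
    return fn == "ExitProcess" ? HOOK_EXIT_PROCESS : default_resolver(dll, fn);
}

// Constructed sample image: one import descriptor (kernel32.dll: VirtualAlloc, ExitProcess),
// an absolute pointer at RVA 0x200 that is only valid at pref_base, and its .reloc block.
Image build_sample_image() {
    Image img{std::vector<uint8_t>(0x400, 0), 0x140000000ULL, 0x300, 12, 0x100};
    wr<ImportDesc>(img, 0x100, {0x140, 0, 0, 0x180, 0x160});
    memcpy(&img.mem[0x180], "kernel32.dll", 13);
    memcpy(&img.mem[0x192], "VirtualAlloc", 13);      // hint/name entry: 2-byte hint, then name
    memcpy(&img.mem[0x1A2], "ExitProcess", 12);
    for (uint32_t t : {0x140u, 0x160u}) { wr<uint64_t>(img, t, 0x190); wr<uint64_t>(img, t + 8, 0x1A0); }
    wr<uint64_t>(img, 0x200, img.pref_base + 0x210);
    wr<BaseReloc>(img, 0x300, {0x200, 12});
    wr<uint16_t>(img, 0x308, (RELOC_DIR64 << 12) | 0x000);
    wr<uint16_t>(img, 0x30A, RELOC_ABSOLUTE);           // padding keeps the block 4-byte aligned
    return img;
}
```

Usage: build the image with `build_sample_image()`, call `apply_relocations(img, new_base)` with the address the image actually landed at, then `load_imports(img, hooking_resolver)`; after that the IAT slot for `VirtualAlloc` holds the (constructed) export address while the slot for `ExitProcess` holds the hook. Both functions fail closed on unknown relocation types, out-of-image targets and unresolvable names rather than silently producing a partially fixed image, which is the behaviour you want when the input is untrusted.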
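An added example, not part of libPeConv, of the unmapping step a memory dump needs before the bytes can be written back as a loadable file: a PE read out of a process is in its virtual layout (each section at `VirtualAddress`), and the dump has to move every section back to its `PointerToRawData` offset using the section table. The `SectionHeader` struct mirrors `IMAGE_SECTION_HEADER`; the function name, the constructed image and its section table are assumptions for the demonstration, and IAT rebuilding is a separate step not shown here.

```cpp
// Added example (not libPeConv code): virtual-to-raw conversion of a mapped
// image using its section table, i.e. the "unmapping" half of a memory dump.
// The image and section headers below are constructed for the demonstration.
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <vector>

struct SectionHeader {                                  // IMAGE_SECTION_HEADER (40 bytes)
    char     name[8];
    uint32_t virtual_size, virtual_address, size_of_raw_data, pointer_to_raw_data;
    uint32_t reloc_ptr, linenum_ptr;
    uint16_t nrelocs, nlinenums;
    uint32_t characteristics;
};

// Convert a mapped image to raw file layout. Headers are copied 1:1; each section's
// SizeOfRawData bytes are moved from VirtualAddress to PointerToRawData. Returns an
// empty vector if a section points outside the image or its raw region would land
// inside the headers (both are signs of a corrupt or tampered section table).
std::vector<uint8_t> virtual_to_raw(const std::vector<uint8_t>& image, uint32_t headers_size,
                                    const std::vector<SectionHeader>& sections) {
    std::vector<uint8_t> raw;
    if (headers_size > image.size()) return raw;
    uint64_t raw_size = headers_size;
    for (const auto& s : sections) {
        if (s.size_of_raw_data == 0) continue;          // e.g. .bss: nothing on disk
        if ((uint64_t)s.virtual_address + s.size_of_raw_data > image.size()) return raw;
        if (s.pointer_to_raw_data < headers_size) return raw;
        raw_size = std::max<uint64_t>(raw_size, (uint64_t)s.pointer_to_raw_data + s.size_of_raw_data);
    }
    raw.assign(raw_size, 0);
    memcpy(raw.data(), image.data(), headers_size);
    for (const auto& s : sections) {
        if (s.size_of_raw_data == 0) continue;
        memcpy(&raw[s.pointer_to_raw_data], &image[s.virtual_address], s.size_of_raw_data);
    }
    return raw;
}

// Constructed sample: 0x400 bytes of headers, .text mapped at 0x1000 (0x200 bytes on disk
// at 0x400), .data mapped at 0x2000 (0x100 bytes on disk at 0x600); SectionAlignment
// 0x1000, FileAlignment 0x200, so the mapped image is 0x3000 bytes but the file is 0x700.
std::vector<SectionHeader> sample_sections() {
    return {{".text", 0x1F0, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020},
            {".data", 0x80, 0x2000, 0x100, 0x600, 0, 0, 0, 0, 0xC0000040}};
}
std::vector<uint8_t> sample_image() {
    std::vector<uint8_t> image(0x3000, 0);
    memcpy(&image[0], "MZ", 2);                          // only the magic; enough for the demo
    std::fill(image.begin() + 0x1000, image.begin() + 0x11F0, 0xCC);  // "code"
    memcpy(&image[0x2000], "config", 7);                 // "data"
    return image;
}
```

Usage: `virtual_to_raw(sample_image(), 0x400, sample_sections())` yields a 0x700-byte buffer with the code at file offset 0x400 and the data at 0x600. When dumping from a live process, take `headers_size` from `SizeOfHeaders` and the section table from the dumped headers, and treat a rejected table as a signal that the headers were wiped or altered rather than as something to patch around silently.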
### Basic example
*The simplest use case*: use libPeConv to manually load and run an EXE of your choice.
```
#include <Windows.h>
#include <iostream>
#include <peconv.h> // include libPeConv header

int main(int argc, char *argv[])
{
    if (argc < 2) {
        std::cout << "Args: <path to the PE to be loaded>" << std::endl;
        return 0;
    }
    LPCSTR pe_path = argv[1];

    // manually load the PE file using libPeConv:
    size_t v_size = 0;
#ifdef LOAD_FROM_PATH
    // if the PE is dropped on the disk, you can load it from the file:
    BYTE* my_pe = peconv::load_pe_executable(pe_path, v_size);
#else
    size_t bufsize = 0;
    BYTE *buffer = peconv::load_file(pe_path, bufsize);
    if (!buffer) {
        return -1;
    }
    // if the file is NOT dropped on the disk, you can load it directly from a memory buffer:
    BYTE* my_pe = peconv::load_pe_executable(buffer, bufsize, v_size);
    // the raw file buffer is no longer needed once the PE has been mapped:
    peconv::free_file(buffer);
#endif
    if (!my_pe) {
        return -1;
    }
    // if the loaded PE needs to access resources, you may need to connect it to the PEB:
    peconv::set_main_module_in_peb((HMODULE)my_pe);

    // load delayed imports (if present):
    const ULONGLONG load_base = (ULONGLONG)my_pe;
    peconv::load_delayed_imports(my_pe, load_base);

    // if needed, you can run TLS callbacks before the Entry Point:
    peconv::run_tls_callbacks(my_pe, v_size);

    // calculate the Entry Point of the manually loaded module
    DWORD ep_rva = peconv::get_entry_point_rva(my_pe);
    if (!ep_rva) {
        return -2;
    }
    ULONG_PTR ep_va = ep_rva + (ULONG_PTR) my_pe;

    // assuming that the payload is an EXE file (not a DLL), this is the simplest prototype of its main:
    int (*new_main)() = (int(*)())ep_va;

    // call the Entry Point of the manually loaded PE:
    return new_main();
}
```
*See also: https://github.com/hasherezade/libpeconv_tpl/blob/master/project_template/main.cpp*
### Learn more
+ [Wiki](https://github.com/hasherezade/libpeconv/wiki)
+ [Documentation](https://hasherezade.github.io/libpeconv/)
+ [Examples](https://github.com/hasherezade/libpeconv/tree/master/tests)
+ [Tutorials](https://hshrzd.wordpress.com/tag/libpeconv/)
+ [Project template](https://github.com/hasherezade/libpeconv_project_template)