Tuesday, August 28, 2007

Visualizations of the Portable Executable Format

I've always found that clear diagramming and laying out of complicated information makes it much more accessible and understandable.
When I started looking into the Portable Executable format I found it really helpful to lay out all the headers and structures I was trying to understand, to visualize how they relate to each other and the information they contain.
The resulting diagrams have been available under the corresponding section on OpenRCE for some time now.

Now, given the feedback I received about some of those, I decided to put them up in an online store so people can get real posters: high-resolution, updated and redesigned versions of those diagrams.

The "Portable Executable Format" poster has been updated to display the modified structures of the PE32+ format, while "The Portable Executable Format. A File Walkthrough" depicts the basic headers on top of a raw byte representation of an actual executable file.

Thursday, August 23, 2007

PyDbg hacks

Pedram just posted on his OpenRCE blog some awesome PyDBG hacks.

Wednesday, August 22, 2007

Google Sky

Google has just released Google Earth 4.2 and it comes with an extremely cool new feature, Google Sky.
It provides layers for all kinds of astronomical objects and astrophysical features like gravitational lenses. It even has the Ultra Deep Field image sets from the Hubble. This is simply gorgeous, I could play with it for hours...

pefile 1.2.7

Just pushed out an updated version of pefile with some minor enhancements and fixes:
  • Added additional IMAGE_SUBSYSTEM_* flags
  • Added processing of the Optional Header's DllCharacteristics
  • Time/date fields are now reported as UTC times
  • Added warning message for suspicious entry point addresses
  • Several minor parsing bugs fixed

Tuesday, August 21, 2007

Great Python overview

Alex Martelli gave a talk in the Baypiggies meeting providing a great overview of Python. Check out the video and slides.

Friday, August 10, 2007

Black Hat Slides

Although originally Halvar Flake and I were supposed to present together in a quick turbo-talk at Black Hat in Las Vegas, he unfortunately couldn't make it to the conference for reasons that have been already discussed.

I ended up sticking mostly to the original plan for the talk and presented some Python tools to automate reverse engineering and analysis processes.

I've just put the slides up here.

pefile 1.2.6

It's finally here! Took longer than I expected because of all the enhancements and because I decided to move pefile to Google Code.

Besides access to the source code through their Subversion server, they also have a really cute wiki.

I've added documentation and examples and it should make it easier for people to contribute ideas and improvements.

I introduced some of the new features of pefile in my turbo-talk in the last Black Hat in Las Vegas.

Besides some bugfixes, pefile-1.2.6 can now parse PEiD's signatures, it will report on the entropy of each section and will display more warnings for suspicious values found when parsing PE files. Just check the example dumps of Tiny PE and 0x90.exe.

Information on how to use the PEiD signature matching can be found here. I posted a while ago on what can be done with the signature parsing.
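As an added example that is not part of the original posts or of pefile itself: the two checks these releases describe, per-section entropy (1.2.6) and a warning for an entry point that lands outside every section (1.2.7), implemented with only the standard library and run over a constructed minimal PE32 image. The 7.0 entropy threshold, the section names, the file offsets and the layout of the sample image are assumptions made for the example.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; packed or encrypted sections sit close to 8.0."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in (data.count(v) for v in set(data)))

def parse_sections(pe: bytes):
    """Walk DOS header -> NT headers -> section table; return entry RVA and section tuples."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                    # IMAGE_DOS_HEADER.e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)      # NumberOfSections, SizeOfOptionalHeader
    entry = struct.unpack_from("<I", pe, nt + 24 + 16)[0]         # OPTIONAL_HEADER.AddressOfEntryPoint
    sections = []
    for i in range(nsec):                                         # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", pe, nt + 24 + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rptr, rsize))
    return entry, sections

def analyze(pe: bytes, high_entropy: float = 7.0):
    """Per-section entropy plus two warnings; the 7.0 threshold is an assumed value."""
    entry, sections = parse_sections(pe)
    report, warnings = {}, []
    for name, va, vsize, rptr, rsize in sections:
        ent = shannon_entropy(pe[rptr:rptr + rsize])
        report[name] = round(ent, 3)
        if ent > high_entropy:
            warnings.append(f"{name}: entropy {ent:.2f}, likely packed or encrypted")
    if not any(va <= entry < va + max(vsize, rsize) for _, va, vsize, _, rsize in sections):
        warnings.append(f"entry point 0x{entry:x} lies outside every section")
    return report, warnings

def build_sample_pe(entry_rva: int) -> bytes:
    """Constructed minimal PE32 image (headers plus two sections; not a runnable program)."""
    text = b"\x55\x8b\xec" + b"\x90" * 61                         # mostly NOP padding: low entropy
    packed = bytes(range(256))                                    # every byte value once: entropy 8.0
    opt_size, raw_text, raw_packed = 96, 0x200, 0x400
    img = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)       # IMAGE_FILE_HEADER
    img += struct.pack("<HBBIIII", 0x10B, 9, 0, len(text), len(packed), 0, entry_rva).ljust(opt_size, b"\0")
    img += struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), raw_text, 0, 0, 0, 0, 0x60000020)
    img += struct.pack("<8sIIIIIIHHI", b".pack", len(packed), 0x2000, len(packed), raw_packed, 0, 0, 0, 0, 0xE0000040)
    img = img.ljust(raw_text, b"\0") + text
    return img.ljust(raw_packed, b"\0") + packed
```

Calling `analyze(build_sample_pe(0x5000))` flags both the all-byte-values section and the out-of-section entry point, while an entry RVA of 0x1000 only triggers the entropy warning.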