# PE File Carver
# by Brian Baskin (@bbaskin)
#
# Horrible code, I'm sure, but it works.
# I'm just a shadetree-programmer
# Don't like it? Pull it, make it better, and teach me.
#
# This program searches any large logical file for executable files, which are then
# carved out and stored onto the hard drive.
# It searches for the text 'This program' which is found in nearly all executables.
# It then attempts to parse the PE header, compute the file size from it, and extract
# that many bytes to a separate file.
# It can be easily modified, in my opinion, for your needs.
#
# Version 1.0 - 18 Dec 12
# Code I threw together because Foremost/Scalpel gave me so many false positives
# Version 1.1 - 27 Jun 16
# OMG, 3.5 years later. Now it's a "legit" application that runs somewhat better
#
# ToDo: Add RAR SFX parsing. Already got it spec'ed out. Then all other overlays
import argparse
import mmap
import os
import sys
from datetime import datetime

import bitstring # Used to parse data. Download from: http://code.google.com/p/python-bitstring/
import pefile # Used to parse PE header. Download from: http://code.google.com/p/pefile/
g_log = ''  # Path of the optional log file: set by getArgs() from --log, read by log(). Empty string = no file logging.
def file_exists(fname):
    """Return True when *fname* exists on disk and the current user may read it."""
    if not os.path.exists(fname):
        return False
    return os.access(fname, os.R_OK)
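def log(string):
    # Tees one line of output to stdout and, when a log path was given on the
    # command line (g_log, set by getArgs), appends it to that file.
    # The original only wrote to the file, so a run without --log was silent;
    # printing restores the "tee" the comment describes.
    # File logging is best-effort: an unwritable log never aborts a scan.
    print(string)
    if g_log:
        try:
            with open(g_log, 'a') as fh:
                fh.write(string + '\n')
        except (IOError, OSError):
            pass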
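def getSize_FromPE(PE_data):
    # Estimates the on-disk size of a PE image from the raw bytes in PE_data:
    # the largest PointerToRawData + SizeOfRawData over all sections.
    # Sections are not required to be listed in file order, so the maximum is
    # taken rather than trusting the last entry of the section table.
    # FYI: This will miss any overlay data, such as RAR SFX archives, etc.
    # Returns 0 when the data is not a parseable PE or declares no sections;
    # callers treat 0 as "not an EXE". Parsing is best-effort by design.
    try:
        pe = pefile.PE(data=PE_data)
    except Exception:  # pefile.PEFormatError on junk headers, plus anything else pefile raises
        return 0
    section_ends = [s.PointerToRawData + s.SizeOfRawData for s in pe.sections]
    return max(section_ends) if section_ends else 0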
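def getArgs():
    # Parses the command line and returns the argparse namespace
    # (args.file, args.output, args.log).
    # Side effect: sets the module-level g_log to the --log path when given,
    # so that log() appends to it.
    # Exits with status 1 when no arguments were given or the input file
    # does not exist / is not readable.
    global g_log
    parser = argparse.ArgumentParser(description='Carve PE executables out of a raw file')
    parser.add_argument('-f', '--file', help='Raw file to carve', required=True)
    parser.add_argument('-o', '--output', help='Output folder for extracted files', required=True)
    parser.add_argument('--log', help='Log output file', required=False)
    if len(sys.argv) == 1:
        parser.print_help()
        sys.exit(1)
    args = parser.parse_args()
    # --file is required, so there is no need to test args.file for truthiness.
    if not file_exists(args.file):
        # print() form matches the rest of the file and works on Python 2 and 3.
        print('[!] Source file not found: {}'.format(args.file))
        sys.exit(1)
    if args.log:
        g_log = args.log
    return args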
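# Carving heuristics. The size window is arbitrary: junk PE headers produced
# claimed sizes of >30 GB, so anything outside this window is ignored.
_PE_STUB_TEXT = b'This program'  # start of the DOS stub message found in nearly all EXEs
_MZ_OFFSET_FROM_STUB = 78  # distance from 'This program' back to the 'MZ' magic
_MIN_PE_SIZE = 10000
_MAX_PE_SIZE = 2000000
_HEADER_READ_SIZE = 1024  # bytes handed to pefile; original value, usually covers the section table but not guaranteed


def _find_mz_offsets(path):
    # Returns candidate 'MZ' offsets in the file at *path*, in ascending order.
    # The file is memory-mapped and scanned byte-aligned for the DOS stub text
    # (the bitstring search it replaces also reported bit-unaligned matches and,
    # on Python 3, searched for the literal text '0x5468...' instead of the
    # decoded bytes). A hit that would put 'MZ' before the start of the file
    # is dropped. An empty file yields [] (mmap refuses to map it).
    hits = []
    with open(path, 'rb') as fh:
        if os.fstat(fh.fileno()).st_size == 0:
            return hits
        view = mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ)
        try:
            pos = view.find(_PE_STUB_TEXT)
            while pos != -1:
                if pos >= _MZ_OFFSET_FROM_STUB:
                    hits.append(pos - _MZ_OFFSET_FROM_STUB)
                pos = view.find(_PE_STUB_TEXT, pos + 1)
        finally:
            view.close()
    return hits


def _carve_entries(path, entries, output_folder):
    # Checks each candidate offset and writes the ones that look like a real,
    # plausibly sized PE to output_folder as <basename>_<hex offset>.livebin.
    # os.path.basename is used instead of splitting on '\\' because on POSIX an
    # absolute input path would otherwise make os.path.join discard
    # output_folder and write next to the input file.
    base_name = os.path.basename(path)
    with open(path, 'rb') as ifile:
        for hit in entries:
            ifile.seek(hit)
            pe_header = ifile.read(_HEADER_READ_SIZE)
            pesize = getSize_FromPE(pe_header)
            # b'MZ' compares equal to 'MZ' on Python 2 and to bytes on Python 3.
            if pe_header[:2] != b'MZ' or not (_MIN_PE_SIZE < pesize < _MAX_PE_SIZE):
                log('Ignored PE header at 0x%X' % hit)
                continue
            log('Found at: 0x%X (%d bytes)' % (hit, pesize))
            ifile.seek(hit)
            pe_data = ifile.read(pesize)
            if len(pe_data) < pesize:
                # The declared size runs past the end of the input; say so rather
                # than silently writing a truncated image.
                log('Warning: 0x%X truncated by end of file (%d of %d bytes)' % (hit, len(pe_data), pesize))
            outfile = os.path.join(output_folder, '%s_%X.livebin' % (base_name, hit))
            with open(outfile, 'wb') as ofile:
                ofile.write(pe_data)


def main():
    # Entry point: parse arguments, scan the input file for embedded PE images
    # and carve each plausible one into the output folder.
    # Exits with status 1 when the output folder is not an existing directory.
    args = getArgs()
    output_folder = args.output or '.'
    if not os.path.isdir(output_folder):
        print('[!] Output folder does not exist: {}'.format(output_folder))
        sys.exit(1)
    started = datetime.now().strftime('[%d %b %y @ %H:%M:%S]')
    log('Scan started on %s at %s' % (args.file, started))
    log('Gathering search hits...')
    entries = _find_mz_offsets(args.file)
    log('Parsing EXEs...')
    _carve_entries(args.file, entries, output_folder)
    ended = datetime.now().strftime('[%d %b %y @ %H:%M:%S]')
    log('Scan ended on %s at %s' % (args.file, ended))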
if __name__ == '__main__':
main()