malstruct.binaryfiles package

Submodules

malstruct.binaryfiles.dotnet module

Construct helpers for .NET

malstruct.binaryfiles.elfutils module

malstruct.binaryfiles.elfutils.ELFPointer(mem_off, subcon, elf=None)

Pointer for ELF files. This works for both memory sizes.

NOTE: This only works for x86 instructions. For other architectures, please see the “ELFPointer” within their respective submodules

Parameters:

  • mem_off – an int or a function that represents the memory offset for the equivalent physical offset.

  • subcon – the subcon to use at the offset

  • elf – Optional elftools.ELFFile file object. (if not supplied here, this must be supplied during parse()/build()

class malstruct.binaryfiles.elfutils.ELFMemoryAddress(subcon, elf: ELFFile = None)

Bases: Adapter

Adapter used to convert an int representing a physical address into an ELF memory address.

malstruct.binaryfiles.elfutils.ELFPointerARM(inst, inst_end, subcon, elf=None)

This is the ARM version of ELFPointer. This subconstruct takes two arguments which specify the parsed ARM instruction containing an immediate offset in its second operand and the end offset (physical) for said instruction.

The following ARM instructions are currently supported: - LDR

Example: for the instruction “LDR R1, =data_offset”:

>>> spec = Struct(
    'inst' / LDR_ARM,
    'inst_end' / Tell,
    'data' / ELFPointerARM(this.inst, this.inst_end, Bytes(100))
)
>>> spec = Struct(
    're' / Regex(
        '\x01\x03(?P<data_ldr_inst>.{4})(?P<end>)\x06\x07', data_ldr_inst=LDR_ARM, end=Tell),
    'data' / ELFPointerARM(this.re.data_ldr_inst, this.re.end, Bytes(100))
)
>>> spec.parse(file_data, elf=elf_object)
Parameters:

  • inst – a Container or function that represents the assembly instruction

  • inst_end – an int or a function that represents the location of the end of the instruction.

  • subcon – the subcon to use at the offset

  • elf – Optional elftools.ELFFile file object. (if not supplied here, this must be supplied during parse()/build()

malstruct.binaryfiles.elfutils.MIPSPointer(high, rel_off, subcon, elf=None)

Pointer for MIPS binaries

Convert the high value and add the relative offset to obtain the memory offset of the data. Convert the memory offset to a physical offset and obtain the targeted information using the provided subcon

Parameters:

  • high – High 16-bits

  • rel_off – Relative information offset

  • subcon – the subcon to use at the offset

  • elf – Optional elftools.ELFFile file object.

malstruct.binaryfiles.elfutils.MIPSGOTPointer(start, high, low, rel_off, subcon, elf=None)

Pointer for MIPS binaries using .got

If the MIPS binary uses an indirect lookup, the start of the function is a relative pointer to the .got segment, which contains an information list. Calculate the address of the .got segment by adding the start of the function to the high and low addresses, and then add the relative offset of the targeted entry. Parse using the subcon to obtain the targeted information address

Parameters:

  • start – Start offset for reference function

  • high – High 16-bits

  • low – Low 16-bits

  • rel_off – Relative information offset

  • subcon – the subcon to use at the offset

  • elf – Optional elftools.ELFFile file object.

malstruct.binaryfiles.machoutils module

malstruct.binaryfiles.machoutils.MachOPointer(mem_off, subcon, macho=None)

Converts a MachO.Binary virtual address to an offset

Example:

>>> spec = Struct(
    'offset' / Int64ul,
    'data' / MachOPointer(this.offset, Bytes(100))
)

>>> spec.parse(file_data, macho=macho_object)
Parameters:

  • mem_off – an int or a function that represents the memory offset for the equivalent physical offset.

  • subcon – the subcon to use at the offset

  • macho – Optional MachO file object. (if not supplied here, this must be supplied during parse()/build()

malstruct.binaryfiles.machoutils.MachOFatPointer(mem_off, subcon, macho=None)

Converts a MachO.Binary virtual address to an offset, offset by the start of the MachO binary

Parameters:

  • mem_off – an int or a function that represents the memory offset for the equivalent physical offset.

  • subcon – the subcon to use at the offset

  • macho – Optional MachO file object. (if not supplied here, this must be supplied during parse()/build()

class malstruct.binaryfiles.machoutils.MachOMemoryAddress(subcon, macho=None)

Bases: Adapter

Adapter used to convert an int representing an MachO memory address into a physical address.

class malstruct.binaryfiles.machoutils.MachOFatMemoryAddress(subcon, macho=None)

Bases: Adapter

Adapter used to convert an int representing an MachO memory address into a physical address, offset by the start of the MachO binary

malstruct.binaryfiles.peutils module

class malstruct.binaryfiles.peutils.PEPhysicalAddress(subcon, pe: PE = None)

Bases: Adapter

Adapter used to convert an int representing a PE memory address into a physical address.

The PE object can either be passed into the specific construct, or as a keyword argument in the parse()/build() functions. If passed in through parse()/build(), the same PE object will be used for all instances.

This Adapter is useful when used along-side the Pointer construct::
>>> spec = Struct(
    'offset' / PEPhysicalAddress(Int32ul),
    'data' / Pointer(this.offset, Bytes(100))
)
>>> with open(r'C:\32bit_exe', 'rb') as fo:
...     file_data = fo.read()
>>> pe = pefile.PE(data=file_data)
>>> PEPhysicalAddress(Int32ul, pe=pe).build(100)
'd\x00@\x00'
>>> PEPhysicalAddress(Int32ul, pe=pe).parse(b'd\x00@\x00')
100
>>> PEPhysicalAddress(Int32ul).build(100, pe=pe)
'd\x00@\x00'
>>> PEPhysicalAddress(Int32ul).parse(b'd\x00@\x00', pe=pe)
100
class malstruct.binaryfiles.peutils.PEMemoryAddress(subcon, pe: PE = None)

Bases: Adapter

Adapter used to convert an int representing a PE physical address into a memory address.

The PE object can either be passed into the specific construct, or as a keyword argument in the parse()/build() functions. If passed in through parse()/build(), the same PE object will be used for all instances.

This Adapter is useful when used along-side the PEPointer construct:

>>> spec = Struct(
    'relative_offset' / Int32ul,
    'instruction_end' / PEMemoryAddress(Tell),
    'data' / PEPointer(this.relative_offset + this.instruction_end, Bytes(100))
)
class malstruct.binaryfiles.peutils.PEAddressFromRVA(subcon, pe: PE = None)

Bases: Adapter

Adapter used to convert an int representing a PE relative virtual address (RVA) into a physical address.

The PE object can either be passed into the specific construct, or as a keyword argument in the parse()/build() functions. If passed in through parse()/build(), the same PE object will be used for all instances.

This Adapter is useful when used along-side the Pointer construct:

>>> spec = Struct(
    'offset' / PEAddrFromRVA(Int32ul),
    'data' / Pointer(this.offset, Bytes(100))
)
malstruct.binaryfiles.peutils.PEPointer(mem_off, subcon, pe=None)

This is an alternative to PEPhysicalAddress when you are using the address along with Pointer

Example:

# Simplifies
>>> spec = Struct(
    'offset' / PEPhysicalAddress(Int32ul),
    'data' / Pointer(this.offset, Bytes(100))
)

# to
>>> spec = Struct(
    'offset' / Int32ul,
    'data' / PEPointer(this.offset, Bytes(100))
)
>>> spec.parse(file_data, pe=pe_object)
Parameters:

  • mem_off – an int or a function that represents the memory offset for the equivalent physical offset.

  • subcon – the subcon to use at the offset

  • pe – Optional PE file object. (if not supplied here, this must be supplied during parse()/build()

malstruct.binaryfiles.peutils.PEPointer64(mem_off, inst_end, subcon, pe=None)

This is the 64-bit version of PEPointer. This subconstruct takes an extra argument which specifies the location of the end of the instruction for which the memory_offset was used. (A parameter necessary for 64-bit)

Example:

>>> spec = Struct(
    'offset' / Int32ul,
    Padding(2),
    'inst_end' / Tell,
    'data' / PEPointer64(this.offset, this.inst_end, Byte(100))
)
>>> spec = Struct(
    'instruction' / Regex(
        '\x01\x03(?P<data_ptr>.{4})\x04\x05(?P<end>)\x06\x07', data_ptr=DWORD, end=Tell),
    'data' / PEPointer64(this.instruction.data_ptr, this.instruction.end, Bytes(100))
)
>>> spec.parse(file_data, pe=pe_object)
Parameters:

  • mem_off – an int or a function that represents the memory offset for the equivalent physical offset.

  • inst_end – an int or a function that represents the location of the end of the instruction to be relative to.

  • subcon – the subcon to use at the offset

  • pe – Optional PE file object. (if not supplied here, this must be supplied during parse()/build()

malstruct.binaryfiles.peutils.PERVAPointer(rva, subcon, pe=None)

This is an alternative to PEAddrFromRVA when you are using the address along with Pointer

Example:

>>> spec = Struct(
    "rva" / Int32ul,
    "data" / PERVAPointer(this.rva, CString("utf-16")
)
Parameters:

  • rva – an int or a function that represents the relative virtual offset for the equivalent physical offset.

  • subcon – the subcon to use at the offset

  • pe – Optional PE file object. (if not supplied here, this must be supplied during parse()/build()

class malstruct.binaryfiles.peutils.PEImport(subcon, pe=None)

Bases: Adapter

Adapter used to obtain the import name at a specified address

This Adapter is useful for regex match valiation::
>>> spec = Struct(
    're' / Regex(rb"h(?P<src>.{4})ÿ(?P<inet_open>.{4})", src=Int32ul, inet_open=PEImport(Int32ul)),
    Check(this.re.inet_open == "InternetOpenA"),
    'useragent' / Pointer(this.re.src, CString())
)
malstruct.binaryfiles.peutils.PEImportPointer(mem_off, pe=None)

Obtain the name of an import address

This is an alternative to PEImportAdapter when you are using the address along with Pointer::
>>> spec = Struct(
    're' / Regex(rb'h(?P<src>.{4})ÿ(?P<inet_open>.{4})', src=Int32ul, inet_open=Int32ul),
    'internet_open_a' / PEImportPointer(this.re.inet_open),
    Check(this.re.internet_open_a == "InternetOpenA"),
    'useragent' / Pointer(this.re.src, CString())
)
This is specifically useful with 64-bit samples::
>>> spec = Struct(
    # test64.exe @ 0x140001026
    're' / Regex(
        re.compile(br'H(?P<ro>.{4})(?P<e>)H‹L$.ÿ(?P<wcro>.{4})(?P<wce>)'),
        ro=Int32ul,
        e=PEMemoryAddress(Tell),
        wcro=Int32ul,
        wce=PEMemoryAddress(Tell)
    ),
    'write_console' / PEImportPointer(this.re.wcro + this.re.wce),
    Check(this.write_console == "WriteConsoleA"),
    "message" / PEPointer(this.re.ro + this.re.e, CString())
)
Parameters:

  • mem_off – Memory address of import address

  • pe – Optional PE file object. (if not supplied here, this must be supplied during parse()/build()

Module contents