Binalyzer: Phase 3 is now complete!
Source: Dev.to
Overview
Comparing section analysis between ELF and PE, explaining the format differences and how you approached them.
At last, Phase 3 for Binalyzer is now complete! It now lists sections for both PE and ELF files. Below are the key takeaways of what was done.
Parsing PE Sections
ELF and PE are fundamentally different formats, so reading and parsing their section fields requires distinct approaches.
- PE Documentation – Consulted the official PE specification to understand the section layout.
- Reading Data – Used read() and struct.unpack() to extract fields from the binary stream.
- Field Coverage – Ensured every field of each section is read; missing fields can cause data misalignment.
Reading Section Names
Section names are padded with null bytes (\x00). The padding was removed using Python’s replace() method:
clean_name = raw_name.replace(b'\x00', b'')
Handling Flags
Each flag is a single bit of the Characteristics field (shown as a hexadecimal value), and the field as a whole is a combination of several flags. The solution uses bitwise AND (&) to test for each flag individually:
if (characteristics & flag) == flag:  # parentheses needed: '==' binds tighter than '&' in Python
    flags_dict[flag] = description
This populates a dictionary where the key is the flag and the value is its description.
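The three steps above (unpack every field, strip the NUL padding from the name, decode the Characteristics bits) combined into one parser, as an added example that is not Binalyzer's own code. The field layout and flag values come from the PE specification; the sample table is constructed inline from values like those in the cmd.exe output, and the bounds check is an addition of this example.

```python
import struct

# IMAGE_SECTION_HEADER: 8-byte name followed by nine numeric fields, 40 bytes.
# Reading every field keeps the stream aligned for the next header.
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40

# Subset of the IMAGE_SCN_* Characteristics flags from the PE specification.
SECTION_FLAGS = {
    0x00000020: "Contains executable code",
    0x00000040: "Contains initialized data",
    0x00000080: "Contains uninitialized data",
    0x20000000: "Can be executed as code",
    0x40000000: "Can be read",
    0x80000000: "Can be written",
}

def decode_flags(characteristics):
    """Map each flag set in the Characteristics bitfield to its description.
    The parentheses matter: in Python '==' binds tighter than '&'."""
    return {flag: desc for flag, desc in SECTION_FLAGS.items()
            if (characteristics & flag) == flag}

def parse_section_header(data, offset):
    """Unpack one section header at `offset` and return its fields by name."""
    if offset + SECTION_HEADER_SIZE > len(data):
        raise ValueError("section header runs past end of data")
    fields = struct.unpack_from(SECTION_HEADER_FMT, data, offset)
    names = ("Name", "VirtualSize", "VirtualAddress", "SizeOfRawData",
             "PointerToRawData", "PointerToRelocations", "PointerToLinenumbers",
             "NumberOfRelocations", "NumberOfLinenumbers", "Characteristics")
    section = dict(zip(names, fields))
    # Names are NUL-padded to 8 bytes; strip the padding before decoding.
    section["Name"] = section["Name"].replace(b"\x00", b"").decode("ascii", "replace")
    section["Characteristics"] = decode_flags(section["Characteristics"])
    return section

def parse_section_table(data, offset, count):
    """Parse `count` consecutive headers; the table is contiguous in the file."""
    return [parse_section_header(data, offset + i * SECTION_HEADER_SIZE)
            for i in range(count)]

# Constructed sample table (test data, not a real binary): two headers packed
# with values like those in the post's cmd.exe output.
SAMPLE_TABLE = struct.pack(SECTION_HEADER_FMT, b".text", 0x37DB6, 0x1000,
                           0x38000, 0x1000, 0, 0, 0, 0, 0x60000020) + \
               struct.pack(SECTION_HEADER_FMT, b".rdata", 0x9B38, 0x3A000,
                           0xA000, 0x3A000, 0, 0, 0, 0, 0x40000040)
```

Running parse_section_table(SAMPLE_TABLE, 0, 2) yields the same names, addresses and flag descriptions shown for .text and .rdata in the sample output below.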
Sample Output
File path: /mnt/c/Windows/system32/cmd.exe
Filetype: PE
Magic number 0x20b
PE Header :
COFF Offset : 248
Signature : b'PE\x00\x00'
File Header :
Machine : x64
NumberOfSections : 8
TimeDateStamp : 2091-09-06 23:01:06+00:00
PointerToSymbolTable : 0
NumberOfSymbols : 0
SizeOfOptionalHeader (bytes) : 240
Characteristics :
0x2 : Executable file
0x20 : Can handle >2GB addresses
Optional Header :
Standard Fields :
Magic : PE32+
MajorLinkerVersion : 14
MinorLinkerVersion : 38
SizeOfCode : 233472
SizeOfInitializedData : 217088
SizeOfUnitizializedData : 0
AddressOfEntryPoint : 162592
BaseOfCode (address) : 4096
Sections :
[0]
Name : .text
VirtualSize : 0x37db6
VirtualAddress : 0x1000
SizeOfRawData : 0x38000
PointerToRawData : 0x1000
PointerToRelocations : 0x0
PointerToLinenumbers : 0x0
NumberOfRelocations : 0x0
NumberOfLinenumbers : 0x0
Characteristics :
0x0 : Reserved for future use
0x20 : Contains executable code
0x20000000 : Can be executed as code
0x40000000 : Can be read
[1]
Name : fothk
VirtualSize : 0x1000
VirtualAddress : 0x39000
SizeOfRawData : 0x1000
PointerToRawData : 0x39000
PointerToRelocations : 0x0
PointerToLinenumbers : 0x0
NumberOfRelocations : 0x0
NumberOfLinenumbers : 0x0
Characteristics :
0x0 : Reserved for future use
0x20 : Contains executable code
0x20000000 : Can be executed as code
0x40000000 : Can be read
[2]
Name : .rdata
VirtualSize : 0x9b38
VirtualAddress : 0x3a000
SizeOfRawData : 0xa000
PointerToRawData : 0x3a000
PointerToRelocations : 0x0
PointerToLinenumbers : 0x0
NumberOfRelocations : 0x0
NumberOfLinenumbers : 0x0
Characteristics :
0x0 : Reserved for future use
0x40 : Contains initialized data
0x40000000 : Can be read
Next Steps
For more details on this update, check out the releases on the GitHub repository. Phase 4 will start soon. Ta‑ta!