lordwelch/lsgo
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
lsgo/third_party/peinfo-go/README.md
lordwelch b5d007c865 Add ability to create a git repository from a BG3 install 
Add library to parse version info from a windows PE executable
There are issues with go-git, will change to a wrapper library
2021-02-15 21:47:38 -08:00

63 lines
2.4 KiB
Markdown
Raw Blame History

# peinfo-go
This is a PE (Portable Executable) parser written in GoLang. I wanted to learn more about the PE format, specifically how the certificates were stored. What better way is there than to write some code?
_This is a work in progress and will continue to change._
This leverages the `debug/pe` package for parsing of the common headers/sections.
Current state:
- Displays some PE details
- Validates certificate, verifies certificate chain, checks against CRL
- Parses Version Info struct
- Displays imports
TODO:
- ~~Actually Parse Version Info struct (currently displayed as raw binary)~~
- Re-write function for finding Version Info (currently written so I could better understand the structure)
- ~~Custom certificate stores~~
## Example
```
[user:~/peinfo-go\ > go run cmd/main.go -certdir ~/RootCerts -versioninfo ~/Downloads/PsExec.exe
type: pe32
TimeDateStamp: 2016-06-28 18:43:09 +0000 UTC
Characteristics: [Executable 32bit]
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Cert:
subject: CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
issuer: CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
not before: 2015-06-04 17:42:45 +0000 UTC
not after: 2016-09-04 17:42:45 +0000 UTC
CRL: [http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl]
verified: true (chain expired: true)
Version Info:
BuildDate :
BuildVersion :
Comments :
CompanyName : Sysinternals - www.sysinternals.com
Copyright :
FileDescription : Execute processes remotely
FileVersion : 2.2
InternalName : PsExec
LegalCopyright : Copyright (C) 2001-2016 Mark Russinovich
LegalTrademarks :
OriginalFilename : psexec.c
PrivateBuild :
ProductName : Sysinternals PsExec
ProductVersion : 2.2
SpecialBuild :
langCharSet : 040904b0h$
```
## References
- https://golang.org/pkg/debug/pe/
- http://www.pelib.com/resources/luevel.txt
- https://github.com/exiftool/exiftool/blob/master/lib/Image/ExifTool/EXE.pm
- https://github.com/deptofdefense/SalSA/blob/master/pe.py
- https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format#resource-directory-entries
- https://github.com/quarkslab/dreamboot/blob/31e155b06802dce94367c38ea93316f7cb86cb15/QuarksUBootkit/PeCoffLib.c
- https://docs.microsoft.com/en-us/windows/desktop/Debug/pe-format#the-attribute-certificate-table-image-only
Reference in New Issue View Git Blame Copy Permalink