pelite 0.10.0

Lightweight, memory-safe, zero-allocation library for reading and navigating PE binaries.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114

/*!

Markov Chain generator for Binary Code.

Inspect the disassembly of the generated bytes with [ODA](https://onlinedisassembler.com/odaweb/).
*/

use std::env;
use rand::{Rng, thread_rng};

fn main() {
	let mut args = env::args_os();
	args.next();

	// Help text
	if args.len() <= 1 {
		println!("markovbin <COUNT> <FILES>...\n\nGiven a list of binary <FILES> (.exe, .dll) analyzes their code to generate a markov chain of <COUNT> bytes.");
		return;
	}

	// Get the number of bytes to generate
	let count: usize = match args.next().unwrap().into_string().unwrap().parse() {
		Ok(count) => count,
		Err(e) => {
			eprintln!("first argument should be a number (of bytes to generate): {}", e);
			return;
		}
	};

	// Markov chain data
	// Represents the number of times the byte at index J follows the byte at index I in the outer array
	// Uh, for every possible byte the inner array gives the number of times another byte followed it
	let mut markov_data = [[0u32; 256]; 256];

	// Combine the markov data from all the given input binary files
	for file in args {
		// Load the file into memory
		eprintln!("generating markov data from {:?}...", file);
		match pelite::FileMap::open(&file) {
			Ok(map) => {
				match pelite::PeFile::from_bytes(&map) {
					Ok(pe) => {
						// Analyze all executable sections
						for section in pe.section_headers() {
							if section.Characteristics & 0xE0000000 == 0x60000000 {
								// Mix the markov data from this binary
								match pe.derva_slice(section.VirtualAddress, section.VirtualSize as usize) {
									Ok(bytes) => analyze(bytes, &mut markov_data),
									Err(e) => eprintln!("cannot read code from {:?}: {}", file, e),
								}
							}
						}
					},
					Err(err) => {
						eprintln!("cannot parse file {:?}: {}", file, err);
					},
				}
			},
			Err(e) => {
				eprintln!("cannot read file {:?}: {}", file, e);
			},
		}
	}

	// With the analyzed markov data, generate some random bytes
	generate(&markov_data, count);
}

fn analyze(bytes: &[u8], buckets: &mut [[u32; 256]; 256]) {
	if bytes.len() == 0 {
		return;
	}

	let mut bucket = bytes[0] as usize;
	for &byte in &bytes[1..] {
		buckets[bucket][byte as usize] += 1;
		bucket = byte as usize;
	}
}

fn generate(buckets: &[[u32; 256]; 256], count: usize) {
	let mut rng = thread_rng();

	// Start with a random byte (not weighted :/)
	let mut byte = rng.gen();

	for _ in 0..count {
		// Select the bucket which stores the weights for the next byte
		let bucket = &buckets[byte as usize];

		// Total number of follow bytes
		let total = bucket.iter().sum();
		// Retry a random byte if there are no follow bytes for this one...
		if total == 0 {
			byte = rng.gen();
			continue;
		}

		// Print the selected byte
		print!("{:02X} ", byte);

		// Pick the next byte based on the weight for this byte
		// FIXME! Use weighted reservoir sampling instead but this is more simple...
		let mut pick = rng.gen_range(0, total);
		for i in 0..256 {
			if pick < bucket[i] {
				byte = i as u8;
				break;
			}
			pick -= bucket[i];
		}
	}

	println!();
}