Over the years I’ve received several bugfix requests, but couldn’t oblige because of the lack of time. If you’re interested that a particular fix goes into the upcoming release, please leave a comment under this blog post or drop me an email to ntcore@gmail.com (feel free to repeat the request, as it might have been lost during the years).

Please don’t include radical changes or improvements, we’ll leave that for later maybe. If your company needs professional PE inspection (not editing), I’d advice you to check out my current commercial product at cerbero.io/profiler, which doesn’t cover ‘just’ the Portable Executable format.

UPDATE: Uploaded new version with the following improvements:

– Dropped Itanium version
– Added ENCLog and ENCMap .NET tables
– Modify resources of system files (MUI limitation)
– Fixed resource loop bug
– Fixed MDTables string overflow bug
– Fixed command line scripting bug
– Fixed ‘Select All’ bug in hex editor
– Fixed missing offset check in .NET tables
– Fixed missing reloc size check
– Fixed scripting handles bug
– Use FTs when OFTs are invalid
– Updated UPX

You can continue to leave comments or send me emails. As soon as there are enough new bug reports, I’ll upload a new version. In time, maybe, some small improvements could be included apart from bug fixes.

However, it’s always good to get bug reports. The bug itself was related to a string overflow in the resource editor. I put string safe functions quite some time ago in the old kernel of the CFF, but apparently I missed one.

So, since I had already the project open to fix this bug, I also added support for .NET unoptimized metadata streams. Which is the most important new feature in this release.

“CFF Explorer.exe” “C:\mydir\script.cff” arg1 arg2 “arg 3”

To access the arguments from the scripting part you can use the global variables argv and argc, which are the same thing as in C. Actually, argv would’ve been sufficient as it is a table and its size can be retrieved with “#”, argc is only present for coherence with the C-style.

Example:

[cc lang=”lua”]x = 0
while x < argc do MsgBox(argv[x]) x = x + 1 end[/cc] I also fixed a bug in the add section code and improved the PE rebuilding.

Task Explorer:
Fixed a minor bug on x64.
Added the Driver List tool.

[cc lang=”lua”]– this script generates a report of a PE’s .NET metadata tables.

filename = GetOpenFile(“Open…”, “All\n*.*\nexe\n*.exe\ndll\n*.dll\n”)

if filename == null then
return
end

hPE = OpenFile(filename)

if hPE == null then
return
end

if GetOffset(hPE, PE_DotNETDirectory) == null then
MsgBox(“The current is not a valid .NET assembly.”, “Error”, MB_ICONEXCLAMATION)
end

repname = GetSaveFile(“Save Report As..”, “Text File\n*.txt\n”)

if repname == null then
return
end

hReport = CreateLog(repname)

if hReport == null then
return
end

fieldsToLog = {
PE_MetaDataTable_Module,
PE_MetaDataTable_TypeRef,
PE_MetaDataTable_TypeDef,
PE_MetaDataTable_Field,
PE_MetaDataTable_Method,
PE_MetaDataTable_Param,
PE_MetaDataTable_InterfaceImpl,
PE_MetaDataTable_MemberRef,
PE_MetaDataTable_Constant,
PE_MetaDataTable_CustomAttribute,
PE_MetaDataTable_FieldMarshal,
PE_MetaDataTable_DeclSecurity,
PE_MetaDataTable_ClassLayout,
PE_MetaDataTable_FieldLayout,
PE_MetaDataTable_StandAloneSig,
PE_MetaDataTable_EventMap,
PE_MetaDataTable_Event,
PE_MetaDataTable_PropertyMap,
PE_MetaDataTable_Property,
PE_MetaDataTable_MethodSemantics,
PE_MetaDataTable_MethodImpl,
PE_MetaDataTable_ModuleRef,
PE_MetaDataTable_TypeSpec,
PE_MetaDataTable_ImplMap,
PE_MetaDataTable_FieldRVA,
PE_MetaDataTable_Assembly,
PE_MetaDataTable_AssemblyProcessor,
PE_MetaDataTable_AssemblyOS,
PE_MetaDataTable_AssemblyRef,
PE_MetaDataTable_AssemblyRefProcessor,
PE_MetaDataTable_AssemblyRefOS,
PE_MetaDataTable_File,
PE_MetaDataTable_ExportedType,
PE_MetaDataTable_ManifestResource,
PE_MetaDataTable_NestedClass,
PE_MetaDataTable_GenericParam,
PE_MetaDataTable_MethodSpec,
PE_MetaDataTable_GenericParamConstraint
}

fieldNames = {
“Module”,
“TypeRef”,
“TypeDef”,
“Field”,
“Method”,
“Param”,
“InterfaceImpl”,
“MemberRef”,
“Constant”,
“CustomAttribute”,
“FieldMarshal”,
“DeclSecurity”,
“ClassLayout”,
“FieldLayout”,
“StandAloneSig”,
“EventMap”,
“Event”,
“PropertyMap”,
“Property”,
“MethodSemantics”,
“MethodImpl”,
“ModuleRef”,
“TypeSpec”,
“ImplMap”,
“FieldRVA”,
“Assembly”,
“AssemblyProcessor”,
“AssemblyOS”,
“AssemblyRef”,
“AssemblyRefProcessor”,
“AssemblyRefOS”,
“File”,
“ExportedType”,
“ManifestResource”,
“NestedClass”,
“GenericParam”,
“MethodSpec”,
“GenericParamConstraint”
}

LogPrint(hReport, “.NET metadata tables report for \”” .. filename .. “\”\n\n”)
loggedTables = 0
for i = 0, #fieldsToLog – 1 do
if GetOffset(hPE, fieldsToLog[i]) != null then
if loggedTables > 0 then
LogPrint(hReport, “\n\n\n”)
end
LogPrint(hReport, fieldNames[i] .. ” Table\n”)
LogPrint(hReport, “———————————————\n\n”)
LogPrintStruct(hPE, hReport, fieldsToLog[i])
loggedTables = loggedTables + 1
end
end

— Open the report?

CloseLog(hReport)

nRet = MsgBox(“Open report file?”, “.NET Tables Report”, MB_ICONQUESTION | MB_YESNO)

if nRet == IDYES then
ExecuteAppAndWait(@”C:\Windows\System32\notepad.exe”, GetShortPathName(repname))
end[/cc]

A generated report file looks like this:

[cc lang=”asm”].NET metadata tables report for “K:\Explorer Suite\Setup\Signature Explorer.exe”

Module Table
———————————————

1.
Generation: 0
Name: 1 (Signature Explorer.exe)
Mvid: 1
EncId: 0
EncBaseId: 0

TypeRef Table
———————————————

1.
ResolutionScope: 6
Name: 18 (Control)
Namespace: 20 (System.Windows.Forms)

2.
ResolutionScope: A
Name: 35 (Enum)
Namespace: 3A (System)

3.
ResolutionScope: 6
Name: 41 (Button)
Namespace: 20 (System.Windows.Forms)

4.
ResolutionScope: 6
Name: 48 (Form)
Namespace: 20 (System.Windows.Forms)

5.
ResolutionScope: A
Name: 4D (Object)
Namespace: 3A (System)

6.
ResolutionScope: A
Name: 54 (ValueType)
Namespace: 3A (System)

etc.[/cc]

I included this new feature because many developers asked me to. Reading the generated report files is much easier than manually reading the raw .NET format. The current scripting system won’t be implemented in the newer CFF Explorer, I only inserted this new feature because it will take me much more time to release the newer CFF Explorer.

Thanks to CodeRipper for signalling a corrupted .NET assembly which caused the CFF Explorer to crash when opening it. I improved the integrity checks.

Let’s consider this code snippet:

[cc lang=”cpp”]unsigned char b = 0xC3; // ret

int _tmain(int argc, _TCHAR* argv[])
{
void *addr = &b;
__asm call addr;
getchar();
return 0;
}[/cc]

This code sample will crash if the DEP is enabled. DEP is a very important security improvement against buffer overlow exploits, but it might be generate incompatibility with older applications which rely on executing code inside the data section.

The DEP can be disabled individually for an executable. The only thing which needs to be done is to unset the “NX Compatibility” flag inside “Optional Header -> Characteristics”.

Make sure to have the latest CFF Explorer release. I also updated the flags of the “Characteristics” field, because they were outdated. Among the new flags there is the ASLR flag (DLL can move), which enables the executable to be relocated at a random (256 possibilities) address if it contains a relocation table.

Both the ASLR and the DEP flag are enabled by default in Visual C++.

Another flag is the “Code Integrity” one. This flag when set checks the digital signature of the executable and runs it only if the signature is correct.

I don’t want to show too much, this is just a small preview. Yes, it’s running on Ubuntu and it runs on OSX just as well.
I don’t know if I’m going to ship a Linux and an OSX version apart from the Windows one, maybe not immediately. It also depends on the number of requests for it.

Some insights into the new kernel:

– The kernel is now stream based, this means it can read files, memory, disks etc.
– Complete multithread support.
– A CFFStream can be shared among CFFObjects even if they’re owned by a different thread.
– The same CFFObject can be shared among threads.
– Complete endianess support: every file format has a default endianess but can be loaded with a different one. For instance: it is possible to load a PE file with all fields in big endian.
– Support for all most common string encodings.
– Support for integer types of infinite size.
– Support for multiple file formats.
– Easily exposable to scripting languages.

There is more and an impressive amount of work has still to be done, although the kernel is about to be finished. I won’t tell all the new features of the GUI, because it’s way too soon.

Many thanks to Yaroslav Liulko for reporting the bug.