|ASCII HEX Encoded Executable|
pe-carv.py Usage: pe-carv.py [options] <carving.file> Options: -h, --help show this help message and exit -o OUTPUT, --output=OUTPUT output file name -a, --ascii_blob read as hex ascii blob -v, --verbose print MZ location -l, --overlay get overlay, default 1024 bytes -s SIZE, --size=SIZE size of overlay
Quick overview. -o, --output can used to name the output file. -a, --a can be used to convert the whole file from ascii hex to binary (if not ascii hex the byte will be ' '), -v --verbose prints the offset of the where the executable was found, -l --overlay will read 1024 bytes after what Pefile finds as the file size, -s --size is used along with overlay to define a custom size. For example, let's say we have a binary file that contains a ASCII hex executable, an embedded executable and then another ASCII hex executable. Different encodings will have to be handled separately.
pe-carv.py -o hello -v -a -l -s 10 test.bin * exe found at offset 0xb * exe found at offset 0x8ed83 dir 03/09/2013 10:52 PM <DIR> . 03/09/2013 10:52 PM <DIR> .. 03/09/2013 10:52 PM 525,834 hello-1.exe 03/09/2013 10:52 PM 525,834 hello-2.exe 03/09/2013 10:17 PM 5,483 pe-carv.py 03/09/2013 10:17 PM 2,270,982 test.bin
-o hello is the output file name. A count is added in case there are multiple file names. -v is for verbose to show where the files are located . -a is for treating the file as an ascii blob. -l is to get the overlay with a size of 10. The size is specified by the -s 10 (int) and the file name. The -a is a little slower than the other options. This is due to the file being read and converted two bytes at a time. Not the most efficient way. Now for a simple example of grabbing an embedded executable with no options.
pe-carv.py test.bin dir 03/09/2013 10:57 PM <DIR> . 03/09/2013 10:57 PM <DIR> .. 03/09/2013 10:57 PM 69,120 1.exe 03/09/2013 10:17 PM 5,483 pe-carv.py 03/09/2013 10:17 PM 2,270,982 test.bin
If there are any suggestions or feedback please shoot me an email. My email address is in the code. Please download the code from the repo.
BitBucket Repo - LINK
Thank you gN3mes1s, legola, anonymouse and others on OpenRCE.