PeFixup
PE File Blessing - To continue or not to continue
PE File Blessing - A PE tainting tool
Install PeFixup
Required Packages
Ubuntu 18.04+
apt-get update && \
apt-get install -y --no-install-recommends \
libffi-dev \
libfuzzy-dev \
ssdeep \
exiftool
Install from source
$ git clone https://github.com/obscuritylabs/PeFixup.git
$ cd PeFixup
$ pip3 install -r requirements.txt
$ python3 pefixup.py -h
or using pipenv
$ git clone https://github.com/obscuritylabs/PeFixup.git
$ cd PeFixup
$ pipenv install
$ pipenv shell
(PeFixup) bash-3.2$
Install from PYPI (Under Dev)
$ pip install --user pefixup
$ pefixup -h
Install from DockerHub
$ docker pull obscuritylabs/pefixup:latest
$ docker pull obscuritylabs/pefixup:0.0.1
$ docker pull obscuritylabs/pefixup:development
Features
Currently we have implemented the following tainting capabilities:
- taint the compile time (TimeDateStamp) within IMAGE_FILE_HEADER
- taint the major & minor linker versions (MajorLinkerVersion / MinorLinkerVersion) within _IMAGE_OPTIONAL_HEADER
- taint the multiple compile times (one per entry) within DIRECTORY_ENTRY_DEBUG
- taint the PDB headers within DIRECTORY_ENTRY_DEBUG & CV_INFO_PDB70
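The first two tainting capabilities above come down to overwriting three fixed-offset fields once you have followed e_lfanew to the PE signature. The following is an added example, not PeFixup's own code: it uses only struct (no pefile), builds a constructed, non-loadable PE64 header as input, locates IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER64, and rewrites TimeDateStamp and the linker versions with the same values the README's examples pass via -c / -ma / -mi. The function names and the sample header are this example's own.

```python
"""Header-only PE tainting (added example; not PeFixup's implementation).

Patches the same fields PeFixup taints in IMAGE_FILE_HEADER and
IMAGE_OPTIONAL_HEADER: TimeDateStamp, MajorLinkerVersion, MinorLinkerVersion.
The DEBUG directory (timestamps, PDB path) is NOT handled here: reaching it
requires walking the section table to map RVAs to file offsets.
"""
import struct
import time

IMAGE_DOS_SIGNATURE = 0x5A4D   # 'MZ'  (the e_magic value PeFixup prints)
IMAGE_NT_SIGNATURE = 0x4550    # 'PE\0\0' (the Signature value PeFixup prints)
PE32PLUS_MAGIC = 0x20B         # IMAGE_OPTIONAL_HEADER64.Magic
FILE_HEADER_FMT = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab,
                               # NumSymbols, SizeOfOptionalHeader, Characteristics
FILE_HEADER_SIZE = struct.calcsize(FILE_HEADER_FMT)   # 20 bytes


def build_minimal_pe64(timestamp, major, minor):
    """Constructed test input: DOS header + PE signature + FILE_HEADER +
    a 240-byte OPTIONAL_HEADER64 that only fills Magic and linker versions."""
    e_lfanew = 0x40
    dos = (struct.pack("<H", IMAGE_DOS_SIGNATURE)
           + b"\x00" * (0x3C - 2)               # e_cblp .. e_res2, all zero
           + struct.pack("<I", e_lfanew))       # e_lfanew at offset 0x3C
    sig = struct.pack("<I", IMAGE_NT_SIGNATURE)
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x8664, 1, timestamp, 0, 0, 240, 0x22)
    opt_hdr = struct.pack("<HBB", PE32PLUS_MAGIC, major, minor) + b"\x00" * (240 - 4)
    return dos + sig + file_hdr + opt_hdr


def parse_headers(data):
    """Validate e_magic / Signature and return the fields of interest plus the
    file offsets of the two headers, so taint() can patch in place."""
    (e_magic,) = struct.unpack_from("<H", data, 0)
    if e_magic != IMAGE_DOS_SIGNATURE:
        raise ValueError("bad e_magic 0x%x (not a PE file)" % e_magic)
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    (signature,) = struct.unpack_from("<I", data, e_lfanew)
    if signature != IMAGE_NT_SIGNATURE:
        raise ValueError("bad PE signature 0x%x" % signature)
    fh_off = e_lfanew + 4
    machine, _nsec, tds, _, _, _opt_size, _chars = struct.unpack_from(FILE_HEADER_FMT, data, fh_off)
    oh_off = fh_off + FILE_HEADER_SIZE
    magic, major, minor = struct.unpack_from("<HBB", data, oh_off)
    return {"e_lfanew": e_lfanew, "file_header_off": fh_off, "optional_header_off": oh_off,
            "Machine": machine, "TimeDateStamp": tds, "Magic": magic,
            "MajorLinkerVersion": major, "MinorLinkerVersion": minor}


def taint(data, compile_time=None, major=None, minor=None):
    """Return a copy of `data` with the requested fields overwritten (None = keep).
    Field offsets: TimeDateStamp is FILE_HEADER+4; MajorLinkerVersion and
    MinorLinkerVersion are OPTIONAL_HEADER+2 and +3 (right after Magic)."""
    h = parse_headers(data)
    buf = bytearray(data)
    if compile_time is not None:
        struct.pack_into("<I", buf, h["file_header_off"] + 4, compile_time & 0xFFFFFFFF)
    if major is not None:
        struct.pack_into("<B", buf, h["optional_header_off"] + 2, major & 0xFF)
    if minor is not None:
        struct.pack_into("<B", buf, h["optional_header_off"] + 3, minor & 0xFF)
    return bytes(buf)


def fmt_timestamp(ts):
    """Render a PE epoch timestamp the way PeFixup's dump does (UTC here)."""
    return time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(ts))


if __name__ == "__main__":
    # Original values mirror the README dump: Feb 26 2019 23:03:24, linker 0.14.
    original = build_minimal_pe64(1551222204, 0, 14)
    # Cooked values are the README's example arguments: -c 1568192888 -ma 10 -mi 1
    cooked = taint(original, compile_time=1568192888, major=10, minor=1)
    for label, blob in (("original", original), ("cooked", cooked)):
        h = parse_headers(blob)
        print("%-8s TimeDateStamp=%r linker=%d.%d" % (
            label, fmt_timestamp(h["TimeDateStamp"]),
            h["MajorLinkerVersion"], h["MinorLinkerVersion"]))
```

Two caveats a practitioner should keep in mind. First, the FILE_HEADER timestamp is also present in each IMAGE_DEBUG_DIRECTORY entry (see the four IMAGE_DEBUG_TYPE_ILTCG entries in the example output below); if only the header is tainted, the mismatch between the two is itself a tell, which is why PeFixup taints both. Second, any header edit breaks an existing Authenticode signature, while the imphash, which is derived from the import table, is unchanged, so a tainted binary still matches imphash-based pivots.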
Currently we have implemented the following metadata capabilities:
- Hashing
  - MD5
  - SHA1
  - SHA256
  - SHA512
  - imphash
  - ssdeep
- Imports
  - All binary imports within DIRECTORY_ENTRY_IMPORT
  - All binary import function names & addresses
  - Import function name checks to alert on potentially dangerous imports (AV/Analysis)
- Binary metadata
  - PE header data
  - Binary magic values
  - EXIF data
- Runtime checks
  - pre-flight checks
  - sanity checks
  - post-flight checks
  - burnt checks
- Burnt checks
  - providers
    - VirusTotal (checks hash ONLY)
- Binary sections (dynamic sections)
  - non-cooked payload
  - cooked payload
    - .text
    - .rdata
    - .data
    - .pdata
    - .tls
    - .rsrc
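The import-name checks above are more useful when they reason about combinations rather than single names, which is what the "[WARNING] ... only with other imports of concern" tags in the example output below are getting at. The following is an added example, not PeFixup's own table or rules: it walks a {dll: [function names]} mapping of the kind a DIRECTORY_ENTRY_IMPORT walk produces, raises findings for well-known API combinations (the classic OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread chain, runtime API resolution, token privilege adjustment, debugger detection) and only escalates the context-only names when such a finding exists. The severity labels reuse PeFixup's tags; the API groupings, rules and the sample import list (assembled from the README's own example output) are constructed for this example.

```python
"""Import triage with combination rules (added example; not PeFixup's code)."""
import re

# API groupings are this example's own, not PeFixup's table.
INJECTION_CHAIN = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}
DYNAMIC_RESOLVE = {"GetProcAddress", "GetModuleHandleA", "GetModuleHandleW",
                   "LoadLibraryA", "LoadLibraryW"}
TOKEN_MANIP = {"OpenProcessToken", "LookupPrivilegeValueA", "LookupPrivilegeValueW",
               "AdjustTokenPrivileges"}
ANTI_ANALYSIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "QueryPerformanceCounter"}
# Ubiquitous in benign CRT startup code; only interesting next to a real finding.
CONTEXT_ONLY = {"GetCurrentProcess", "GetCurrentProcessId", "GetCurrentThreadId",
                "IsProcessorFeaturePresent"}
BENIGN = {"CloseHandle", "GetLastError", "GetSystemTimeAsFileTime", "CreateEventW",
          "DeleteCriticalSection", "TerminateProcess", "SetUnhandledExceptionFilter",
          "UnhandledExceptionFilter", "RtlVirtualUnwind", "RtlLookupFunctionEntry",
          "RtlCaptureContext", "InitializeSListHead", "memcpy", "memmove", "__std_terminate"}

BASE_LEVEL = {}
BASE_LEVEL.update({n: "DANGER" for n in INJECTION_CHAIN | TOKEN_MANIP})
BASE_LEVEL.update({n: "ALERT" for n in DYNAMIC_RESOLVE | ANTI_ANALYSIS})
BASE_LEVEL.update({n: "WARNING" for n in CONTEXT_ONLY})
BASE_LEVEL.update({n: "OK" for n in BENIGN})

MANGLED = re.compile(r"^\?")   # MSVC C++ decorated names such as ?_Xbad_alloc@std@@YAXXZ


def combination_findings(names):
    """Rules that fire on sets of imports rather than single names."""
    findings = []
    if INJECTION_CHAIN <= names:
        findings.append("remote process injection chain: " + ", ".join(sorted(INJECTION_CHAIN)))
    if "GetProcAddress" in names and names & (DYNAMIC_RESOLVE - {"GetProcAddress"}):
        findings.append("runtime API resolution: the import table may understate real behaviour")
    if {"OpenProcessToken", "AdjustTokenPrivileges"} <= names:
        findings.append("token privilege adjustment (e.g. enabling SeDebugPrivilege)")
    # QueryPerformanceCounter alone is ordinary timing/CRT code; need a real check.
    if names & (ANTI_ANALYSIS - {"QueryPerformanceCounter"}):
        findings.append("debugger / sandbox detection")
    return findings


def classify(imports):
    """imports: {dll: [function names]}. Returns (levels, findings) where levels
    maps each function to OK / WARNING / ALERT / DANGER / UNKNOWN."""
    names = {fn for fns in imports.values() for fn in fns}
    findings = combination_findings(names)
    levels = {}
    for fn in sorted(names):
        level = BASE_LEVEL.get(fn)
        if level is None:
            level = "UNKNOWN"          # PeFixup prints "Please submit PR" here
        if fn in CONTEXT_ONLY and not findings:
            level = "OK"               # concerning only alongside other findings
        if MANGLED.match(fn):
            level = "UNKNOWN"          # C++ runtime symbols; triage by hand
        levels[fn] = level
    return levels, findings


# Constructed sample, taken from the KERNEL32/ADVAPI32/MSVCP140 lists in the README output.
SAMPLE_IMPORTS = {
    "KERNEL32.dll": ["CloseHandle", "GetLastError", "GetCurrentProcess", "CreateRemoteThread",
                     "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "GetModuleHandleW",
                     "GetProcAddress", "CreateProcessW", "QueryPerformanceCounter",
                     "IsDebuggerPresent", "InitializeSListHead"],
    "ADVAPI32.dll": ["AdjustTokenPrivileges", "OpenProcessToken", "LookupPrivilegeValueW"],
    "MSVCP140.dll": ["?_Xbad_alloc@std@@YAXXZ"],
}
# Constructed benign sample: CRT startup only.
BENIGN_IMPORTS = {"KERNEL32.dll": ["CloseHandle", "GetCurrentProcess", "GetLastError",
                                   "QueryPerformanceCounter", "InitializeSListHead"]}

if __name__ == "__main__":
    for label, imps in (("sample", SAMPLE_IMPORTS), ("benign", BENIGN_IMPORTS)):
        levels, findings = classify(imps)
        print("== %s: %d finding(s)" % (label, len(findings)))
        for f in findings:
            print("  [!]", f)
        for fn, lvl in levels.items():
            print("  %-32s %s" % (fn, lvl))
```

Run it on the two constructed inputs and GetCurrentProcess comes out WARNING in the first (four findings present) but OK in the second (none), which is the distinction the tool's per-import tags alone cannot express. Treat the output as triage, not verdict: a payload that resolves its APIs at runtime (the second rule) will show few or none of these names in its import table at all.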
Help & examples
$ python3 pefixup.py --help
-------------------------------
█▀▀█ █▀▀ █▀▀ ░▀░ █░█ █░░█ █▀▀█
█░░█ █▀▀ █▀▀ ▀█▀ ▄▀▄ █░░█ █░░█
█▀▀▀ ▀▀▀ ▀░░ ▀▀▀ ▀░▀ ░▀▀▀ █▀▀▀
-------------------------------
usage: pefixup.py [-h] [-c COMPILE_TIME] [-p PDB] [-ma MAJOR_LINKER_VERSION]
[-mi MINOR_LINKER_VERSION] [-o OUTPUT] [-json JSON] [-s]
[-vt VT_API_KEY] [-v] [-d]
INPUT LIVE
positional arguments:
INPUT input file to process
LIVE output file name
optional arguments:
-h, --help show this help message and exit
-c COMPILE_TIME, --compile-time COMPILE_TIME
Cooked payload epoc compile time to taint
-p PDB, --pdb PDB Cooked payload PDB (Ex. fun)
-ma MAJOR_LINKER_VERSION, --major-linker-version MAJOR_LINKER_VERSION
Cooked payload major linker version to taint(Ex. 10)
-mi MINOR_LINKER_VERSION, --minor-linker-version MINOR_LINKER_VERSION
Cooked payload minor linker version to taint(Ex. 10)
-o OUTPUT, --output OUTPUT
output filename (Ex. FunTimes.exe)
-json JSON, --json JSON
output json to stdout
-s, --strings Enable output file with strings (Ex. FunTimes.exe ->
FunTimes.txt)
-vt VT_API_KEY, --vt-api-key VT_API_KEY
VirusTotal API Key
-v, --verbose increase output verbosity
-d, --debug enable debug logging to .pefixup.log file, default
WARNING only
Examples
python3 pefixup.py ~/Desktop/RickJames.exe officeupdate.exe
python3 pefixup.py ~/Desktop/RickJames.exe officeupdate.exe -c 1568192888 -p funtimes -ma 10 -mi 1
python3 pefixup.py ~/Desktop/RickJames.exe officeupdate.exe -c 1568192888 -p funtimes -ma 10 -mi 1 -vt 1G23<SNIP>212FT
or we can export the VT key
export PEFIXUP_VT_KEY=1G23<SNIP>212FT && python3 pefixup.py ~/Desktop/RickJames.exe officeupdate.exe
Example Output
alexanders-MacBook-Pro-9:PeFixup alexanderrymdeko-harvey$ python3 pefixup.py ~/Desktop/RickJames.exe jj.exe -vt XXX
-------------------------------
█▀▀█ █▀▀ █▀▀ ░▀░ █░█ █░░█ █▀▀█
█░░█ █▀▀ █▀▀ ▀█▀ ▄▀▄ █░░█ █░░█
█▀▀▀ ▀▀▀ ▀░░ ▀▀▀ ▀░▀ ░▀▀▀ █▀▀▀
-------------------------------
============= ORIGINAL FILE DATA =============
|-* IF LIVE OPS SAVE THIS DATA TO OP SHARE *-|
==============================================
[*] EXE metadata:
- File Name: /Users/alexanderrymdeko-harvey/Desktop/RickJames.exe
- e_magic value: 0x5a4d
- Signature value: 0x4550
- Imphash: 8d02d075ece1e0e4d14116cb66fb54ae
- Size of executable code: 8.5KB
- Size of executable image : 300.0KB
[*] FILE_HEADER:
- Machine type value: 0x8664
- TimeDateStamp value: 'Tue Feb 26 23:03:24 2019'
[*] IMAGE_OPTIONAL_HEADER64:
- Magic value: 0x20b
- Major Linker Version: 0x0
- Minor Linker Version: 0xe
- Major OS Version: 0x6
- Minor OS Version: 0x0
-----------------------------------------------
[*] Listing DEBUG Info:
[*] Type Name: IMAGE_DEBUG_TYPE_ILTCG
- Type: 14
- TimeDateStamp value: 'Tue Feb 26 23:03:24 2019'
[*] Type Name: IMAGE_DEBUG_TYPE_ILTCG
- Type: 14
- TimeDateStamp value: 'Tue Feb 26 23:03:24 2019'
[*] Type Name: IMAGE_DEBUG_TYPE_ILTCG
- Type: 14
- TimeDateStamp value: 'Tue Feb 26 23:03:24 2019'
[*] Type Name: IMAGE_DEBUG_TYPE_ILTCG
- Type: 14
- TimeDateStamp value: 'Tue Feb 26 23:03:24 2019'
-----------------------------------------------
[*] Listing imported DLLs...
KERNEL32.dll
ADVAPI32.dll
MSVCP140.dll
VCRUNTIME140.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
api-ms-win-crt-string-l1-1-0.dll
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-locale-l1-1-0.dll
[*] KERNEL32.dll imports:
CloseHandle at 0x140004020 <-- [OK] = Various OS interaction
GetLastError at 0x140004028 <-- [OK] = Exception handling
GetCurrentProcess at 0x140004030 <-- [WARNING] = This import can be concerning, but only with other imports of concern.
CreateRemoteThread at 0x140004038 <-- [ALERT] = This import is often flagged for remote process injection.
OpenProcess at 0x140004040 <-- [DANGER] = Import offten flagged for dynamic function location
VirtualAllocEx at 0x140004048 <-- [DANGER] = Import is often flagged for shellcode injection.
WriteProcessMemory at 0x140004050 <-- [DANGER] = Import offten flagged for dynamic function location
GetModuleHandleW at 0x140004058 <-- [DANGER] = Import offten flagged for dynamic function location
GetProcAddress at 0x140004060 <-- [DANGER] = Import is often flagged for shellcode injection.
CreateProcessW at 0x140004068 <-- [ALERT] = This import is often flagged for remote process injection.
GetSystemTimeAsFileTime at 0x140004070 <-- [OK] = Various OS interaction
GetCurrentThreadId at 0x140004078 <-- [WARNING] = This import can be concerning, but only with other imports of concern.
GetCurrentProcessId at 0x140004080 <-- [WARNING] = This import can be concerning, but only with other imports of concern.
QueryPerformanceCounter at 0x140004088 <-- [DANGER] = Import offten flagged for sandbox / analysis evasion
IsDebuggerPresent at 0x140004090 <-- [ALERT] = Import offten flagged for sandbox / analysis evasion
CreateEventW at 0x140004098 <-- [OK] = Various OS interaction
DeleteCriticalSection at 0x1400040a0 <-- [OK] = Various OS interaction
IsProcessorFeaturePresent at 0x1400040a8 <-- [WARNING] = This import can be concerning, but only with other imports of concern.
TerminateProcess at 0x1400040b0 <-- [OK] = Various OS interaction
SetUnhandledExceptionFilter at 0x1400040b8 <-- [OK] = Exception handling
UnhandledExceptionFilter at 0x1400040c0 <-- [OK] = Exception handling
RtlVirtualUnwind at 0x1400040c8 <-- [OK] = Exception handling
RtlLookupFunctionEntry at 0x1400040d0 <-- [OK] = Exception handling
RtlCaptureContext at 0x1400040d8 <-- [OK] = Exception handling
InitializeSListHead at 0x1400040e0 <-- [OK] = Compiler optimization
[*] ADVAPI32.dll imports:
AdjustTokenPrivileges at 0x140004000 <-- [DANGER] = Import used for token manipulation
OpenProcessToken at 0x140004008 <-- [WARNING] = Import used for token manipulation
LookupPrivilegeValueW at 0x140004010 <-- [WARNING] = Import used for token manipulation
[*] MSVCP140.dll imports:
?_Xbad_alloc@std@@YAXXZ at 0x1400040f0 <-- [UNKNOWN] = Please submit PR
?_Xlength_error@std@@YAXPEBD@Z at 0x1400040f8 <-- [UNKNOWN] = Please submit PR
?_Xout_of_range@std@@YAXPEBD@Z at 0x140004100 <-- [UNKNOWN] = Please submit PR
[*] VCRUNTIME140.dll imports:
memcpy at 0x140004110 <-- [OK] = Various OS interaction
__std_terminate at 0x140004118 <-- [OK] = Various OS interaction
memmove at 0x140004120 <-- [OK] = Various OS interaction
__std_exception
