akde/infosec

Information security is ultimately about managing risk

Modifying PE files

PE Portable Executung or DLL Dynamic Linking Libraries can be edited to remove or add capabilities or own code.

Read and modify a PE file

The following Python3 script reads a file, prints out a header, modified it to remove ASLR and write a new file without this flag.

f = pefile.PE('filename.exe')
print(hex(f.OPTIONAL_HEADER.DllCharacteristics)) // print as hex to work with masks
f.OPTIONAL_HEADER.DllCharacteristics = f.OPTIONAL_HEADER.DllCharacteristics ^ 0x0040 // xor with 0x0040 which is the value for DYNAMIC_BASE (=> ASLR) to enable or disable it.
f.write('filename.exe.new') // write the modified file.

Ressources

Documentation of the PE format.

Leave a Reply Cancel reply

You must be logged in to post a comment.

About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Checklists

Checklists: Ports

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';