1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
|
#-----------------------------------------------------------------------------
# Copyright (c) 2013-2023, PyInstaller Development Team.
#
# Distributed under the terms of the GNU General Public License (version 2
# or later) with exception for distributing the bootloader.
#
# The full license is in the file COPYING.txt, distributed with this software.
#
# SPDX-License-Identifier: (GPL-2.0-or-later WITH Bootloader-exception)
#-----------------------------------------------------------------------------
"""
Utilities for Windows platform.
"""
from PyInstaller import compat
def get_windows_dir():
"""
Return the Windows directory, e.g., C:\\Windows.
"""
windir = compat.win32api.GetWindowsDirectory()
if not windir:
raise SystemExit("ERROR: Cannot determine Windows directory!")
return windir
def get_system_path():
"""
Return the required Windows system paths.
"""
sys_dir = compat.win32api.GetSystemDirectory()
# Ensure C:\Windows\system32 and C:\Windows directories are always present in PATH variable.
# C:\Windows\system32 is valid even for 64-bit Windows. Access do DLLs are transparently redirected to
# C:\Windows\syswow64 for 64bit applactions.
# See http://msdn.microsoft.com/en-us/library/aa384187(v=vs.85).aspx
return [sys_dir, get_windows_dir()]
def get_pe_file_machine_type(filename):
"""
Return the machine type code from the header of the given PE file.
"""
import pefile
with pefile.PE(filename, fast_load=True) as pe:
return pe.FILE_HEADER.Machine
def set_exe_build_timestamp(exe_path, timestamp):
"""
Modifies the executable's build timestamp by updating values in the corresponding PE headers.
"""
import pefile
with pefile.PE(exe_path, fast_load=True) as pe:
# Manually perform a full load. We need it to load all headers, but specifying it in the constructor triggers
# byte statistics gathering that takes forever with large files. So we try to go around that...
pe.full_load()
# Set build timestamp.
# See: https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps
timestamp = int(timestamp)
# Set timestamp field in FILE_HEADER
pe.FILE_HEADER.TimeDateStamp = timestamp
# MSVC-compiled executables contain (at least?) one DIRECTORY_ENTRY_DEBUG entry that also contains timestamp
# with same value as set in FILE_HEADER. So modify that as well, as long as it is set.
debug_entries = getattr(pe, 'DIRECTORY_ENTRY_DEBUG', [])
for debug_entry in debug_entries:
if debug_entry.struct.TimeDateStamp:
debug_entry.struct.TimeDateStamp = timestamp
# Generate updated EXE data
data = pe.write()
# Rewrite the exe
with open(exe_path, 'wb') as fp:
fp.write(data)
def update_exe_pe_checksum(exe_path):
"""
Compute the executable's PE checksum, and write it to PE headers.
This optional checksum is supposed to protect the executable against corruption but some anti-viral software have
taken to flagging anything without it set correctly as malware. See issue #5579.
"""
import pefile
# Compute checksum using our equivalent of the MapFileAndCheckSumW - for large files, it is significantly faster
# than pure-pyton pefile.PE.generate_checksum(). However, it requires the file to be on disk (i.e., cannot operate
# on a memory buffer).
try:
checksum = compute_exe_pe_checksum(exe_path)
except Exception as e:
raise RuntimeError("Failed to compute PE checksum!") from e
# Update the checksum
with pefile.PE(exe_path, fast_load=True) as pe:
pe.OPTIONAL_HEADER.CheckSum = checksum
# Generate updated EXE data
data = pe.write()
# Rewrite the exe
with open(exe_path, 'wb') as fp:
fp.write(data)
def compute_exe_pe_checksum(exe_path):
"""
This is a replacement for the MapFileAndCheckSumW function. As noted in MSDN documentation, the Microsoft's
implementation of MapFileAndCheckSumW internally calls its ASCII variant (MapFileAndCheckSumA), and therefore
cannot handle paths that contain characters that are not representable in the current code page.
See: https://docs.microsoft.com/en-us/windows/win32/api/imagehlp/nf-imagehlp-mapfileandchecksumw
This function is based on Wine's implementation of MapFileAndCheckSumW, and due to being based entirely on
the pure widechar-API functions, it is not limited by the current code page.
"""
# ctypes bindings for relevant win32 API functions
import ctypes
from ctypes import windll, wintypes
INVALID_HANDLE = wintypes.HANDLE(-1).value
GetLastError = ctypes.windll.kernel32.GetLastError
GetLastError.argtypes = ()
GetLastError.restype = wintypes.DWORD
CloseHandle = windll.kernel32.CloseHandle
CloseHandle.argtypes = (
wintypes.HANDLE, # hObject
)
CloseHandle.restype = wintypes.BOOL
CreateFileW = windll.kernel32.CreateFileW
CreateFileW.argtypes = (
wintypes.LPCWSTR, # lpFileName
wintypes.DWORD, # dwDesiredAccess
wintypes.DWORD, # dwShareMode
wintypes.LPVOID, # lpSecurityAttributes
wintypes.DWORD, # dwCreationDisposition
wintypes.DWORD, # dwFlagsAndAttributes
wintypes.HANDLE, # hTemplateFile
)
CreateFileW.restype = wintypes.HANDLE
CreateFileMappingW = windll.kernel32.CreateFileMappingW
CreateFileMappingW.argtypes = (
wintypes.HANDLE, # hFile
wintypes.LPVOID, # lpSecurityAttributes
wintypes.DWORD, # flProtect
wintypes.DWORD, # dwMaximumSizeHigh
wintypes.DWORD, # dwMaximumSizeLow
wintypes.LPCWSTR, # lpName
)
CreateFileMappingW.restype = wintypes.HANDLE
MapViewOfFile = windll.kernel32.MapViewOfFile
MapViewOfFile.argtypes = (
wintypes.HANDLE, # hFileMappingObject
wintypes.DWORD, # dwDesiredAccess
wintypes.DWORD, # dwFileOffsetHigh
wintypes.DWORD, # dwFileOffsetLow
wintypes.DWORD, # dwNumberOfBytesToMap
)
MapViewOfFile.restype = wintypes.LPVOID
UnmapViewOfFile = windll.kernel32.UnmapViewOfFile
UnmapViewOfFile.argtypes = (
wintypes.LPCVOID, # lpBaseAddress
)
UnmapViewOfFile.restype = wintypes.BOOL
GetFileSizeEx = windll.kernel32.GetFileSizeEx
GetFileSizeEx.argtypes = (
wintypes.HANDLE, # hFile
wintypes.PLARGE_INTEGER, # lpFileSize
)
CheckSumMappedFile = windll.imagehlp.CheckSumMappedFile
CheckSumMappedFile.argtypes = (
wintypes.LPVOID, # BaseAddress
wintypes.DWORD, # FileLength
wintypes.PDWORD, # HeaderSum
wintypes.PDWORD, # CheckSum
)
CheckSumMappedFile.restype = wintypes.LPVOID
# Open file
hFile = CreateFileW(
ctypes.c_wchar_p(exe_path),
0x80000000, # dwDesiredAccess = GENERIC_READ
0x00000001 | 0x00000002, # dwShareMode = FILE_SHARE_READ | FILE_SHARE_WRITE,
None, # lpSecurityAttributes = NULL
3, # dwCreationDisposition = OPEN_EXISTING
0x80, # dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
None # hTemplateFile = NULL
)
if hFile == INVALID_HANDLE:
err = GetLastError()
raise RuntimeError(f"Failed to open file {exe_path}! Error code: {err}")
# Query file size
fileLength = wintypes.LARGE_INTEGER(0)
if GetFileSizeEx(hFile, fileLength) == 0:
err = GetLastError()
CloseHandle(hFile)
raise RuntimeError(f"Failed to query file size file! Error code: {err}")
fileLength = fileLength.value
if fileLength > (2**32 - 1):
raise RuntimeError("Executable size exceeds maximum allowed executable size on Windows (4 GiB)!")
# Map the file
hMapping = CreateFileMappingW(
hFile,
None, # lpFileMappingAttributes = NULL
0x02, # flProtect = PAGE_READONLY
0, # dwMaximumSizeHigh = 0
0, # dwMaximumSizeLow = 0
None # lpName = NULL
)
if not hMapping:
err = GetLastError()
CloseHandle(hFile)
raise RuntimeError(f"Failed to map file! Error code: {err}")
# Create map view
baseAddress = MapViewOfFile(
hMapping,
4, # dwDesiredAccess = FILE_MAP_READ
0, # dwFileOffsetHigh = 0
0, # dwFileOffsetLow = 0
0 # dwNumberOfBytesToMap = 0
)
if baseAddress == 0:
err = GetLastError()
CloseHandle(hMapping)
CloseHandle(hFile)
raise RuntimeError(f"Failed to create map view! Error code: {err}")
# Finally, compute the checksum
headerSum = wintypes.DWORD(0)
checkSum = wintypes.DWORD(0)
ret = CheckSumMappedFile(baseAddress, fileLength, ctypes.byref(headerSum), ctypes.byref(checkSum))
if ret is None:
err = GetLastError()
# Cleanup
UnmapViewOfFile(baseAddress)
CloseHandle(hMapping)
CloseHandle(hFile)
if ret is None:
raise RuntimeError(f"CheckSumMappedFile failed! Error code: {err}")
return checkSum.value
|
