
PE File Keyword Search Tool

AGPL License

This project is a C++ application designed to search for a specified keyword within the sections of Portable Executable (PE) files located in a given directory. The application verifies whether files are valid PE files and searches within executable sections for the keyword, providing detailed results including the section name and address if the keyword is found.

Features :

  • PE File Verification : Checks if a file is a valid PE file by verifying its headers.

  • Executable Section Validation : Validates executable sections within PE files to ensure accurate keyword search results.

  • Keyword Search : Searches for a specified keyword within the executable sections of PE files.

  • Directory Scanning : Iterates through files in a specified directory and applies the PE verification and keyword search.

Applications :

  • Application 1 : Prints the first two bytes of each file.

  • Application 2 : Searches for a specified keyword within the entire content of a single file.

  • Application 3 : Iterates through files in a specified directory and searches for a keyword in each file.

  • Application 4 : Validates each file as a PE file and searches for a keyword within executable sections.

Dependencies :

  • Standard C++ Library

  • Windows API

PE File Validation :

  • What is a PE File? A Portable Executable (PE) file is a file format used in Windows operating systems for executables, object code, and DLLs. It is a data structure that encapsulates the information necessary for the Windows OS loader to manage the wrapped executable code.


  • How Do We Validate a PE File?

1- Check the DOS Header: The PE file begins with a DOS header, which includes the magic number "MZ." This header is used to ensure compatibility with DOS-based systems.

2- Verify the NT Headers: The DOS header contains a pointer to the PE header, known as the NT headers. The NT headers start with the "PE\0\0" signature.

3- Check Machine Type: The file header within the NT headers specifies the architecture type. We check if it matches known values for x86 or x64 architectures.

  • Validating Executable Sections :

Executable sections within a PE file are crucial for code execution. We validate these sections to ensure accurate keyword search results:

- Identify Executable Sections: Using the NT headers, we iterate through each section header to identify sections marked as executable (IMAGE_SCN_MEM_EXECUTE).

- Section Size and Offset: We calculate the size and offset of each executable section to ensure that our search remains within valid boundaries.

- Search within Sections: We load the section data into memory and perform our keyword search within these validated executable sections.
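The three header checks and the section walk described above, carried through as one added C++ example (this is not the project's own code). It defines the handful of winnt.h constants and field offsets itself so it compiles without the Windows SDK, reads every header field with a bounds check, clamps each executable section to the actual file size before searching, and runs on a constructed sample image built in memory. The function names, the sample image and its contents are assumptions of this example.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <fstream>
#include <iostream>
#include <iterator>
#include <string>
#include <vector>

// Constants mirroring winnt.h so the example builds without the Windows SDK.
constexpr uint16_t IMAGE_DOS_SIGNATURE      = 0x5A4D;      // "MZ"
constexpr uint32_t IMAGE_NT_SIGNATURE       = 0x00004550;  // "PE\0\0"
constexpr uint16_t IMAGE_FILE_MACHINE_I386  = 0x014C;
constexpr uint16_t IMAGE_FILE_MACHINE_AMD64 = 0x8664;
constexpr uint32_t IMAGE_SCN_MEM_EXECUTE    = 0x20000000;

using Bytes = std::vector<uint8_t>;
struct PeLayout { uint16_t machine; uint16_t numSections; size_t sectionTable; };
struct Hit { std::string section; uint32_t fileOffset; uint32_t rva; };

// Bounds-checked little-endian readers: a truncated or malformed header must
// fail validation instead of reading past the end of the buffer.
static bool rd16(const Bytes& b, size_t off, uint16_t& v) {
    if (off + 2 > b.size()) return false;
    v = uint16_t(b[off] | (b[off + 1] << 8));
    return true;
}
static bool rd32(const Bytes& b, size_t off, uint32_t& v) {
    if (off + 4 > b.size()) return false;
    v = uint32_t(b[off]) | (uint32_t(b[off + 1]) << 8) | (uint32_t(b[off + 2]) << 16) | (uint32_t(b[off + 3]) << 24);
    return true;
}

// Steps 1-3 of the README: DOS magic, NT signature, machine type.
bool validatePe(const Bytes& f, PeLayout& out, std::string& err) {
    uint16_t mz = 0, machine = 0, nsec = 0, optSize = 0;
    uint32_t lfanew = 0, sig = 0;
    if (!rd16(f, 0, mz) || mz != IMAGE_DOS_SIGNATURE) { err = "no MZ header"; return false; }
    if (!rd32(f, 0x3C, lfanew)) { err = "truncated DOS header"; return false; }
    size_t nt = lfanew;
    if (!rd32(f, nt, sig) || sig != IMAGE_NT_SIGNATURE) { err = "no PE signature"; return false; }
    // IMAGE_FILE_HEADER follows the 4-byte signature: Machine at +0, NumberOfSections at +2, SizeOfOptionalHeader at +16.
    if (!rd16(f, nt + 4, machine) || !rd16(f, nt + 6, nsec) || !rd16(f, nt + 20, optSize)) { err = "truncated file header"; return false; }
    if (machine != IMAGE_FILE_MACHINE_I386 && machine != IMAGE_FILE_MACHINE_AMD64) { err = "unsupported machine type"; return false; }
    out = PeLayout{machine, nsec, nt + 24 + optSize};
    return true;
}

// "Validating Executable Sections": walk the section table, keep only
// IMAGE_SCN_MEM_EXECUTE sections, clamp each to the file, then search its raw bytes.
std::vector<Hit> searchExecutableSections(const Bytes& f, const std::string& kw, std::string& err) {
    std::vector<Hit> hits;
    PeLayout pe;
    if (!validatePe(f, pe, err) || kw.empty()) return hits;
    for (uint16_t i = 0; i < pe.numSections; ++i) {
        size_t h = pe.sectionTable + size_t(i) * 40;   // IMAGE_SECTION_HEADER is 40 bytes
        uint32_t va = 0, rawSize = 0, rawPtr = 0, flags = 0;
        if (h + 40 > f.size() || !rd32(f, h + 12, va) || !rd32(f, h + 16, rawSize) ||
            !rd32(f, h + 20, rawPtr) || !rd32(f, h + 36, flags)) { err = "truncated section table"; return hits; }
        if (!(flags & IMAGE_SCN_MEM_EXECUTE)) continue;
        // Clamp to the file so a bogus PointerToRawData/SizeOfRawData cannot walk past the buffer.
        uint64_t begin = rawPtr, end = std::min<uint64_t>(uint64_t(rawPtr) + rawSize, f.size());
        if (begin >= end) continue;
        std::string name(reinterpret_cast<const char*>(&f[h]), 8);
        name.resize(std::strlen(name.c_str()));        // drop NUL padding from the 8-byte name
        for (size_t pos = size_t(begin); pos + kw.size() <= end; ++pos)
            if (std::memcmp(&f[pos], kw.data(), kw.size()) == 0)
                hits.push_back({name, uint32_t(pos), va + uint32_t(pos - rawPtr)});
    }
    return hits;
}

static void put16(Bytes& b, size_t off, uint16_t v) { b[off] = v & 0xFF; b[off + 1] = v >> 8; }
static void put32(Bytes& b, size_t off, uint32_t v) { for (int i = 0; i < 4; ++i) b[off + i] = (v >> (8 * i)) & 0xFF; }
static void putStr(Bytes& b, size_t off, const std::string& s) { std::copy(s.begin(), s.end(), b.begin() + off); }

// Constructed sample (not a real binary): a minimal x64 image whose executable .text
// and non-executable .data sections both contain "SECRET"; a correct search reports only .text.
Bytes buildSampleImage() {
    Bytes img(0x280, 0);
    put16(img, 0x00, IMAGE_DOS_SIGNATURE);
    put32(img, 0x3C, 0x40);                         // e_lfanew: NT headers at 0x40
    put32(img, 0x40, IMAGE_NT_SIGNATURE);
    put16(img, 0x44, IMAGE_FILE_MACHINE_AMD64);
    put16(img, 0x46, 2);                            // NumberOfSections
    put16(img, 0x54, 240);                          // SizeOfOptionalHeader (left zeroed; only its size matters here)
    size_t sh = 0x40 + 24 + 240;                    // section table at 0x148
    putStr(img, sh, ".text");      put32(img, sh + 12, 0x1000); put32(img, sh + 16, 0x40); put32(img, sh + 20, 0x200); put32(img, sh + 36, 0x60000020);
    putStr(img, sh + 40, ".data"); put32(img, sh + 52, 0x2000); put32(img, sh + 56, 0x40); put32(img, sh + 60, 0x240); put32(img, sh + 76, 0xC0000040);
    putStr(img, 0x210, "SECRET");                   // inside .text: reported
    putStr(img, 0x250, "SECRET");                   // inside .data: ignored
    return img;
}

// Stand-alone use: `pe_search <file> <keyword>`; with no arguments it runs on the sample image.
int main(int argc, char** argv) {
    std::string kw = argc > 2 ? argv[2] : "SECRET";
    std::string err;
    Bytes img;
    if (argc > 1) {
        std::ifstream in(argv[1], std::ios::binary);
        img.assign(std::istreambuf_iterator<char>(in), std::istreambuf_iterator<char>());
    } else {
        img = buildSampleImage();
    }
    std::vector<Hit> hits = searchExecutableSections(img, kw, err);
    if (!err.empty()) { std::cerr << "skipped: " << err << "\n"; return 1; }
    for (const Hit& h : hits)
        std::cout << h.section << " file offset 0x" << std::hex << h.fileOffset << " RVA 0x" << h.rva << "\n";
    return 0;
}
```

The point a scanner author cares about is in the two clamps: the section-table walk stops as soon as a header would lie past the end of the file, and each section's search window is cut to the file size rather than trusting SizeOfRawData, so a truncated or deliberately malformed header produces an error string instead of an out-of-bounds read. The reported RVA is derived from VirtualAddress plus the offset within the section, which is the address form a debugger or disassembler expects.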

Running the Application :

The application runs from the command line (CMD) and requires two parameters: the directory path containing the files to search and the keyword to search for. (You can use the executable files directly.)

  • Example Usage:

C:\> ApplicationName.exe <directory_path> <keyword>

Example Of Running Application 3 & 4 : [screenshots not reproduced in this text]

Lessons Learned :

  • Understanding PE File Structure : Working with PE files provided insights into their structure, including DOS headers, NT headers, and section headers, which are critical for validating and analyzing executable files.

  • Error Handling : Implementing robust error handling mechanisms was crucial due to potential issues with file access, invalid headers, and unexpected file formats. This improved the reliability and stability of the application.

  • Executable Section Validation : Validating executable sections within PE files ensured accurate search results, enhancing the application's functionality for cybersecurity and forensic analysis purposes.

  • Command-Line Interface (CLI) Design : Designing applications to accept command-line arguments efficiently allowed for flexible and streamlined usage, catering to various use cases from single file analysis to directory-wide searches.

  • Industry Application: Developing this project during my internship at C-Prot, a cybersecurity company specializing in antivirus software, provided practical experience in applying C++ for analyzing and securing executable files, which aligns with the company's mission to enhance digital security.

  • Future Enhancements : Identified areas for future enhancements include implementing recursive directory scanning, optimizing search algorithms for large files, and integrating multi-threading for improved performance.

Conclusion :

This project demonstrates a practical application of C++ in the field of cybersecurity, specifically in the analysis of PE files. It provides a foundation for further enhancements, such as recursive directory scanning, multi-threaded search, and advanced keyword matching techniques.

Credits

This project is maintained by @malikmaky.

For any inquiries or feedback, please contact malikmhmd@hotmail.com