11 Mar 2015

Miserable state of open source code

Yesterday I wanted to make a small API hook detector in C#. It has to parse a PE file, find the exported functions, read the bytes at the beginning of each function and then compare them with the bytes in process memory. Sounds simple, right?

Well, good luck finding a PE parser that actually works!

Looking for PE parser

Most PE parsers stop at parsing the DOS header, NT headers and section headers. But I needed something that would also parse the export table for me. After a couple of Google searches I ended up with PEReader by DKorablin. At first glance it's decent and even has a demo application. What else could you want?

Hmmm, how about working correctly on really simple files?

Sorry, nope.

Results from PEReader and CFF
It does find the exported functions, but it mismatches function names and RVAs. So if you wanted to examine, say, CreateFileW, you would end up examining DeleteFileA, or some other random API. Great job!
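To show what that mismatch looks like and how export parsing has to be done, here is an added Python example (not code from the post or from PEReader; Python rather than the post's C#): it builds a constructed export directory whose name table and function table are in different orders, resolves names once the naive way and once through AddressOfNameOrdinals, and skips forwarded exports, whose "address" points at a string rather than code. The RVA base, layout and API names are constructed sample values.

```python
import struct

EXPORT_RVA = 0x1000  # constructed: export data lives at this RVA and at offset 0 of `data`

def rva_to_off(rva):  # one constructed section; a real parser walks the section table
    return rva - EXPORT_RVA

def read_cstr(data, rva):
    start = rva_to_off(rva)
    return data[start:data.index(b"\0", start)].decode("ascii")

def build_sample_export_blob():
    """IMAGE_EXPORT_DIRECTORY + its three tables; names sorted (as the PE spec requires), funcs not."""
    names = [b"CreateFileW", b"DeleteFileA", b"ReadFile"]
    funcs = [0x2100, 0x2200, 0x2000]      # AddressOfFunctions, indexed by (ordinal - Base)
    ordinals = [1, 0, 2]                   # AddressOfNameOrdinals: names[i] -> funcs[ordinals[i]]
    n = len(names)
    off_funcs, off_names, off_ords, off_str = 40, 40 + 4 * n, 40 + 8 * n, 40 + 10 * n
    strings, name_rvas = b"sample.dll\0", []
    for nm in names:
        name_rvas.append(EXPORT_RVA + off_str + len(strings))
        strings += nm + b"\0"
    hdr = struct.pack("<IIHH" + "I" * 7, 0, 0, 0, 0, EXPORT_RVA + off_str, 1, n, n,
                      EXPORT_RVA + off_funcs, EXPORT_RVA + off_names, EXPORT_RVA + off_ords)
    return (hdr + struct.pack("<%dI" % n, *funcs) + struct.pack("<%dI" % n, *name_rvas)
            + struct.pack("<%dH" % n, *ordinals) + strings)

def naive_exports(data, export_dir_rva):
    """Reproduces the mismatch the post describes: names[i] paired with funcs[i], ordinal table ignored."""
    n, a_funcs, a_names = struct.unpack_from("<III", data, rva_to_off(export_dir_rva) + 24)
    funcs = struct.unpack_from("<%dI" % n, data, rva_to_off(a_funcs))
    name_rvas = struct.unpack_from("<%dI" % n, data, rva_to_off(a_names))
    return {read_cstr(data, r): f for r, f in zip(name_rvas, funcs)}

def parse_exports(data, export_dir_rva, export_dir_size):
    """Correct mapping names[i] -> funcs[ordinals[i]]; forwarders (RVA inside the directory) are dropped."""
    fields = struct.unpack_from("<IIHH" + "I" * 7, data, rva_to_off(export_dir_rva))
    n_funcs, n_names, a_funcs, a_names, a_ords = fields[6:]
    funcs = struct.unpack_from("<%dI" % n_funcs, data, rva_to_off(a_funcs))
    name_rvas = struct.unpack_from("<%dI" % n_names, data, rva_to_off(a_names))
    ordinals = struct.unpack_from("<%dH" % n_names, data, rva_to_off(a_ords))
    exports = {}
    for name_rva, idx in zip(name_rvas, ordinals):
        if idx >= n_funcs:
            raise ValueError("ordinal index %d out of range" % idx)
        rva = funcs[idx]                  # idx is already (ordinal - Base); do not subtract Base again
        if export_dir_rva <= rva < export_dir_rva + export_dir_size:
            continue                      # forwarder string, not code: nothing to compare in memory
        exports[read_cstr(data, name_rva)] = rva
    return exports
```

A hook detector that used the naive mapping would read the first bytes of DeleteFileA while believing it was checking CreateFileW, which is exactly the symptom in the screenshot.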

But it's open source. Just fix it and submit a patch!

Umm, no. I was looking for a PE parser that I can take, load it in VS and use it. I don't want to spend days hunting down bugs and fixing them - this stops me from doing what I really want to do.

So, dear opensourcer, if you are publishing your code, make sure it actually works. If it doesn't work, please don't publish it at all - it's not helping anyone. Don't waste other people's time.

P.S. I ended up using DNLib and writing my own PE export parsing. At least I know it works properly.

6 thoughts on “Miserable state of open source code”

    • Sure, after it's done. ;)

      If you're looking for generic hook detector, HookShark is my current favorite. Too bad it's not being updated anymore, and the source was never published.

    • Thank you Kurapica, it looks great! I generally try to use the same libraries for all my tools and until now I had never seen B@S framework. You should try to get it on the Google search results for "PE Parser C#", "PE Reader C#", or even "IMAGE_DIRECTORY_ENTRY_EXPORT C#" ;)

      Right now it can be downloaded from http://board.b-at-s.info/index.php?showtopic=9695 Maybe upload it to bitbucket/github?

  1. Hi! Yeah, this post is really old...

    But I'm the author of the PEReader assembly on GitHub.
    If you wouldn't mind sharing your sample code (expecting/get) with me, I'll try to fix it.

    Thanks in advance.
