Cff explorer

Short list of some of those tools. There are many more than what is listed, so consider this a starting point.Windows CFF Explorer PEView (Currently has limited functionality when analyzing 64-bit files) PE-Bear PEStudioLinux pe-treeMulti-platform pecheckThe tool you choose to use will be a matter of preference and platform. On Windows, I like CFF Explorer. Let’s use it for the final section of this post.Installation of CFF explorer adds a context-menu to Windows that allows you to right-click any file and select “Open with CFF Explorer”. When we open malware.exe with CFF Explorer, we are greeted with the PE file structure and fields that we introduced above. These should look familiar:When we click on the DOS header, we are presented with its fields, including two with which we are now familiar-e_magic and e_lfanew:Examining the NT header, we see the familiar Signature field and the value we identifed earlier:At this point you get the idea. We can continue to use CFF Explorer to investigate the values of the various fields listed above. I’d encourage you to do so yourself using whatever tool you prefer. Definitely investigate the Image File Header and the Optional Header. Using a hex editor, confirm some of the values of the fields that you see in your tool.This guide was meant as an introduction to the PE file format and there is a lot more that we have not covered here. If you would like to learn more, again I’d suggest starting with the Microsoft documentation here. Hopefully you learned as much as I did while writing this article. I hope to continue this series with a deep dive into some other important aspects of the PE file and malware analysis, including the Import Address Table and the practice of packing.References

Yes, this is yet another post about bugs in CFF Explorer. So far I've described:Bug in Metadata Table StreamBug in processing managed resourcesToday, I'll describe an issue with CFF Explorer's RVA2Offset function and provide a solution to the problem (patched executable).And no, I really don't hate CFF Explorer. In fact, it's one of my favorite tools and I use it every day - that's why I keep noticing more and more issues with it. 😉IntroductionHere is an executable that demonstrates the bug: you open it in CFF Explorer and try to check Import Directory. In this case, CFF will show that it's empty.That's incorrect, import directory of this executable is present and valid. It contains 2 DLLs and 3 APIs:In other executables, it can get stuck into eternal loop or - even worse - show incorrect data.Also, CFF's Address Converter feature is affected. In my demo executable, try convert RVA 0x2000 to file offset. It will return 0:So, what's happening here?Background of the bugTo put it simply, bug is triggered when one section in executable has SizeOfRawData much larger than VirtualSize. In my crafted executable it looks like this:Nitpickers corner: it's actually more complicated. The exact condition is ALIGN_UP(sec.SizeOfRawData, pe.FileAlignment) > ALIGN_UP(sec.VirtualSize, pe.SectionAlignment). But who cares about those small details, anyway?And the offending pseudo-code in CFF Explorer looks something like this: foreach (SectionHeader sec in SectionHeaders){ // try to calculate how much data this section actually contains. This goes wrong, if physical size > virtual size. dataSize = sec.sizeOfRawData ? align_up(sec.sizeOfRawData, pe.fileAlignment) : sec.virtualSize; // check if our RVA falls into this range if ( RVA >= sec.virtualAddress && RVA Fixing the bugSince I'm doing binary patches to CFF Explorer, I'm quite limited to what I can do and how. In the end, I chose the following pseudocode: // calculate how much data this section actually contains. dataSize = align_up(sec.sizeOfRawData, pe.fileAlignment); if (dataSize > align_up(sec.virtualSize, pe.sectionAlignment)) { dataSize = align_up(sec.virtualSize, pe.sectionAlignment); }While it doesn't look like much (and it doesn't cover edge cases, for example, when PE file is truncated), in general it should work just fine.Download link for fixed CFF Explorer: also includes all my previous fixes.ConclusionWhile writing this post, I noticed that PE viewer in ExeinfoPE v0.0.4.1 has very similar bug. And ProtectionID v6.6.6. And PETools 1.5 Xmas edition. And Stud_PE 2.1. And LordPE. And then I ran out of tools to test. 😀 Obviously, I can't fix them all. All I can say - use PE editing/viewing tools that actually work, for example, HIEW or IDA. And when you're writing your own PE parser library, make sure you test it on weird executables. Have fun and stay safe!Further readingEro Carrera's pefile.py implementation (code is scattered over several

I’ve received a Secunia report email about a buffer overflow vulnerability in the CFF Explorer. I was quite amused =). I mean, I usually get emails sent me by users about bugs in the CFF, never got an email by Secunia before. However, it’s always good to get bug reports. The bug itself was related to a string overflow in the resource editor. I put string safe functions quite some time ago in the old kernel of the CFF, but apparently I missed one. So, since I had already the project open to fix this bug, I also added support for .NET unoptimized metadata streams. Which is the most important new feature in this release.Both suffered from a bug where they’d fail in case the assembly to reproduce/protect didn’t have a .rsrc section. Since at the time I wrote the code all .NET assemblies had a .rsrc section, I took it for granted and didn’t include specific checks.Fixed some bugs in both applications. In particular, made some part of the CFF Explorer more robust. The current CFF Explorer still contains the core I wrote when I was 19yo. The newer kernel, which I don’t know if I’ll ever get the time to finish, doesn’t have the same problems. Anyway, this should improve rebuilding, resources importing and displaying of .NET table elements with extremely long names (more than 4096 characters). Arguments can now be passed through command line just by making them follow the name of the script. E.g.: “CFF Explorer.exe” “C:\mydir\script.cff” arg1 arg2 “arg 3” To access the arguments from the scripting part you can use the global variables argv and argc, which are the same thing as in C. Actually, argv would’ve been sufficient as it is a table and its size can be retrieved with “#”, argc is

Select "Open with CFF Explorer" There he is. Right off, you get some basic details about the file... We can see that it was probably originally compiled with Microsoft Visual C++ 7 for example. (That's only a guess CFF makes from the routines inside) We can also see it's MD5 and SHA-1 checksums, we could compare those with another file that seemed similar, and if they didn't match exactly we know that one of them has been edited.What we really want to do right now though, is add a new section to this executable. So if we click the Section Headers (highlighted in the illustration above) off the tree view on the left... we can see what sections are there right now. Now we can see all the sections in the executable already, and have a peek at the hex data each bit stores, or; before we select a section, (as in the illustration above) the entire file.Back to the point, this executable already has a KPTTrans Section, but now we want to add another... an Item, or Exp table. To do that, right click in the grey space (that's gray if you happen to live state side of the pond) below the list of sections, as indicated in the last illustration, and pick "Add Section (Empty Space)". Of course, if you have your data, tables or whatever then you could "Add Section (File Data)" but I'm assuming you (like me) don't have that much fore thought. Now... next you need to decide how big a section to add. That depends how big the table or whatever is, but I'm just going to add a 512 byte section.By default the section can be read from, and written to during execution, but cannot contain code. So it's great for storing extra

In 2024, the college fantasy football hobby took a giant leap forward in popularity and participation. The industry gained a massive boost from the return of EA Sports College Football after an 11-year hiatus, and large CFF Best Ball Tournaments took flight for the first time. The number of people seeking college fantasy football rankings, information and insight skyrocketed.In the past, I have usually waited until mid-March or later to publish the first CFF player rankings. Yet, it is clear that CFF Best Ball leagues and drafts are already taking place on Fantrax, and it is a great time to kick off the 2025 campaign—spring practices are just around the corner and the transfer portal is closed until April 16, 2025.Over the last two weeks, I put together the rankings to help diehards and newbies navigate the large player pool in college football. Of course, changes will be made as new information comes out and depth charts are updated. For now, enjoy my fellow CFF diehards.There’s no such thing as too much football! 2022 is the perfect time to add the college game to your fantasy football repertoire. Whether you want to create your own league or join an existing league, the Fantrax College Football Commissioner is the place to go!2025 CFF Positional BreakdownsQuarterbacksIn my humble opinion, the quarterback position is the deepest at this time in the process. I am very excited about the top six in the rankings (LaNorris Sellers, Cade Klubnik, Blake Horvath, Arch Manning, Avery Johnson, and DJ Lagway) and would like to acquire at least one of the elite signal callers. In the second tier (7-15), I have nine players ranked and will seek to acquire two of the top 15 if one of the quarterbacks falls outside of the first seven rounds of a draft.When building a CFF roster, acquiring a quarterback who can produce over 40 Fantasy Points (FPs) in any given game is such a tremendous boost to weekly victories and winning a championship that it is difficult to pass up. I do not like to take a flier on two quarterbacks, hoping that both become CFF stars. I would prefer to draft one stud, another solid weekly contributor (16-30 in my rankings), and embrace risk only while selecting a third quarterback with upside.CADE 👏 KLUBNIK 👏@CadeKlubnikQB ran 50-YDs for the TD to give the No. 20 Tigers the 24-20 lead @ClemsonFB | @ClemsonTigers | #GoTigers pic.twitter.com/X4Dx8GtDo7— ACC Digital Network (@theACCDN) November 16, 2024Twitterverse on Fire!Who is the most interesting quarterback as a fantasy player to transfer teams in 2025?Fernando Mendoza, Indiana: 12%Devon Dampier, Utah: 32%Thomas Castellanos, Florida State: 11%John Mateer, Oklahoma: 45%“Outside the box on this one. For me, it is