Carve Exe
Carve Exe is a simple, best-effort tool to carve PE and ELF files from arbitrary binary files (e.g. memory dumps and executables).
Carve Exe is:
- Simple: it's only a couple of lines of Python.
- Modular: it's easy to add a new file format.
- Best effort: it tries to cover the most common cases, but it is likely possible to craft a valid PE/ELF file that will not be carved correctly by this tool, as the PE and ELF formats are complex.
- Smart about loading files: it is possible to carve 100 GB files without loading the whole file into memory, as the files are parsed byte by byte.
Carve Exe depends on pefile and pyelftools to do all the heavy lifting of parsing the actual file formats.
Note that executables with wrong values in their headers (e.g. wrong section sizes) will produce wrong output. Garbage in, garbage out.
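Why header values decide the carved output, shown as an added example (this is not Carve Exe's own code, which relies on pefile and pyelftools): a simplified in-memory PE carver that uses only Python's struct module. The names pe_extent, carve_pe and build_sample are hypothetical, and the sample PE is constructed for the demonstration.

```python
import struct

def pe_extent(blob: bytes, off: int):
    """On-disk size of the PE image at blob[off], taken from its headers, or None."""
    if blob[off:off + 2] != b"MZ" or off + 0x40 > len(blob):
        return None
    (e_lfanew,) = struct.unpack_from("<I", blob, off + 0x3C)
    nt = off + e_lfanew
    if blob[nt:nt + 4] != b"PE\0\0" or nt + 24 > len(blob):
        return None
    (n_sections,) = struct.unpack_from("<H", blob, nt + 6)   # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", blob, nt + 20)    # COFF SizeOfOptionalHeader
    table = nt + 24 + opt_size                               # first section header
    if table + 40 * n_sections > len(blob):
        return None
    end = table + 40 * n_sections - off                      # headers alone
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", blob, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def carve_pe(blob: bytes):
    """Return [(offset, image_bytes)] for every 'MZ' hit whose headers parse."""
    out, pos = [], blob.find(b"MZ")
    while pos != -1:
        size = pe_extent(blob, pos)
        if size is not None:
            out.append((pos, blob[pos:pos + size]))
        pos = blob.find(b"MZ", pos + 1)
    return out

def build_sample(claimed_raw_size: int) -> bytes:
    """Constructed minimal PE: 0x200 header bytes plus one 0x200-byte section."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, claimed_raw_size, 0x200)
    return (dos + coff + sect + b"\0" * 16).ljust(0x200, b"\0") + b"\xCC" * 0x200

if __name__ == "__main__":
    for claimed in (0x200, 0x100):   # correct header, then an understated section size
        dump = b"\0" * 100 + build_sample(claimed) + b"unrelated trailing memory"
        (off, img), = carve_pe(dump)
        print(hex(claimed), off, len(img))
```

With the correct section size the carved image is byte-identical to the embedded file; with the understated size the carve stops 0x100 bytes early, even though the full file is present in the dump.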
Installation
$ pip install poetry
$ git clone git@github.com:joren485/carve-exe.git
$ cd carve-exe
$ poetry install
Usage
Help
$ poetry shell
$ carve-exe --help
Usage: carve-exe [OPTIONS]
Carve PE files from binary blob.
╭─ Options ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ * --input -i PATH Input file or directory [default: None] [required] │
│ * --output -o DIRECTORY Output directory [default: None] [required] │
│ --install-completion Install completion for the current shell. │
│ --show-completion Show completion for the current shell, to copy it or customize the installation. │
│ --help Show this message and exit. │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
Example
$ poetry shell
$ carve-exe --input test/input.bin --output /tmp/ # Carve test/input.bin and write output to /tmp/
$ carve-exe --input test/ --output /tmp/ # Carve all files in test/ and write output to /tmp/