x64dbg
/
btparser
mirror of https://github.com/x64dbg/btparser
1
0
Fork 0
Code Releases Activity
btparser/cparser/tests/RESTemplate.bt

552 lines
18 KiB
Plaintext
Raw Normal View History

initial commit (lexer working for very very simple files)
2016-06-05 06:00:36 +08:00
//------------------------------------
//--- 010 Editor v1.2 Binary Template
//
// Author: Sergey Evtushenko wildcar@mail.ru
// Purpose: Display resources structure of a res file or PE file with Resources
// Info for the .rsrc section format in PE file was taken from http://msdn.microsoft.com/en-us/library/ms809762.aspx,
// but full understanding came after this https://forum.intern0t.org/security-tutorials-guides/4135-portable-executable-format-its-rsrc-section.html
// Info for RES file format was taken from http://msdn.microsoft.com/en-us/library/windows/desktop/ms648007(v=vs.85).aspx
// There is not all the pure truth but there is some info at least
// Additionally this template display the VersionInfo resource structure
// Info for this format was taken from http://msdn.microsoft.com/en-us/library/windows/desktop/ff468916(v=vs.85).aspx
// There is also not all the truth but there is some info at least
// This template is using modified EXETemplate for skip right to rsrc section. Thanks to Blaine Lefebvre for it.
// File mask: *.res, *.exe, *.dll
// Date: 2014-07-29
// Place: Zaprudnya (sometimes Moscow), Russia
// Local global variables :)
local int64 rsrc_va, rsrc_sa, rsrc_ea, res_level;
local int32 rTypeID, rNameID, rLanguageID;
local int res_show_log=0; // Switch it to 1 for verbose output (there is output only for PE)
// Skip right to the .rsrc section
GoTo_rsrc_section();
if (rsrc_va>0)
{
//PE file detected
RESfromPEDiscover();
}
else
{
// else we think that it is a RES file
RESfromRESDiscover();
}
// DOS exe format
typedef struct {
char Signature[2];
WORD LengthOfImage;
WORD SizeOfFile;
WORD NumberOfRelocationItems;
WORD SizeOfHeader;
WORD MinPara;
WORD MaxPara;
WORD OffsetStack;
WORD InitialSp;
WORD NegativeChecksum;
WORD InitialIp;
WORD OffsetCs;
WORD OffsetFirstRelocationItem;
WORD OverlayNumber;
WORD Res1;
WORD Res2;
WORD Res3;
WORD Res4;
WORD OemId;
WORD OemInfo;
WORD Res5[10];
DWORD OffsetToPEHeader;
} DosExeHeader;
typedef struct {
int32 DirExport;
int32 DirExportSize;
int32 DirImport;
int32 DirImportSize;
int32 DirResource;
int32 DirResourceSize;
int32 DirException;
int32 DirExceptionSize;
int32 DirSecurity;
int32 DirSecuritySize;
int32 DirBasereloc;
int32 DirBaserelocSize;
int32 DirDebug;
int32 DirDebugSize;
int32 DirArchitecture;
int32 DirArchitectureSize;
int32 DirGlobalptr;
int32 DirGlobalptrSize;
int32 DirTls;
int32 DirTlsSize;
int32 DirLoadConfig;
int32 DirLoadConfig_size;
int32 DirBoundImport;
int32 DirBoundImportSize;
int32 DirIat;
int32 DirIatSize;
int32 DirDelayImport;
int32 DirDelayImportSize;
int32 DirComDescriptor;
int32 DirComDescriptorSize;
int32 DirX;
int32 DirXSize;
} DataDirectory;
typedef struct {
int32 rva;
int32 size;
} DataDir;
typedef struct {
char Sig[4];
int16 CpuType;
int16 NumSections;
time_t Tm;
int32 PointerToSymbolTable;
int32 NumberOfSymbols;
int16 NtHeaderSize;
int16 Flags;
} PeHeader;
typedef struct {
int16 Res3;
char LMajor;
char LMinor;
int32 SizeOfCode;
int32 SizeOfInitData;
int32 SizeOfUninitData;
int32 EntrypointRva;
int32 BaseOfCode;
int32 BaseOfData;
int32 ImageBase;
int32 SectionAlign;
int32 FileAlign;
int16 OsMajor;
int16 OsMinor;
int16 UserMajor;
int16 UserMinor;
int16 SubsystemMajor;
int16 SubsystemMinor;
int32 Win32VersionValue;
int32 ImageSize;
int32 HeaderSize;
int32 FileChecksum;
int16 Subsystem;
int16 DllFlags;
int32 StackReserveSize;
int32 StackCommitSize;
int32 HeapReserveSize;
int32 HeapCommitSize;
int32 LoaderFlags;
int32 NumInterestingRvaSize;
} OptionalHeader;
typedef struct{
char Name[8];
int32 VirtualSize;
int32 VirtualAddress;
int32 SizeOfRawData;
int32 PointerToRawData;
int32 PointerToRelocations;
int32 PointerToLinenumbers;
int16 NumberOfRelocations;
int16 NumberOfLinenumbers;
int32 Characteristics;
} SectionTable;
void GetResourceDirectory()
{
res_level+=1;
struct
{
local int32 j;
uint32 Characteristics;
DOSTIME TimeStamp;
DOSDATE DataStamp;
uint16 MajorVersion;
uint16 MinorVersion;
uint16 NumberOfNameEntries;
uint16 NumberOfIDEntries;
for( j=0;j<NumberOfNameEntries;j++)
{
struct
{
local int64 currentaddress;
uint32 NameRVA:31 <format=hex>;
int TopBit:1;
currentaddress= FTell();
FSeek(rsrc_sa+NameRVA);
int16 Length;
wchar_t UnicodeString[Length];
if (res_show_log==1){Printf("\nLevel %d. ",res_level);}
if (res_show_log==1){Printf("Name: %s",UnicodeString);}
FSeek(currentaddress);
uint32 DataEntryRVA:31 <format=hex>;
int PointToChild:1;
currentaddress= FTell();
if (PointToChild==1)
{
FSeek(rsrc_sa+DataEntryRVA);
GetResourceDirectory();
FSeek(currentaddress);
};
} DirectoryNameEntry;
};
for( j=0;j<NumberOfIDEntries;j++)
{
struct
{
local int64 currentaddress;
switch( res_level )
{
case 1:
uint32 IntegerID <comment=ShowType>;
rTypeID=IntegerID;
if (res_show_log==1){Printf("\n%s",ShowType(rTypeID));}
break;
case 2:
uint32 IntegerID <comment=ShowName>;
rNameID=IntegerID;
if (res_show_log==1){Printf("\n%s",ShowName(rNameID));}
break;
case 3:
uint32 IntegerID <comment=ShowLanguage>;
rLanguageID=IntegerID;
if (res_show_log==1){Printf("\n%s",ShowLanguage(rLanguageID));}
break;
}
uint32 DataEntryRVA:31 <format=hex>;
int PointToChild:1;
currentaddress= FTell();
if (PointToChild==1)
{
FSeek(rsrc_sa+DataEntryRVA);
GetResourceDirectory();
FSeek(currentaddress);
}
else
{
FSeek(rsrc_sa+DataEntryRVA);
struct
{
local int64 ba1, ba2;
int32 DataRVA <format=hex>;
int32 Size;
int32 Codepage;
int32 Reserved;
FSeek(DataRVA-(rsrc_va-rsrc_sa));
if (rTypeID==16)
{
struct
{
ba1=FTell();
char VersionInfoRAWData[Size];
ba2=FTell();
FSeek(ba1);
VersionInfo();
FSeek(ba2);
} versioninfo;
}
else
{
char ResourceRAWData[Size];
};
} DataEntry;
FSeek(currentaddress);
};
} DirectoryIDEntry;
};
} DirectoryTable;
res_level-=1;
};
string ShowType(uint32 ID)
{
local string s;
switch( ID)
{
case 1: s="Cursor";break;
case 2: s="Bitmap";break;
case 3: s="Icon";break;
case 4: s="Menu";break;
case 5: s="Dialog box";break;
case 6: s="String table entry";break;
case 7: s="Font directory";break;
case 8: s="Font";break;
case 9: s="Accelerator table";break;
case 10: s="Application defined resource (raw data)";break;
case 11: s="Message table entry";break;
case 12: s="Group cursor";break;
case 14: s="Group icon";break;
case 16: s="Version information";break;
case 17: s="Dlginclude";break;
case 19: s="Plug and play resource";break;
case 20: s="VXD";break;
case 21: s="Animated cursor";break;
case 22: s="Animated icon";break;
case 23: s="HTML";break;
case 24: s="Side-by-side assembly manifest";break;
}
SPrintf( s, "1. Resource type: %s", s );
return s;
}
string ShowName(uint32 ID)
{
local string s;
SPrintf( s, "2. Name ID: %d", ID );
return s;
}
string ShowSName(wstring Str)
{
local string s;
SPrintf( s, "2. Name: %s", Str );
return s;
}
string ShowLanguage(uint32 ID)
{
local string s;
SPrintf( s, "3. Language ID: %d", ID );
return s;
}
void RESfromPEDiscover()
{
rsrc_sa=FTell();
struct
{
if (res_show_log==1) Printf("\nResources list.");
res_level=0;
GetResourceDirectory();
} ResourcesStructure;
}
void GoTo_rsrc_section()
{
local int32 i;
rsrc_sa=0;
rsrc_va=0;
DosExeHeader DOSHead <hidden=true>;
//Check if this is a PE file, if not we cannot get the rsrc section, probably this is a plain .res file, so we should start from 0
if ( !Memcmp(DOSHead.Signature,"MZ",2) )
{
char dosstub[DOSHead.OffsetToPEHeader-(DOSHead.SizeOfHeader*0x10)] <hidden=true>;
PeHeader PEHead <hidden=true>;
if ( !Memcmp(PEHead.Sig,"PE",2) )
{
OptionalHeader OptionalHead <hidden=true>;
DataDir dd[16] <hidden=true>;
SectionTable sec[PEHead.NumSections] <hidden=true>;
for ( i = 0 ; i < PEHead.NumSections ; i++ )
{
FSeek(sec[i].PointerToRawData);
if ( !Strcmp(sec[i].Name,".rsrc") )
{
rsrc_sa=FTell();
rsrc_va=sec[i].VirtualAddress;
}
}
}
}
FSeek(rsrc_sa);
}
int Padding4Bytes(int Value)
{
return (Value%4>0)*(4-Value%4);
}
void VersionInfo()
{
struct
{
WORD wLength;
WORD wValueLength;
WORD wType;
wstring szKey;
if (!Strcmp(szKey,"VS_VERSION_INFO")) // Check that it is true VS_VERSION_INFO (The 1st step)
{
byte padding_n[Padding4Bytes(sizeof(wValueLength))];
struct
{
DWORD dwSignature <format=hex>;
struct
{
WORD StructureMinorVersion;
WORD StructureMajorVersion;
} dwStrucVersion;
struct
{
WORD FileMinorVersion;
WORD FileMajorVersion;
} dwFileVersionMS;
struct
{
WORD FileBuildNumber;
WORD FileRevision;
} dwFileVersionLS;
struct
{
WORD FileMinorVersion;
WORD FileMajorVersion;
} dwProductVersionMS;
struct
{
WORD FileBuildNumber;
WORD FileRevision;
} dwProductVersionLS;
DWORD dwFileFlagsMask;
DWORD dwFileFlags;
DWORD dwFileOS;
DWORD dwFileType;
DWORD dwFileSubtype;
DWORD dwFileDateMS;
DWORD dwFileDateLS;
} VS_FIXEDFILEINFO;
if (VS_FIXEDFILEINFO.dwSignature==0xFEEF04BD) // Check that it is true VS_VERSION_INFO (The 2nd step)
{
byte Padding2[Padding4Bytes(sizeof(VS_FIXEDFILEINFO))]; // Should be no reason this to exist
// Check of StringFileInfo existence
struct
{
FSkip(6);
wstring szKeyCheck <hidden=true>;
FSkip(-6-sizeof(szKeyCheck));
if (!Strcmp(szKeyCheck,"StringFileInfo"))
{
local int HeaderLength;
local int64 LenghtLeft;
WORD wLength;
WORD wValueLength;
WORD wType;
wstring szKey;
HeaderLength=6+sizeof(szKey);
byte Padding[Padding4Bytes(HeaderLength)];
LenghtLeft=wLength-HeaderLength-Padding4Bytes(HeaderLength);
while (LenghtLeft>0)
{
struct
{
local int HeaderLength;
WORD wLength;
WORD wValueLength;
WORD wType;
wstring szKey;
HeaderLength=6+sizeof(szKey);
byte Padding[Padding4Bytes(HeaderLength)];
local int64 LenghtLeft;
LenghtLeft=wLength-6-sizeof(szKey);
while (LenghtLeft>0)
{
struct
{
local int HeaderLength;
WORD wLength;
WORD wValueLength;
WORD wType;
wstring szKey;
HeaderLength=6+sizeof(szKey);
byte Padding[Padding4Bytes(HeaderLength)];
wstring Value;
byte padding_v[Padding4Bytes(sizeof(Value))];
}String;
LenghtLeft-=sizeof(String);
}
}StringTable;
LenghtLeft-=sizeof(StringTable);
}
}
} StringFileInfo;
// Check of VarFileInfo existence
struct
{
FSkip(6);
wstring szKeyCheck <hidden=true>;
FSkip(-6-sizeof(szKeyCheck));
if (!Strcmp(szKeyCheck,"VarFileInfo"))
{
local int HeaderLength;
local int64 LenghtLeft;
WORD wLength;
WORD wValueLength;
WORD wType;
wstring szKey;
HeaderLength=6+sizeof(szKey);
byte Padding[Padding4Bytes(HeaderLength)];
LenghtLeft=wLength-HeaderLength-Padding4Bytes(HeaderLength);
while (LenghtLeft>0)
{
struct
{
local int HeaderLength;
WORD wLength;
WORD wValueLength;
WORD wType;
wstring szKey;
HeaderLength=6+sizeof(szKey);
byte Padding[Padding4Bytes(HeaderLength)];
DWORD Value <format=hex>;
} Var;
LenghtLeft-=sizeof(Var);
}
}
} VarFileInfo;
}
}
} VS_VERSIONINFO;
}
void RESfromRESDiscover()
{
while (!FEof())
{
struct
{
DWORD DataSize;
DWORD HeaderSize;
WORD TYPE_type;
if (TYPE_type==0xFFFF)
{
WORD TYPE <comment=ShowType>;
}
else
{
FSkip(-2);
wstring sType;
byte padding_t[Padding4Bytes(sizeof(sType))];
}
WORD NAME_type;
if (NAME_type==0xFFFF)
{
WORD NAME <comment=ShowName>;
}
else
{
FSkip(-2);
wstring sName <comment=ShowSName>;
local int32 pn_size;
byte padding_n[Padding4Bytes(sizeof(sName))];
}
DWORD DataVersion;
WORD MemoryFlags;
WORD LanguageId <comment=ShowLanguage>;
DWORD Version;
DWORD Characteristics;
char ResourceRAWData[DataSize];
if (TYPE==16)
{
local int64 ba1, ba2;
ba2=FTell();
ba1=ba2-DataSize;
FSeek(ba1);
VersionInfo();
FSeek(ba2);
}
byte padding[Padding4Bytes(DataSize)];
} Resource;
}
}