mirror of https://github.com/x64dbg/btparser
552 lines
14 KiB
Plaintext
552 lines
14 KiB
Plaintext
1:
|
|
2:
|
|
3:
|
|
4:
|
|
5:
|
|
6:
|
|
7:
|
|
8:
|
|
9:
|
|
10:
|
|
11:
|
|
12:
|
|
13:
|
|
14:
|
|
15:
|
|
16:
|
|
17:
|
|
18:
|
|
19: local int64 rsrc_va , rsrc_sa , rsrc_ea , res_level ;
|
|
20: local int32 rTypeID , rNameID , rLanguageID ;
|
|
21: local int res_show_log = 0 ;
|
|
22:
|
|
23:
|
|
24: GoTo_rsrc_section ( ) ;
|
|
25: if ( rsrc_va > 0 )
|
|
26: {
|
|
27:
|
|
28: RESfromPEDiscover ( ) ;
|
|
29: }
|
|
30: else
|
|
31: {
|
|
32:
|
|
33: RESfromRESDiscover ( ) ;
|
|
34: }
|
|
35:
|
|
36:
|
|
37: typedef struct {
|
|
38: char Signature [ 2 ] ;
|
|
39: WORD LengthOfImage ;
|
|
40: WORD SizeOfFile ;
|
|
41: WORD NumberOfRelocationItems ;
|
|
42: WORD SizeOfHeader ;
|
|
43: WORD MinPara ;
|
|
44: WORD MaxPara ;
|
|
45: WORD OffsetStack ;
|
|
46: WORD InitialSp ;
|
|
47: WORD NegativeChecksum ;
|
|
48: WORD InitialIp ;
|
|
49: WORD OffsetCs ;
|
|
50: WORD OffsetFirstRelocationItem ;
|
|
51: WORD OverlayNumber ;
|
|
52: WORD Res1 ;
|
|
53: WORD Res2 ;
|
|
54: WORD Res3 ;
|
|
55: WORD Res4 ;
|
|
56: WORD OemId ;
|
|
57: WORD OemInfo ;
|
|
58: WORD Res5 [ 10 ] ;
|
|
59: DWORD OffsetToPEHeader ;
|
|
60: } DosExeHeader ;
|
|
61:
|
|
62: typedef struct {
|
|
63: int32 DirExport ;
|
|
64: int32 DirExportSize ;
|
|
65: int32 DirImport ;
|
|
66: int32 DirImportSize ;
|
|
67: int32 DirResource ;
|
|
68: int32 DirResourceSize ;
|
|
69: int32 DirException ;
|
|
70: int32 DirExceptionSize ;
|
|
71: int32 DirSecurity ;
|
|
72: int32 DirSecuritySize ;
|
|
73: int32 DirBasereloc ;
|
|
74: int32 DirBaserelocSize ;
|
|
75: int32 DirDebug ;
|
|
76: int32 DirDebugSize ;
|
|
77: int32 DirArchitecture ;
|
|
78: int32 DirArchitectureSize ;
|
|
79: int32 DirGlobalptr ;
|
|
80: int32 DirGlobalptrSize ;
|
|
81: int32 DirTls ;
|
|
82: int32 DirTlsSize ;
|
|
83: int32 DirLoadConfig ;
|
|
84: int32 DirLoadConfig_size ;
|
|
85: int32 DirBoundImport ;
|
|
86: int32 DirBoundImportSize ;
|
|
87: int32 DirIat ;
|
|
88: int32 DirIatSize ;
|
|
89: int32 DirDelayImport ;
|
|
90: int32 DirDelayImportSize ;
|
|
91: int32 DirComDescriptor ;
|
|
92: int32 DirComDescriptorSize ;
|
|
93: int32 DirX ;
|
|
94: int32 DirXSize ;
|
|
95: } DataDirectory ;
|
|
96:
|
|
97: typedef struct {
|
|
98: int32 rva ;
|
|
99: int32 size ;
|
|
100: } DataDir ;
|
|
101:
|
|
102: typedef struct {
|
|
103: char Sig [ 4 ] ;
|
|
104: int16 CpuType ;
|
|
105: int16 NumSections ;
|
|
106: time_t Tm ;
|
|
107: int32 PointerToSymbolTable ;
|
|
108: int32 NumberOfSymbols ;
|
|
109: int16 NtHeaderSize ;
|
|
110: int16 Flags ;
|
|
111: } PeHeader ;
|
|
112:
|
|
113: typedef struct {
|
|
114: int16 Res3 ;
|
|
115: char LMajor ;
|
|
116: char LMinor ;
|
|
117: int32 SizeOfCode ;
|
|
118: int32 SizeOfInitData ;
|
|
119: int32 SizeOfUninitData ;
|
|
120: int32 EntrypointRva ;
|
|
121: int32 BaseOfCode ;
|
|
122: int32 BaseOfData ;
|
|
123: int32 ImageBase ;
|
|
124: int32 SectionAlign ;
|
|
125: int32 FileAlign ;
|
|
126: int16 OsMajor ;
|
|
127: int16 OsMinor ;
|
|
128: int16 UserMajor ;
|
|
129: int16 UserMinor ;
|
|
130: int16 SubsystemMajor ;
|
|
131: int16 SubsystemMinor ;
|
|
132: int32 Win32VersionValue ;
|
|
133: int32 ImageSize ;
|
|
134: int32 HeaderSize ;
|
|
135: int32 FileChecksum ;
|
|
136: int16 Subsystem ;
|
|
137: int16 DllFlags ;
|
|
138: int32 StackReserveSize ;
|
|
139: int32 StackCommitSize ;
|
|
140: int32 HeapReserveSize ;
|
|
141: int32 HeapCommitSize ;
|
|
142: int32 LoaderFlags ;
|
|
143: int32 NumInterestingRvaSize ;
|
|
144: } OptionalHeader ;
|
|
145:
|
|
146: typedef struct {
|
|
147: char Name [ 8 ] ;
|
|
148: int32 VirtualSize ;
|
|
149: int32 VirtualAddress ;
|
|
150: int32 SizeOfRawData ;
|
|
151: int32 PointerToRawData ;
|
|
152: int32 PointerToRelocations ;
|
|
153: int32 PointerToLinenumbers ;
|
|
154: int16 NumberOfRelocations ;
|
|
155: int16 NumberOfLinenumbers ;
|
|
156: int32 Characteristics ;
|
|
157: } SectionTable ;
|
|
158:
|
|
159: void GetResourceDirectory ( )
|
|
160: {
|
|
161: res_level += 1 ;
|
|
162: struct
|
|
163: {
|
|
164: local int32 j ;
|
|
165: uint32 Characteristics ;
|
|
166: DOSTIME TimeStamp ;
|
|
167: DOSDATE DataStamp ;
|
|
168: uint16 MajorVersion ;
|
|
169: uint16 MinorVersion ;
|
|
170: uint16 NumberOfNameEntries ;
|
|
171: uint16 NumberOfIDEntries ;
|
|
172: for ( j = 0 ; j < NumberOfNameEntries ; j ++ )
|
|
173: {
|
|
174: struct
|
|
175: {
|
|
176: local int64 currentaddress ;
|
|
177: uint32 NameRVA : 31 < format = hex > ;
|
|
178: int TopBit : 1 ;
|
|
179: currentaddress = FTell ( ) ;
|
|
180: FSeek ( rsrc_sa + NameRVA ) ;
|
|
181: int16 Length ;
|
|
182: wchar_t UnicodeString [ Length ] ;
|
|
183: if ( res_show_log == 1 ) { Printf ( "\nLevel %d. " , res_level ) ; }
|
|
184: if ( res_show_log == 1 ) { Printf ( "Name: %s" , UnicodeString ) ; }
|
|
185: FSeek ( currentaddress ) ;
|
|
186:
|
|
187: uint32 DataEntryRVA : 31 < format = hex > ;
|
|
188: int PointToChild : 1 ;
|
|
189: currentaddress = FTell ( ) ;
|
|
190: if ( PointToChild == 1 )
|
|
191: {
|
|
192: FSeek ( rsrc_sa + DataEntryRVA ) ;
|
|
193: GetResourceDirectory ( ) ;
|
|
194: FSeek ( currentaddress ) ;
|
|
195: } ;
|
|
196: } DirectoryNameEntry ;
|
|
197: } ;
|
|
198: for ( j = 0 ; j < NumberOfIDEntries ; j ++ )
|
|
199: {
|
|
200: struct
|
|
201: {
|
|
202: local int64 currentaddress ;
|
|
203: switch ( res_level )
|
|
204: {
|
|
205: case 1 :
|
|
206: uint32 IntegerID < comment = ShowType > ;
|
|
207: rTypeID = IntegerID ;
|
|
208: if ( res_show_log == 1 ) { Printf ( "\n%s" , ShowType ( rTypeID ) ) ; }
|
|
209: break ;
|
|
210: case 2 :
|
|
211: uint32 IntegerID < comment = ShowName > ;
|
|
212: rNameID = IntegerID ;
|
|
213: if ( res_show_log == 1 ) { Printf ( "\n%s" , ShowName ( rNameID ) ) ; }
|
|
214: break ;
|
|
215: case 3 :
|
|
216: uint32 IntegerID < comment = ShowLanguage > ;
|
|
217: rLanguageID = IntegerID ;
|
|
218: if ( res_show_log == 1 ) { Printf ( "\n%s" , ShowLanguage ( rLanguageID ) ) ; }
|
|
219: break ;
|
|
220: }
|
|
221: uint32 DataEntryRVA : 31 < format = hex > ;
|
|
222: int PointToChild : 1 ;
|
|
223: currentaddress = FTell ( ) ;
|
|
224: if ( PointToChild == 1 )
|
|
225: {
|
|
226: FSeek ( rsrc_sa + DataEntryRVA ) ;
|
|
227: GetResourceDirectory ( ) ;
|
|
228: FSeek ( currentaddress ) ;
|
|
229: }
|
|
230: else
|
|
231: {
|
|
232: FSeek ( rsrc_sa + DataEntryRVA ) ;
|
|
233: struct
|
|
234: {
|
|
235: local int64 ba1 , ba2 ;
|
|
236: int32 DataRVA < format = hex > ;
|
|
237: int32 Size ;
|
|
238: int32 Codepage ;
|
|
239: int32 Reserved ;
|
|
240: FSeek ( DataRVA - ( rsrc_va - rsrc_sa ) ) ;
|
|
241: if ( rTypeID == 16 )
|
|
242: {
|
|
243: struct
|
|
244: {
|
|
245: ba1 = FTell ( ) ;
|
|
246: char VersionInfoRAWData [ Size ] ;
|
|
247: ba2 = FTell ( ) ;
|
|
248: FSeek ( ba1 ) ;
|
|
249: VersionInfo ( ) ;
|
|
250: FSeek ( ba2 ) ;
|
|
251: } versioninfo ;
|
|
252: }
|
|
253: else
|
|
254: {
|
|
255: char ResourceRAWData [ Size ] ;
|
|
256: } ;
|
|
257: } DataEntry ;
|
|
258: FSeek ( currentaddress ) ;
|
|
259: } ;
|
|
260: } DirectoryIDEntry ;
|
|
261: } ;
|
|
262: } DirectoryTable ;
|
|
263: res_level -= 1 ;
|
|
264: } ;
|
|
265:
|
|
266: string ShowType ( uint32 ID )
|
|
267: {
|
|
268: local string s ;
|
|
269: switch ( ID )
|
|
270: {
|
|
271: case 1 : s = "Cursor" ; break ;
|
|
272: case 2 : s = "Bitmap" ; break ;
|
|
273: case 3 : s = "Icon" ; break ;
|
|
274: case 4 : s = "Menu" ; break ;
|
|
275: case 5 : s = "Dialog box" ; break ;
|
|
276: case 6 : s = "String table entry" ; break ;
|
|
277: case 7 : s = "Font directory" ; break ;
|
|
278: case 8 : s = "Font" ; break ;
|
|
279: case 9 : s = "Accelerator table" ; break ;
|
|
280: case 10 : s = "Application defined resource (raw data)" ; break ;
|
|
281: case 11 : s = "Message table entry" ; break ;
|
|
282: case 12 : s = "Group cursor" ; break ;
|
|
283: case 14 : s = "Group icon" ; break ;
|
|
284: case 16 : s = "Version information" ; break ;
|
|
285: case 17 : s = "Dlginclude" ; break ;
|
|
286: case 19 : s = "Plug and play resource" ; break ;
|
|
287: case 20 : s = "VXD" ; break ;
|
|
288: case 21 : s = "Animated cursor" ; break ;
|
|
289: case 22 : s = "Animated icon" ; break ;
|
|
290: case 23 : s = "HTML" ; break ;
|
|
291: case 24 : s = "Side-by-side assembly manifest" ; break ;
|
|
292: }
|
|
293: SPrintf ( s , "1. Resource type: %s" , s ) ;
|
|
294: return s ;
|
|
295: }
|
|
296: string ShowName ( uint32 ID )
|
|
297: {
|
|
298: local string s ;
|
|
299: SPrintf ( s , "2. Name ID: %d" , ID ) ;
|
|
300: return s ;
|
|
301: }
|
|
302:
|
|
303: string ShowSName ( wstring Str )
|
|
304: {
|
|
305: local string s ;
|
|
306: SPrintf ( s , "2. Name: %s" , Str ) ;
|
|
307: return s ;
|
|
308: }
|
|
309:
|
|
310: string ShowLanguage ( uint32 ID )
|
|
311: {
|
|
312: local string s ;
|
|
313: SPrintf ( s , "3. Language ID: %d" , ID ) ;
|
|
314: return s ;
|
|
315: }
|
|
316:
|
|
317: void RESfromPEDiscover ( )
|
|
318: {
|
|
319: rsrc_sa = FTell ( ) ;
|
|
320: struct
|
|
321: {
|
|
322: if ( res_show_log == 1 ) Printf ( "\nResources list." ) ;
|
|
323: res_level = 0 ;
|
|
324: GetResourceDirectory ( ) ;
|
|
325: } ResourcesStructure ;
|
|
326: }
|
|
327:
|
|
328: void GoTo_rsrc_section ( )
|
|
329: {
|
|
330: local int32 i ;
|
|
331: rsrc_sa = 0 ;
|
|
332: rsrc_va = 0 ;
|
|
333: DosExeHeader DOSHead < hidden = true > ;
|
|
334:
|
|
335: if ( ! Memcmp ( DOSHead . Signature , "MZ" , 2 ) )
|
|
336: {
|
|
337: char dosstub [ DOSHead . OffsetToPEHeader - ( DOSHead . SizeOfHeader * 0x10 ) ] < hidden = true > ;
|
|
338: PeHeader PEHead < hidden = true > ;
|
|
339: if ( ! Memcmp ( PEHead . Sig , "PE" , 2 ) )
|
|
340: {
|
|
341: OptionalHeader OptionalHead < hidden = true > ;
|
|
342: DataDir dd [ 16 ] < hidden = true > ;
|
|
343: SectionTable sec [ PEHead . NumSections ] < hidden = true > ;
|
|
344: for ( i = 0 ; i < PEHead . NumSections ; i ++ )
|
|
345: {
|
|
346: FSeek ( sec [ i ] . PointerToRawData ) ;
|
|
347: if ( ! Strcmp ( sec [ i ] . Name , ".rsrc" ) )
|
|
348: {
|
|
349: rsrc_sa = FTell ( ) ;
|
|
350: rsrc_va = sec [ i ] . VirtualAddress ;
|
|
351: }
|
|
352: }
|
|
353: }
|
|
354: }
|
|
355: FSeek ( rsrc_sa ) ;
|
|
356: }
|
|
357:
|
|
358: int Padding4Bytes ( int Value )
|
|
359: {
|
|
360: return ( Value % 4 > 0 ) * ( 4 - Value % 4 ) ;
|
|
361: }
|
|
362:
|
|
363: void VersionInfo ( )
|
|
364: {
|
|
365: struct
|
|
366: {
|
|
367: WORD wLength ;
|
|
368: WORD wValueLength ;
|
|
369: WORD wType ;
|
|
370: wstring szKey ;
|
|
371: if ( ! Strcmp ( szKey , "VS_VERSION_INFO" ) )
|
|
372: {
|
|
373: byte padding_n [ Padding4Bytes ( sizeof ( wValueLength ) ) ] ;
|
|
374: struct
|
|
375: {
|
|
376: DWORD dwSignature < format = hex > ;
|
|
377: struct
|
|
378: {
|
|
379: WORD StructureMinorVersion ;
|
|
380: WORD StructureMajorVersion ;
|
|
381: } dwStrucVersion ;
|
|
382: struct
|
|
383: {
|
|
384: WORD FileMinorVersion ;
|
|
385: WORD FileMajorVersion ;
|
|
386: } dwFileVersionMS ;
|
|
387: struct
|
|
388: {
|
|
389: WORD FileBuildNumber ;
|
|
390: WORD FileRevision ;
|
|
391: } dwFileVersionLS ;
|
|
392: struct
|
|
393: {
|
|
394: WORD FileMinorVersion ;
|
|
395: WORD FileMajorVersion ;
|
|
396: } dwProductVersionMS ;
|
|
397: struct
|
|
398: {
|
|
399: WORD FileBuildNumber ;
|
|
400: WORD FileRevision ;
|
|
401: } dwProductVersionLS ;
|
|
402: DWORD dwFileFlagsMask ;
|
|
403: DWORD dwFileFlags ;
|
|
404: DWORD dwFileOS ;
|
|
405: DWORD dwFileType ;
|
|
406: DWORD dwFileSubtype ;
|
|
407: DWORD dwFileDateMS ;
|
|
408: DWORD dwFileDateLS ;
|
|
409: } VS_FIXEDFILEINFO ;
|
|
410: if ( VS_FIXEDFILEINFO . dwSignature == 0xFEEF04BD )
|
|
411: {
|
|
412: byte Padding2 [ Padding4Bytes ( sizeof ( VS_FIXEDFILEINFO ) ) ] ;
|
|
413:
|
|
414: struct
|
|
415: {
|
|
416: FSkip ( 6 ) ;
|
|
417: wstring szKeyCheck < hidden = true > ;
|
|
418: FSkip ( - 6 - sizeof ( szKeyCheck ) ) ;
|
|
419: if ( ! Strcmp ( szKeyCheck , "StringFileInfo" ) )
|
|
420: {
|
|
421: local int HeaderLength ;
|
|
422: local int64 LenghtLeft ;
|
|
423: WORD wLength ;
|
|
424: WORD wValueLength ;
|
|
425: WORD wType ;
|
|
426: wstring szKey ;
|
|
427: HeaderLength = 6 + sizeof ( szKey ) ;
|
|
428: byte Padding [ Padding4Bytes ( HeaderLength ) ] ;
|
|
429: LenghtLeft = wLength - HeaderLength - Padding4Bytes ( HeaderLength ) ;
|
|
430: while ( LenghtLeft > 0 )
|
|
431: {
|
|
432: struct
|
|
433: {
|
|
434: local int HeaderLength ;
|
|
435: WORD wLength ;
|
|
436: WORD wValueLength ;
|
|
437: WORD wType ;
|
|
438: wstring szKey ;
|
|
439: HeaderLength = 6 + sizeof ( szKey ) ;
|
|
440: byte Padding [ Padding4Bytes ( HeaderLength ) ] ;
|
|
441: local int64 LenghtLeft ;
|
|
442: LenghtLeft = wLength - 6 - sizeof ( szKey ) ;
|
|
443: while ( LenghtLeft > 0 )
|
|
444: {
|
|
445: struct
|
|
446: {
|
|
447: local int HeaderLength ;
|
|
448: WORD wLength ;
|
|
449: WORD wValueLength ;
|
|
450: WORD wType ;
|
|
451: wstring szKey ;
|
|
452: HeaderLength = 6 + sizeof ( szKey ) ;
|
|
453: byte Padding [ Padding4Bytes ( HeaderLength ) ] ;
|
|
454: wstring Value ;
|
|
455: byte padding_v [ Padding4Bytes ( sizeof ( Value ) ) ] ;
|
|
456: } String ;
|
|
457: LenghtLeft -= sizeof ( String ) ;
|
|
458: }
|
|
459: } StringTable ;
|
|
460: LenghtLeft -= sizeof ( StringTable ) ;
|
|
461: }
|
|
462: }
|
|
463: } StringFileInfo ;
|
|
464:
|
|
465: struct
|
|
466: {
|
|
467: FSkip ( 6 ) ;
|
|
468: wstring szKeyCheck < hidden = true > ;
|
|
469: FSkip ( - 6 - sizeof ( szKeyCheck ) ) ;
|
|
470: if ( ! Strcmp ( szKeyCheck , "VarFileInfo" ) )
|
|
471: {
|
|
472: local int HeaderLength ;
|
|
473: local int64 LenghtLeft ;
|
|
474: WORD wLength ;
|
|
475: WORD wValueLength ;
|
|
476: WORD wType ;
|
|
477: wstring szKey ;
|
|
478: HeaderLength = 6 + sizeof ( szKey ) ;
|
|
479: byte Padding [ Padding4Bytes ( HeaderLength ) ] ;
|
|
480: LenghtLeft = wLength - HeaderLength - Padding4Bytes ( HeaderLength ) ;
|
|
481: while ( LenghtLeft > 0 )
|
|
482: {
|
|
483: struct
|
|
484: {
|
|
485: local int HeaderLength ;
|
|
486: WORD wLength ;
|
|
487: WORD wValueLength ;
|
|
488: WORD wType ;
|
|
489: wstring szKey ;
|
|
490: HeaderLength = 6 + sizeof ( szKey ) ;
|
|
491: byte Padding [ Padding4Bytes ( HeaderLength ) ] ;
|
|
492: DWORD Value < format = hex > ;
|
|
493: } Var ;
|
|
494: LenghtLeft -= sizeof ( Var ) ;
|
|
495: }
|
|
496: }
|
|
497: } VarFileInfo ;
|
|
498: }
|
|
499: }
|
|
500: } VS_VERSIONINFO ;
|
|
501: }
|
|
502:
|
|
503: void RESfromRESDiscover ( )
|
|
504: {
|
|
505: while ( ! FEof ( ) )
|
|
506: {
|
|
507: struct
|
|
508: {
|
|
509: DWORD DataSize ;
|
|
510: DWORD HeaderSize ;
|
|
511: WORD TYPE_type ;
|
|
512: if ( TYPE_type == 0xFFFF )
|
|
513: {
|
|
514: WORD TYPE < comment = ShowType > ;
|
|
515: }
|
|
516: else
|
|
517: {
|
|
518: FSkip ( - 2 ) ;
|
|
519: wstring sType ;
|
|
520: byte padding_t [ Padding4Bytes ( sizeof ( sType ) ) ] ;
|
|
521: }
|
|
522: WORD NAME_type ;
|
|
523: if ( NAME_type == 0xFFFF )
|
|
524: {
|
|
525: WORD NAME < comment = ShowName > ;
|
|
526: }
|
|
527: else
|
|
528: {
|
|
529: FSkip ( - 2 ) ;
|
|
530: wstring sName < comment = ShowSName > ;
|
|
531: local int32 pn_size ;
|
|
532: byte padding_n [ Padding4Bytes ( sizeof ( sName ) ) ] ;
|
|
533: }
|
|
534: DWORD DataVersion ;
|
|
535: WORD MemoryFlags ;
|
|
536: WORD LanguageId < comment = ShowLanguage > ;
|
|
537: DWORD Version ;
|
|
538: DWORD Characteristics ;
|
|
539: char ResourceRAWData [ DataSize ] ;
|
|
540: if ( TYPE == 16 )
|
|
541: {
|
|
542: local int64 ba1 , ba2 ;
|
|
543: ba2 = FTell ( ) ;
|
|
544: ba1 = ba2 - DataSize ;
|
|
545: FSeek ( ba1 ) ;
|
|
546: VersionInfo ( ) ;
|
|
547: FSeek ( ba2 ) ;
|
|
548: }
|
|
549: byte padding [ Padding4Bytes ( DataSize ) ] ;
|
|
550: } Resource ;
|
|
551: }
|
|
552: } tok_eof |