Monday, July 27, 2009

Dump PE format string resource

The code below uses Python with the pefile module to walk a PE file's resource directory and dump the strings stored in its RT_STRING (string-table) resources. It only parses the files it is pointed at — nothing is loaded or executed — which is what you want when looking inside binaries you do not trust.

import os
import re
import struct
import sys

import pefile #http://code.google.com/p/pefile/

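def parse_string_table(data):
    """Decode one RT_STRING resource block into a list of strings.

    A block holds up to 16 slots. Each slot is a little-endian 16-bit
    character count followed by that many UTF-16-LE code units; a count
    of 0 marks an unused slot, which is skipped.

    Every read is bounded by len(data). A count that claims more
    characters than remain in the block (what a truncated or hostile
    resource table looks like) yields the available tail instead of a
    read past the block or an exception, and a dangling odd byte is
    decoded with a replacement character rather than raising.

    Args:
        data: raw bytes (str on Python 2) of the resource block.

    Returns:
        list of decoded strings in slot order, unused slots omitted.
    """
    strings = []
    offset = 0
    size = len(data)
    # Stop as soon as there is no complete length word left; the original
    # loop tested offset >= size and could read a half word at the end,
    # which turned into a None length and a TypeError on the next line.
    while offset + 2 <= size:
        (count,) = struct.unpack_from('<H', data, offset)
        offset += 2
        if count == 0:
            continue
        end = min(offset + count * 2, size)
        strings.append(data[offset:end].decode('utf-16-le', 'replace'))
        offset = end
    return strings


def DumpStr(fname, pattern="Set Device"):
    """Print the RT_STRING resource strings of *fname* that match *pattern*.

    Args:
        fname: path of the PE image (exe/dll) to inspect. The file is only
            parsed with pefile, never executed.
        pattern: regular expression applied with re.search to each decoded
            string; only matches are printed. The default is the literal
            the original script searched for.

    Returns:
        None. A file pefile cannot parse is reported and skipped; a file
        without a resource directory or without RT_STRING entries is
        skipped silently; a malformed string-table entry skips only that
        entry. One bad sample therefore never aborts a directory scan.
    """
    try:
        pe = pefile.PE(fname)
    except Exception:
        # Per-file boundary of a batch tool: report which file failed and
        # why, then move on. The original bare `except:` also swallowed
        # KeyboardInterrupt raised during parsing, so Ctrl-C could be lost.
        print("%s: %s" % (fname, sys.exc_info()[1]))
        print("Continue to the next exe/dll")
        return

    # Locate the RT_STRING type entry of the resource directory.
    try:
        type_entries = pe.DIRECTORY_ENTRY_RESOURCE.entries
        type_ids = [entry.id for entry in type_entries]
        rt_string_idx = type_ids.index(pefile.RESOURCE_TYPE['RT_STRING'])
        # Each child is one string-table block of 16 slots; a leaf here
        # instead of a directory is a malformed tree and is treated as
        # "no string table".
        blocks = type_entries[rt_string_idx].directory.entries
    except (ValueError, AttributeError):
        return

    image = pe.get_memory_mapped_image()
    strings = []
    for block in blocks:
        try:
            data_struct = block.directory.entries[0].data.struct
        except (AttributeError, IndexError):
            # Missing language level, or a leaf where a directory is
            # expected: skip this block, not the whole file.
            continue
        data_rva = data_struct.OffsetToData
        size = data_struct.Size
        # Decode from the block's own bytes only. The original read each
        # string back through get_string_u_at_rva(), so a bogus length
        # could pull bytes from outside the resource, and an invalid RVA
        # made it return None, which then crashed re.search below.
        strings.extend(parse_string_table(image[data_rva:data_rva + size]))

    matcher = re.compile(pattern)
    for ustr in strings:
        if matcher.search(ustr):
            print(ustr)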

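if __name__ == "__main__":
    # Directory to scan. An explicit argument overrides the original
    # hard-coded default so the script is usable outside that one machine.
    path = sys.argv[1] if len(sys.argv) > 1 else "c:/app/bin"
    for fname in os.listdir(path):
        # Match on the real extension, case-insensitively. The original
        # re.search("exe|dll") matched anywhere in the name (e.g. "texel.txt")
        # and missed upper-case ".EXE"/".DLL".
        if not fname.lower().endswith((".exe", ".dll")):
            continue
        fullname = os.path.join(path, fname)
        # A directory named like a DLL would only make pefile fail later.
        if not os.path.isfile(fullname):
            continue
        print(fullname)
        DumpStr(fullname)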

Enjoy
~ts
