The code below dumps the string resources (RT_STRING) of PE files using Python and the pefile module.
Enjoy
~ts
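import os
import re
import pefile #http://code.google.com/p/pefile/
import sys

# Text looked for in every extracted resource string.
SEARCH_TEXT = "Set Device"

# Directory scanned when no directory is given on the command line.
DEFAULT_DIR = "c:/app/bin"

# File names ending in .exe or .dll, in any letter case. The pattern is
# anchored on the extension so that names merely containing "exe" or "dll"
# (for example "dllist.txt") are not handed to the PE parser.
_PE_SUFFIX = re.compile(r"\.(exe|dll)$", re.IGNORECASE)


def _read_rt_strings(pe):
    """Return the non-empty strings stored in the RT_STRING resources of *pe*.

    The file is only parsed, never executed. Because the input may be a
    malformed or hostile binary, resource entries that do not have the
    expected layout are skipped instead of aborting the whole file.

    Args:
        pe: an already loaded ``pefile.PE`` object.

    Returns:
        A list of the strings found; empty when the file has no resource
        directory or no RT_STRING entry.
    """
    # Fetch the index of the resource directory entry containing the strings
    try:
        rt_string_idx = [
            entry.id for entry in pe.DIRECTORY_ENTRY_RESOURCE.entries
        ].index(pefile.RESOURCE_TYPE['RT_STRING'])
    except (ValueError, AttributeError):
        return []

    rt_string_directory = pe.DIRECTORY_ENTRY_RESOURCE.entries[rt_string_idx]

    # Map the image once; it does not change between resource entries.
    image = pe.get_memory_mapped_image()

    strings = []
    # Each entry holds one block of 16 length-prefixed strings.
    for entry in rt_string_directory.directory.entries:
        try:
            data_struct = entry.directory.entries[0].data.struct
        except (AttributeError, IndexError):
            # Entry without a language sub-directory or data leaf: skip it.
            continue

        data_rva = data_struct.OffsetToData
        size = data_struct.Size
        data = image[data_rva:data_rva + size]

        offset = 0
        while offset < size:
            # Each string is preceded by a 16-bit count of UTF-16 code units.
            ustr_length = pe.get_word_from_data(data[offset:offset + 2], 0)
            if ustr_length is None:
                # No complete length word left: the declared Size runs past
                # the data actually present, so stop reading this block.
                break
            offset += 2

            # Empty slot in the block
            if ustr_length == 0:
                continue

            ustr = pe.get_string_u_at_rva(
                data_rva + offset, max_length=ustr_length)
            offset += ustr_length * 2
            strings.append(ustr)

    return strings


def DumpStr(fname):
    """Print the RT_STRING resource strings of *fname* containing SEARCH_TEXT.

    A file that cannot be loaded as a PE is reported (exception type plus a
    "continue" message) and skipped, so one bad file does not stop a scan.

    Args:
        fname: path of the exe/dll to inspect.
    """
    try:
        pe = pefile.PE(fname)
    except Exception:
        # Not a bare except: Ctrl-C and SystemExit must still end the scan.
        print(sys.exc_info()[0])
        print("Continue to the next exe/dll")
        return

    try:
        strings = _read_rt_strings(pe)
    finally:
        # Release the file handle/mapping; guarded in case the installed
        # pefile release predates PE.close().
        close = getattr(pe, "close", None)
        if close is not None:
            close()

    for strx in strings:
        if SEARCH_TEXT in strx:
            print(strx)


def main():
    """Scan one directory (argv[1], else DEFAULT_DIR) for exe/dll files."""
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DIR
    for fname in os.listdir(path):
        if _PE_SUFFIX.search(fname):
            fullname = os.path.join(path, fname)
            print(fullname)
            DumpStr(fullname)


if __name__ == "__main__":
    main()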
Enjoy
~ts