
Dump PE format string resource

The code below can be used to dump the string resources of a PE file using Python.

import os
import re
import pefile #http://code.google.com/p/pefile/
import sys

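def DumpStr(fname):
    """Print the RT_STRING resource strings of a PE file that match "Set Device".

    fname -- path of the executable or DLL to inspect.

    Returns None. A file that pefile cannot open or parse is reported and
    skipped; a file without a string-table resource is skipped silently.

    The input is treated as untrusted: every size and length used below is
    read from the file itself, so each one is bounded by the bytes actually
    available before it is used.
    """
    try:
        pe = pefile.PE(fname)
    except Exception:
        # Not a bare "except:", so KeyboardInterrupt and SystemExit still
        # stop the scan; a parse or I/O error only skips this one file.
        print(sys.exc_info()[0])
        print("Continue to the next exe/dll")
        return

    # Fetch the index of the resource directory entry containing the strings.
    # AttributeError: the file has no resource directory at all.
    # ValueError: it has resources, but none of type RT_STRING.
    try:
        rt_string_idx = [
            entry.id for entry in pe.DIRECTORY_ENTRY_RESOURCE.entries
        ].index(pefile.RESOURCE_TYPE['RT_STRING'])
    except (ValueError, AttributeError):
        return

    rt_string_directory = pe.DIRECTORY_ENTRY_RESOURCE.entries[rt_string_idx]

    # A malformed file can mark the RT_STRING entry as a data leaf, in which
    # case there is no sub-directory to walk.
    string_dir = getattr(rt_string_directory, 'directory', None)
    if string_dir is None:
        return

    # The mapped image does not change between entries, so build it once
    # instead of once per string block.
    image = pe.get_memory_mapped_image()

    # Will contain all the extracted Unicode strings.
    strings = []

    # Each entry holds one block of 16 length-prefixed strings.
    for entry in string_dir.entries:
        try:
            data_struct = entry.directory.entries[0].data.struct
        except (AttributeError, IndexError):
            # Resource tree is cut short for this block; skip it.
            continue

        data_rva = data_struct.OffsetToData
        data = image[data_rva:data_rva + data_struct.Size]
        # The declared Size may run past the end of the image; only the bytes
        # that were really sliced out are safe to index.
        size = len(data)

        offset = 0
        # A length word needs two bytes, so stop when fewer remain.
        while offset + 2 <= size:
            ustr_length = pe.get_word_from_data(data[offset:offset + 2], 0)
            if ustr_length is None:
                break
            offset += 2

            # If the string is empty, skip it.
            if ustr_length == 0:
                continue

            # The length prefix counts 16-bit characters and comes from the
            # file; cap it so the read cannot leave this resource block.
            ustr_length = min(ustr_length, (size - offset) // 2)
            if ustr_length == 0:
                break

            try:
                ustr = pe.get_string_u_at_rva(
                    data_rva + offset, max_length=ustr_length)
            except pefile.PEFormatError:
                # The RVA is not backed by file data; give up on this block.
                break
            offset += ustr_length * 2
            strings.append(ustr)

    # NOTE: matching strings are printed exactly as stored in the file. If the
    # output goes to a terminal or a log parser, consider escaping control
    # characters first.
    sSearch = "Set Device"
    for strx in strings:
        if re.search(sSearch, strx):
            print(strx)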

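# Scan one directory (not its sub-directories) and run DumpStr on every
# file whose name ends in .exe or .dll.
path="c:/app/bin"
dirList = os.listdir(path)
for fname in dirList:
    # Test the extension rather than searching for "exe" or "dll" anywhere in
    # the name, which also matched files such as "executor.txt". The check is
    # case-insensitive so "FOO.DLL" is included.
    if fname.lower().endswith((".exe", ".dll")):
        fullname = os.path.join(path, fname)
        print(fullname)
        DumpStr(fullname)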

Enjoy
~ts
