Class: PEdump

Inherits:
Object
Defined in:
lib/pedump.rb,
lib/pedump/ne.rb,
lib/pedump/pe.rb,
lib/pedump/te.rb,
lib/pedump/clr.rb,
lib/pedump/tls.rb,
lib/pedump/core.rb,
lib/pedump/rich.rb,
lib/pedump/logger.rb,
lib/pedump/packer.rb,
lib/pedump/version.rb,
lib/pedump/security.rb,
lib/pedump/ordlookup.rb,
lib/pedump/resources.rb,
lib/pedump/sig_parser.rb,
lib/pedump/composite_io.rb,
lib/pedump/version_info.rb,
lib/pedump/clr/signature.rb,
lib/pedump/clr/readytorun.rb,
lib/pedump/loader/minidump.rb,
lib/pedump/ne/version_info.rb

Overview

Defined Under Namespace

Modules: CLR, IMAGE_OPTIONAL_HEADER, SigParser, Unpacker, Version Classes: BITMAPINFOHEADER, CLI, ColoredLogger, Comparer, CompositeIO, DOSStub, EFI_TE_IMAGE_HEADER, ExportedFunction, IMAGE_COR20_HEADER, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32, IMAGE_OPTIONAL_HEADER64, IMAGE_RESOURCE_DIRECTORY, IMAGE_SECTION_HEADER, ImportedFunction, Loader, Logger, MINIDUMP_DIRECTORY, MINIDUMP_HEADER, MINIDUMP_MEMORY64_LIST, MINIDUMP_MEMORY_INFO_LIST, MINIDUMP_MEMORY_LIST, NE, PE, Packer, Resource, RichHdr, STRING, StringFileInfo, StringTable, VS_FIXEDFILEINFO, VS_VERSIONINFO, Var, VarFileInfo, VersionString, WIN_CERTIFICATE

Constant Summary

# Gem version string; the canonical value lives in PEdump::Version::STRING
# (lib/pedump/version.rb).
VERSION =
Version::STRING
# NOTE(review): presumably the number of parse errors tolerated before the
# dumper gives up on a malformed input — confirm against its uses in
# lib/pedump.rb, they are not on this page.
MAX_ERRORS =
100
# Ceiling for walking the import descriptor table.  A crafted file can
# declare an arbitrarily long descriptor chain, so the walker needs a hard
# cap; presumably this is it (the walker itself is not on this page).
MAX_IMAGE_IMPORT_DESCRIPTORS =
1000
# Ceiling for IMAGE_EXPORT_DIRECTORY.NumberOfNames.  The on-disk field is an
# unbounded uint32, so any loop over the name tables must be capped —
# presumably by this constant; confirm in the export parser.
MAX_EXPORT_NUMBER_OF_NAMES =
16384
# Printable-ASCII-only filter for import/export names: every byte must be in
# 0x21..0x7f (no spaces, no control characters).  NOTE(review): \Z also
# matches before a single trailing "\n"; \z would be strict.  Harmless as
# long as callers strip names first, but worth knowing when this regexp is
# used as a sanity gate on attacker-supplied strings.
GOOD_FUNCTION_NAME_RE =
/\A[\x21-\x7f]+\Z/
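# Two-byte file signatures the dumper is willing to parse: "MZ" (DOS/PE),
# "ZM" (the byte-swapped variant older Windows loaders also accepted) and
# "VZ" (the TE / Terse Executable header, see lib/pedump/te.rb).
# Frozen so that no caller can widen the accepted set by mutating the
# constant in place; this list gates parsing of untrusted input.
SUPPORTED_SIGNATURES =
%w[MZ ZM VZ].freeze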
# IMAGE_DOS_HEADER (the "MZ" stub header), 64 bytes, little-endian.
# Pack layout "a2v13Qv2V6": a2 = signature; v13 = the thirteen uint16
# fields bytes_in_last_block..overlay_number; Q = reserved0 read as one
# uint64 (8 bytes); v2 = oem_id/oem_info; V6 = reserved2..reserved6
# (5 x uint32 = 20 bytes) followed by lfanew.
# lfanew is the only field that steers further parsing and it comes
# straight from the file: whatever seeks to it must range-check it against
# the input size first.  NOTE(review): that check is not visible on this page.
MZ =
IOStruct.new( "a2v13Qv2V6",
  :signature,           # 2 bytes, expected to be one of SUPPORTED_SIGNATURES
  :bytes_in_last_block,
  :blocks_in_file,
  :num_relocs,
  :header_paragraphs,
  :min_extra_paragraphs,
  :max_extra_paragraphs,
  :ss,
  :sp,
  :checksum,
  :ip,
  :cs,
  :reloc_table_offset,
  :overlay_number,
  :reserved0,           #  8 reserved bytes
  :oem_id,
  :oem_info,
  :reserved2,           # 20 reserved bytes
  :reserved3,
  :reserved4,
  :reserved5,
  :reserved6,
  :lfanew               # file offset of the PE (or TE) header; untrusted
)
# One IMAGE_DATA_DIRECTORY slot: two little-endian uint32 ("VV") — an RVA and
# a byte size.  :type has no counterpart in the pack string, so it is a
# parser-filled field rather than something read from disk (presumably the
# directory index this entry came from).  Both :va and :size are
# attacker-controlled; resolve/slice with bounds checks.
IMAGE_DATA_DIRECTORY =
IOStruct.new( "VV", :va, :size, :type )
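# Subsystem names indexed by IMAGE_OPTIONAL_HEADER.Subsystem.  The nil holes
# are values the PE spec leaves unassigned, so a lookup on them yields nil
# instead of a neighbouring (wrong) name; an index past the end also yields
# nil.  Spelled out as one literal with index comments so a misplaced entry
# is visible at a glance, and frozen so the table cannot drift at runtime.
IMAGE_SUBSYSTEMS = [
  'UNKNOWN',                   #  0
  'NATIVE',                    #  1
  'WINDOWS_GUI',               #  2
  'WINDOWS_CUI',               #  3
  nil,                         #  4 (unassigned)
  'OS2_CUI',                   #  5
  nil,                         #  6 (unassigned)
  'POSIX_CUI',                 #  7
  nil,                         #  8 (unassigned)
  'WINDOWS_CE_GUI',            #  9
  'EFI_APPLICATION',           # 10
  'EFI_BOOT_SERVICE_DRIVER',   # 11
  'EFI_RUNTIME_DRIVER',        # 12
  'EFI_ROM',                   # 13
  'XBOX',                      # 14
  nil,                         # 15 (unassigned)
  'WINDOWS_BOOT_APPLICATION',  # 16
].freeze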
# IMAGE_IMPORT_DESCRIPTOR: five little-endian uint32 ("V5", 20 bytes).
# The fields after "# manual:" are not unpacked from disk; the parser fills
# them in.  The three address fields are RVAs read from the file, so each
# needs a section/bounds check before being dereferenced; the descriptor
# table walk is presumably capped by MAX_IMAGE_IMPORT_DESCRIPTORS (the
# walker itself is not on this page).
IMAGE_IMPORT_DESCRIPTOR =
IOStruct.new 'V5',
:OriginalFirstThunk,    # RVA of the import lookup table (INT) per the PE spec; may be 0
:TimeDateStamp,
:ForwarderChain,
:Name,                  # RVA of the NUL-terminated DLL name
:FirstThunk,            # RVA of the import address table (IAT)
# manual:
:module_name,           # resolved DLL name string
:original_first_thunk,  # parsed INT entries
:first_thunk            # parsed IAT entries
# IMAGE_EXPORT_DIRECTORY, 40 bytes on disk: "V2v2V7" = 2 x uint32,
# 2 x uint16, 7 x uint32, all little-endian.  Fields after "# manual:" are
# parser-filled, not unpacked.  The three AddressOf* fields are RVAs taken
# from the file and both counts are unbounded on disk (see the note on
# NumberOfFunctions), so every loop over these tables must be capped —
# presumably MAX_EXPORT_NUMBER_OF_NAMES bounds NumberOfNames; the parser is
# not on this page.
IMAGE_EXPORT_DIRECTORY =
IOStruct.new 'V2v2V7',
:Characteristics,       # export flags; reserved (0) per the PE spec
:TimeDateStamp,
:MajorVersion,          # These fields appear to be unused and are set to 0.
:MinorVersion,          # These fields appear to be unused and are set to 0.
:Name,                  # RVA of the exporting module's name string
:Base,                  # The starting ordinal number for exported functions
:NumberOfFunctions,     # UNSIGNED!, perfectly valid when = 0xffff_ffff, see corkami/dllord.dll
:NumberOfNames,         # entry count of AddressOfNames / AddressOfNameOrdinals; untrusted
:AddressOfFunctions,    # RVA of the export address table (NumberOfFunctions x uint32)
:AddressOfNames,        # RVA of the name-pointer table (NumberOfNames x uint32 RVAs)
:AddressOfNameOrdinals, # RVA of the ordinal table (NumberOfNames x uint16)
# manual:
:name, :entry_points, :names, :name_ordinals, :functions,
:description
# Data directory entry as used by the TE header: the same "VV" (RVA, size)
# pair as IMAGE_DATA_DIRECTORY but without the manual :type field.
# Both values come from the file; bounds-check before slicing.
EFI_IMAGE_DATA_DIRECTORY =
IOStruct.new( "VV", :va, :size )
# Short alias for the TE (Terse Executable) header struct; see
# lib/pedump/te.rb for the definition of EFI_TE_IMAGE_HEADER.
TE =
EFI_TE_IMAGE_HEADER
# 32-bit TLS directory: six little-endian uint32 ("V6", 24 bytes).
# Field names match IMAGE_TLS_DIRECTORY64 so callers can treat either the
# same way.  Per the PE spec the first four are absolute virtual addresses
# (not RVAs), so they need ImageBase subtracted before a section lookup.
# AddressOfCallBacks points at a NUL-terminated array of callback pointers
# that the loader runs before the entry point — a field worth surfacing
# when triaging a sample.
IMAGE_TLS_DIRECTORY32 =
IOStruct.new 'V6',
:StartAddressOfRawData, # VA of the TLS template start
:EndAddressOfRawData,   # VA of the TLS template end
:AddressOfIndex,        # VA of the TLS index slot
:AddressOfCallBacks,    # VA of the callback pointer array; untrusted
:SizeOfZeroFill,
:Characteristics
# 64-bit TLS directory: four little-endian uint64 followed by two uint32
# ("Q4V2", 40 bytes).  Same field names as IMAGE_TLS_DIRECTORY32; only the
# width of the four address fields differs.  Per the PE spec the addresses
# are absolute VAs (not RVAs) and AddressOfCallBacks leads to a
# NUL-terminated array of callbacks the loader runs before the entry point.
IMAGE_TLS_DIRECTORY64 =
IOStruct.new 'Q4V2',
:StartAddressOfRawData, # 64-bit VA
:EndAddressOfRawData,   # 64-bit VA
:AddressOfIndex,        # 64-bit VA
:AddressOfCallBacks,    # 64-bit VA of the callback pointer array; untrusted
:SizeOfZeroFill,        # uint32
:Characteristics        # uint32
RICH_IDS =
{
  0x00010000 => "[---] Unmarked objects",
  0x00000000 => "[---] Unmarked objects (old)",
  0x01047086 => "[ C ] VS2019 v16.6.2 build 28806",
  0x01037086 => "[ASM] VS2019 v16.6.2 build 28806",
  0x01057086 => "[C++] VS2019 v16.6.2 build 28806",
  0x00ff7086 => "[RES] VS2019 v16.6.2 build 28806",
  0x01027086 => "[LNK] VS2019 v16.6.2 build 28806",
  0x01007086 => "[EXP] VS2019 v16.6.2 build 28806",
  0x01017086 => "[IMP] VS2019 v16.6.2 build 28806",
  0x01047085 => "[ C ] VS2019 v16.6.0 build 28805",
  0x01037085 => "[ASM] VS2019 v16.6.0 build 28805",
  0x01057085 => "[C++] VS2019 v16.6.0 build 28805",
  0x00ff7085 => "[RES] VS2019 v16.6.0 build 28805",
  0x01027085 => "[LNK] VS2019 v16.6.0 build 28805",
  0x01007085 => "[EXP] VS2019 v16.6.0 build 28805",
  0x01017085 => "[IMP] VS2019 v16.6.0 build 28805",
  0x01046fc6 => "[ C ] VS2019 v16.5.5 build 28614",
  0x01036fc6 => "[ASM] VS2019 v16.5.5 build 28614",
  0x01056fc6 => "[C++] VS2019 v16.5.5 build 28614",
  0x00ff6fc6 => "[RES] VS2019 v16.5.5 build 28614",
  0x01026fc6 => "[LNK] VS2019 v16.5.5 build 28614",
  0x01006fc6 => "[EXP] VS2019 v16.5.5 build 28614",
  0x01016fc6 => "[IMP] VS2019 v16.5.5 build 28614",
  0x01046fc4 => "[ C ] VS2019 v16.5.2 build 28612 (*)",
  0x01036fc4 => "[ASM] VS2019 v16.5.2 build 28612 (*)",
  0x01056fc4 => "[C++] VS2019 v16.5.2 build 28612 (*)",
  0x00ff6fc4 => "[RES] VS2019 v16.5.2 build 28612 (*)",
  0x01026fc4 => "[LNK] VS2019 v16.5.2 build 28612 (*)",
  0x01016fc4 => "[IMP] VS2019 v16.5.2 build 28612 (*)",
  0x01006fc4 => "[EXP] VS2019 v16.5.2 build 28612 (*)",
  0x01046fc3 => "[ C ] VS2019 v16.5.1 build 28611 (*)",
  0x01036fc3 => "[ASM] VS2019 v16.5.1 build 28611 (*)",
  0x01056fc3 => "[C++] VS2019 v16.5.1 build 28611 (*)",
  0x00ff6fc3 => "[RES] VS2019 v16.5.1 build 28611 (*)",
  0x01026fc3 => "[LNK] VS2019 v16.5.1 build 28611 (*)",
  0x01016fc3 => "[IMP] VS2019 v16.5.1 build 28611 (*)",
  0x01006fc3 => "[EXP] VS2019 v16.5.1 build 28611 (*)",
  0x01046fc2 => "[ C ] VS2019 v16.5.0 build 28610 (*)",
  0x01036fc2 => "[ASM] VS2019 v16.5.0 build 28610 (*)",
  0x01056fc2 => "[C++] VS2019 v16.5.0 build 28610 (*)",
  0x00ff6fc2 => "[RES] VS2019 v16.5.0 build 28610 (*)",
  0x01026fc2 => "[LNK] VS2019 v16.5.0 build 28610 (*)",
  0x01016fc2 => "[IMP] VS2019 v16.5.0 build 28610 (*)",
  0x01006fc2 => "[EXP] VS2019 v16.5.0 build 28610 (*)",
  0x01046e9f => "[ C ] VS2019 v16.4.6 build 28319 (*)",
  0x01036e9f => "[ASM] VS2019 v16.4.6 build 28319 (*)",
  0x01056e9f => "[C++] VS2019 v16.4.6 build 28319 (*)",
  0x00ff6e9f => "[RES] VS2019 v16.4.6 build 28319 (*)",
  0x01026e9f => "[LNK] VS2019 v16.4.6 build 28319 (*)",
  0x01006e9f => "[EXP] VS2019 v16.4.6 build 28319 (*)",
  0x01016e9f => "[IMP] VS2019 v16.4.6 build 28319 (*)",
  0x01046e9c => "[ C ] VS2019 v16.4.4 build 28316 (*)",
  0x01036e9c => "[ASM] VS2019 v16.4.4 build 28316 (*)",
  0x01056e9c => "[C++] VS2019 v16.4.4 build 28316 (*)",
  0x00ff6e9c => "[RES] VS2019 v16.4.4 build 28316 (*)",
  0x01026e9c => "[LNK] VS2019 v16.4.4 build 28316 (*)",
  0x01006e9c => "[EXP] VS2019 v16.4.4 build 28316 (*)",
  0x01016e9c => "[IMP] VS2019 v16.4.4 build 28316 (*)",
  0x01046e9b => "[ C ] VS2019 v16.4.3 build 28315",
  0x01036e9b => "[ASM] VS2019 v16.4.3 build 28315",
  0x01056e9b => "[C++] VS2019 v16.4.3 build 28315",
  0x00ff6e9b => "[RES] VS2019 v16.4.3 build 28315",
  0x01026e9b => "[LNK] VS2019 v16.4.3 build 28315",
  0x01006e9b => "[EXP] VS2019 v16.4.3 build 28315",
  0x01016e9b => "[IMP] VS2019 v16.4.3 build 28315",
  0x01046e9a => "[ C ] VS2019 v16.4.0 build 28314 (*)",
  0x01036e9a => "[ASM] VS2019 v16.4.0 build 28314 (*)",
  0x01056e9a => "[C++] VS2019 v16.4.0 build 28314 (*)",
  0x00ff6e9a => "[RES] VS2019 v16.4.0 build 28314 (*)",
  0x01026e9a => "[LNK] VS2019 v16.4.0 build 28314 (*)",
  0x01016e9a => "[IMP] VS2019 v16.4.0 build 28314 (*)",
  0x01006e9a => "[EXP] VS2019 v16.4.0 build 28314 (*)",
  0x01046dc9 => "[ C ] VS2019 v16.3.2 build 28105 (*)",
  0x01036dc9 => "[ASM] VS2019 v16.3.2 build 28105 (*)",
  0x01056dc9 => "[C++] VS2019 v16.3.2 build 28105 (*)",
  0x00ff6dc9 => "[RES] VS2019 v16.3.2 build 28105 (*)",
  0x01026dc9 => "[LNK] VS2019 v16.3.2 build 28105 (*)",
  0x01016dc9 => "[IMP] VS2019 v16.3.2 build 28105 (*)",
  0x01006dc9 => "[EXP] VS2019 v16.3.2 build 28105 (*)",
  0x01046d01 => "[ C ] VS2019 v16.2.3 build 27905 (*)",
  0x01036d01 => "[ASM] VS2019 v16.2.3 build 27905 (*)",
  0x01056d01 => "[C++] VS2019 v16.2.3 build 27905 (*)",
  0x00ff6d01 => "[RES] VS2019 v16.2.3 build 27905 (*)",
  0x01026d01 => "[LNK] VS2019 v16.2.3 build 27905 (*)",
  0x01016d01 => "[IMP] VS2019 v16.2.3 build 27905 (*)",
  0x01006d01 => "[EXP] VS2019 v16.2.3 build 27905 (*)",
  0x01046c36 => "[ C ] VS2019 v16.1.2 build 27702 (*)",
  0x01036c36 => "[ASM] VS2019 v16.1.2 build 27702 (*)",
  0x01056c36 => "[C++] VS2019 v16.1.2 build 27702 (*)",
  0x00ff6c36 => "[RES] VS2019 v16.1.2 build 27702 (*)",
  0x01026c36 => "[LNK] VS2019 v16.1.2 build 27702 (*)",
  0x01016c36 => "[IMP] VS2019 v16.1.2 build 27702 (*)",
  0x01006c36 => "[EXP] VS2019 v16.1.2 build 27702 (*)",
  0x01046b74 => "[ C ] VS2019 v16.0.0 build 27508",
  0x01036b74 => "[ASM] VS2019 v16.0.0 build 27508",
  0x01056b74 => "[C++] VS2019 v16.0.0 build 27508",
  0x00ff6b74 => "[RES] VS2019 v16.0.0 build 27508",
  0x01026b74 => "[LNK] VS2019 v16.0.0 build 27508",
  0x01006b74 => "[EXP] VS2019 v16.0.0 build 27508",
  0x01016b74 => "[IMP] VS2019 v16.0.0 build 27508",
  0x01046996 => "[ C ] VS2017 v15.9.11 build 27030 (*)",
  0x01036996 => "[ASM] VS2017 v15.9.11 build 27030 (*)",
  0x01056996 => "[C++] VS2017 v15.9.11 build 27030 (*)",
  0x00ff6996 => "[RES] VS2017 v15.9.11 build 27030 (*)",
  0x01026996 => "[LNK] VS2017 v15.9.11 build 27030 (*)",
  0x01016996 => "[IMP] VS2017 v15.9.11 build 27030 (*)",
  0x01006996 => "[EXP] VS2017 v15.9.11 build 27030 (*)",
  0x01046993 => "[ C ] VS2017 v15.9.7 build 27027 (*)",
  0x01036993 => "[ASM] VS2017 v15.9.7 build 27027 (*)",
  0x01056993 => "[C++] VS2017 v15.9.7 build 27027 (*)",
  0x00ff6993 => "[RES] VS2017 v15.9.7 build 27027 (*)",
  0x01026993 => "[LNK] VS2017 v15.9.7 build 27027 (*)",
  0x01016993 => "[IMP] VS2017 v15.9.7 build 27027 (*)",
  0x01006993 => "[EXP] VS2017 v15.9.7 build 27027 (*)",
  0x01046992 => "[ C ] VS2017 v15.9.5 build 27026 (*)",
  0x01036992 => "[ASM] VS2017 v15.9.5 build 27026 (*)",
  0x01056992 => "[C++] VS2017 v15.9.5 build 27026 (*)",
  0x00ff6992 => "[RES] VS2017 v15.9.5 build 27026 (*)",
  0x01026992 => "[LNK] VS2017 v15.9.5 build 27026 (*)",
  0x01016992 => "[IMP] VS2017 v15.9.5 build 27026 (*)",
  0x01006992 => "[EXP] VS2017 v15.9.5 build 27026 (*)",
  0x01046991 => "[ C ] VS2017 v15.9.4 build 27025 (*)",
  0x01036991 => "[ASM] VS2017 v15.9.4 build 27025 (*)",
  0x01056991 => "[C++] VS2017 v15.9.4 build 27025 (*)",
  0x00ff6991 => "[RES] VS2017 v15.9.4 build 27025 (*)",
  0x01026991 => "[LNK] VS2017 v15.9.4 build 27025 (*)",
  0x01016991 => "[IMP] VS2017 v15.9.4 build 27025 (*)",
  0x01006991 => "[EXP] VS2017 v15.9.4 build 27025 (*)",
  0x0104698f => "[ C ] VS2017 v15.9.1 build 27023 (*)",
  0x0103698f => "[ASM] VS2017 v15.9.1 build 27023 (*)",
  0x0105698f => "[C++] VS2017 v15.9.1 build 27023 (*)",
  0x00ff698f => "[RES] VS2017 v15.9.1 build 27023 (*)",
  0x0102698f => "[LNK] VS2017 v15.9.1 build 27023 (*)",
  0x0101698f => "[IMP] VS2017 v15.9.1 build 27023 (*)",
  0x0100698f => "[EXP] VS2017 v15.9.1 build 27023 (*)",
  0x0104686c => "[ C ] VS2017 v15.8.5 build 26732 (*)",
  0x0103686c => "[ASM] VS2017 v15.8.5 build 26732 (*)",
  0x0105686c => "[C++] VS2017 v15.8.5 build 26732 (*)",
  0x00ff686c => "[RES] VS2017 v15.8.5 build 26732 (*)",
  0x0102686c => "[LNK] VS2017 v15.8.5 build 26732 (*)",
  0x0101686c => "[IMP] VS2017 v15.8.5 build 26732 (*)",
  0x0100686c => "[EXP] VS2017 v15.8.5 build 26732 (*)",
  0x0104686a => "[ C ] VS2017 v15.8.9? build 26730 (*)",
  0x0103686a => "[ASM] VS2017 v15.8.9? build 26730 (*)",
  0x0105686a => "[C++] VS2017 v15.8.9? build 26730 (*)",
  0x00ff686a => "[RES] VS2017 v15.8.9? build 26730 (*)",
  0x0102686a => "[LNK] VS2017 v15.8.9? build 26730 (*)",
  0x0101686a => "[IMP] VS2017 v15.8.9? build 26730 (*)",
  0x0100686a => "[EXP] VS2017 v15.8.9? build 26730 (*)",
  0x01046869 => "[ C ] VS2017 v15.8.4 build 26729 (*)",
  0x01036869 => "[ASM] VS2017 v15.8.4 build 26729 (*)",
  0x01056869 => "[C++] VS2017 v15.8.4 build 26729 (*)",
  0x00ff6869 => "[RES] VS2017 v15.8.4 build 26729 (*)",
  0x01026869 => "[LNK] VS2017 v15.8.4 build 26729 (*)",
  0x01016869 => "[IMP] VS2017 v15.8.4 build 26729 (*)",
  0x01006869 => "[EXP] VS2017 v15.8.4 build 26729 (*)",
  0x01046866 => "[ C ] VS2017 v15.8.0 build 26726 (*)",
  0x01036866 => "[ASM] VS2017 v15.8.0 build 26726 (*)",
  0x01056866 => "[C++] VS2017 v15.8.0 build 26726 (*)",
  0x00ff6866 => "[RES] VS2017 v15.8.0 build 26726 (*)",
  0x01026866 => "[LNK] VS2017 v15.8.0 build 26726 (*)",
  0x01016866 => "[IMP] VS2017 v15.8.0 build 26726 (*)",
  0x01006866 => "[EXP] VS2017 v15.8.0 build 26726 (*)",
  0x01046741 => "[ C ] VS2017 v15.7.5 build 26433 (*)",
  0x01036741 => "[ASM] VS2017 v15.7.5 build 26433 (*)",
  0x01056741 => "[C++] VS2017 v15.7.5 build 26433 (*)",
  0x00ff6741 => "[RES] VS2017 v15.7.5 build 26433 (*)",
  0x01026741 => "[LNK] VS2017 v15.7.5 build 26433 (*)",
  0x01016741 => "[IMP] VS2017 v15.7.5 build 26433 (*)",
  0x01006741 => "[EXP] VS2017 v15.7.5 build 26433 (*)",
  0x0104673f => "[ C ] VS2017 v15.7.4 build 26431 (*)",
  0x0103673f => "[ASM] VS2017 v15.7.4 build 26431 (*)",
  0x0105673f => "[C++] VS2017 v15.7.4 build 26431 (*)",
  0x00ff673f => "[RES] VS2017 v15.7.4 build 26431 (*)",
  0x0102673f => "[LNK] VS2017 v15.7.4 build 26431 (*)",
  0x0101673f => "[IMP] VS2017 v15.7.4 build 26431 (*)",
  0x0100673f => "[EXP] VS2017 v15.7.4 build 26431 (*)",
  0x0104673e => "[ C ] VS2017 v15.7.3 build 26430 (*)",
  0x0103673e => "[ASM] VS2017 v15.7.3 build 26430 (*)",
  0x0105673e => "[C++] VS2017 v15.7.3 build 26430 (*)",
  0x00ff673e => "[RES] VS2017 v15.7.3 build 26430 (*)",
  0x0102673e => "[LNK] VS2017 v15.7.3 build 26430 (*)",
  0x0101673e => "[IMP] VS2017 v15.7.3 build 26430 (*)",
  0x0100673e => "[EXP] VS2017 v15.7.3 build 26430 (*)",
  0x0104673d => "[ C ] VS2017 v15.7.2 build 26429 (*)",
  0x0103673d => "[ASM] VS2017 v15.7.2 build 26429 (*)",
  0x0105673d => "[C++] VS2017 v15.7.2 build 26429 (*)",
  0x00ff673d => "[RES] VS2017 v15.7.2 build 26429 (*)",
  0x0102673d => "[LNK] VS2017 v15.7.2 build 26429 (*)",
  0x0101673d => "[IMP] VS2017 v15.7.2 build 26429 (*)",
  0x0100673d => "[EXP] VS2017 v15.7.2 build 26429 (*)",
  0x0104673c => "[ C ] VS2017 v15.7.1 build 26428 (*)",
  0x0103673c => "[ASM] VS2017 v15.7.1 build 26428 (*)",
  0x0105673c => "[C++] VS2017 v15.7.1 build 26428 (*)",
  0x00ff673c => "[RES] VS2017 v15.7.1 build 26428 (*)",
  0x0102673c => "[LNK] VS2017 v15.7.1 build 26428 (*)",
  0x0101673c => "[IMP] VS2017 v15.7.1 build 26428 (*)",
  0x0100673c => "[EXP] VS2017 v15.7.1 build 26428 (*)",
  0x01046614 => "[ C ] VS2017 v15.6.7 build 26132 (*)",
  0x01036614 => "[ASM] VS2017 v15.6.7 build 26132 (*)",
  0x01056614 => "[C++] VS2017 v15.6.7 build 26132 (*)",
  0x00ff6614 => "[RES] VS2017 v15.6.7 build 26132 (*)",
  0x01026614 => "[LNK] VS2017 v15.6.7 build 26132 (*)",
  0x01016614 => "[IMP] VS2017 v15.6.7 build 26132 (*)",
  0x01006614 => "[EXP] VS2017 v15.6.7 build 26132 (*)",
  0x01046613 => "[ C ] VS2017 v15.6.6 build 26131 (*)",
  0x01036613 => "[ASM] VS2017 v15.6.6 build 26131 (*)",
  0x01056613 => "[C++] VS2017 v15.6.6 build 26131 (*)",
  0x00ff6613 => "[RES] VS2017 v15.6.6 build 26131 (*)",
  0x01026613 => "[LNK] VS2017 v15.6.6 build 26131 (*)",
  0x01016613 => "[IMP] VS2017 v15.6.6 build 26131 (*)",
  0x01006613 => "[EXP] VS2017 v15.6.6 build 26131 (*)",
  0x01046611 => "[ C ] VS2017 v15.6.3 build 26129 (*)",
  0x01036611 => "[ASM] VS2017 v15.6.3 build 26129 (*)",
  0x01056611 => "[C++] VS2017 v15.6.3 build 26129 (*)",
  0x00ff6611 => "[RES] VS2017 v15.6.3 build 26129 (*)",
  0x01026611 => "[LNK] VS2017 v15.6.3 build 26129 (*)",
  0x01016611 => "[IMP] VS2017 v15.6.3 build 26129 (*)",
  0x01006611 => "[EXP] VS2017 v15.6.3 build 26129 (*)",
  0x01046610 => "[ C ] VS2017 v15.6.0 build 26128 (*)",
  0x01036610 => "[ASM] VS2017 v15.6.0 build 26128 (*)",
  0x01056610 => "[C++] VS2017 v15.6.0 build 26128 (*)",
  0x00ff6610 => "[RES] VS2017 v15.6.0 build 26128 (*)",
  0x01026610 => "[LNK] VS2017 v15.6.0 build 26128 (*)",
  0x01016610 => "[IMP] VS2017 v15.6.0 build 26128 (*)",
  0x01006610 => "[EXP] VS2017 v15.6.0 build 26128 (*)",
  0x010464eb => "[ C ] VS2017 v15.5.6 build 25835 (*)",
  0x010364eb => "[ASM] VS2017 v15.5.6 build 25835 (*)",
  0x010564eb => "[C++] VS2017 v15.5.6 build 25835 (*)",
  0x00ff64eb => "[RES] VS2017 v15.5.6 build 25835 (*)",
  0x010264eb => "[LNK] VS2017 v15.5.6 build 25835 (*)",
  0x010164eb => "[IMP] VS2017 v15.5.6 build 25835 (*)",
  0x010064eb => "[EXP] VS2017 v15.5.6 build 25835 (*)",
  0x010464ea => "[ C ] VS2017 v15.5.4 build 25834",
  0x010364ea => "[ASM] VS2017 v15.5.4 build 25834",
  0x010564ea => "[C++] VS2017 v15.5.4 build 25834",
  0x00ff64ea => "[RES] VS2017 v15.5.4 build 25834",
  0x010264ea => "[LNK] VS2017 v15.5.4 build 25834",
  0x010064ea => "[EXP] VS2017 v15.5.4 build 25834",
  0x010164ea => "[IMP] VS2017 v15.5.4 build 25834",
  0x010464e7 => "[ C ] VS2017 v15.5.2 build 25831 (*)",
  0x010364e7 => "[ASM] VS2017 v15.5.2 build 25831 (*)",
  0x010564e7 => "[C++] VS2017 v15.5.2 build 25831 (*)",
  0x00ff64e7 => "[RES] VS2017 v15.5.2 build 25831 (*)",
  0x010264e7 => "[LNK] VS2017 v15.5.2 build 25831 (*)",
  0x010164e7 => "[IMP] VS2017 v15.5.2 build 25831 (*)",
  0x010064e7 => "[EXP] VS2017 v15.5.2 build 25831 (*)",
  0x010463cb => "[ C ] VS2017 v15.4.5 build 25547 (*)",
  0x010363cb => "[ASM] VS2017 v15.4.5 build 25547 (*)",
  0x010563cb => "[C++] VS2017 v15.4.5 build 25547 (*)",
  0x00ff63cb => "[RES] VS2017 v15.4.5 build 25547 (*)",
  0x010263cb => "[LNK] VS2017 v15.4.5 build 25547 (*)",
  0x010163cb => "[IMP] VS2017 v15.4.5 build 25547 (*)",
  0x010063cb => "[EXP] VS2017 v15.4.5 build 25547 (*)",
  0x010463c6 => "[ C ] VS2017 v15.4.4 build 25542 (*)",
  0x010363c6 => "[ASM] VS2017 v15.4.4 build 25542 (*)",
  0x010563c6 => "[C++] VS2017 v15.4.4 build 25542 (*)",
  0x00ff63c6 => "[RES] VS2017 v15.4.4 build 25542 (*)",
  0x010263c6 => "[LNK] VS2017 v15.4.4 build 25542 (*)",
  0x010163c6 => "[IMP] VS2017 v15.4.4 build 25542 (*)",
  0x010063c6 => "[EXP] VS2017 v15.4.4 build 25542 (*)",
  0x010463a3 => "[ C ] VS2017 v15.3.3 build 25507 (*)",
  0x010363a3 => "[ASM] VS2017 v15.3.3 build 25507 (*)",
  0x010563a3 => "[C++] VS2017 v15.3.3 build 25507 (*)",
  0x00ff63a3 => "[RES] VS2017 v15.3.3 build 25507 (*)",
  0x010263a3 => "[LNK] VS2017 v15.3.3 build 25507 (*)",
  0x010163a3 => "[IMP] VS2017 v15.3.3 build 25507 (*)",
  0x010063a3 => "[EXP] VS2017 v15.3.3 build 25507 (*)",
  0x010463a2 => "[ C ] VS2017 v15.3 build 25506 (*)",
  0x010363a2 => "[ASM] VS2017 v15.3 build 25506 (*)",
  0x010563a2 => "[C++] VS2017 v15.3 build 25506 (*)",
  0x00ff63a2 => "[RES] VS2017 v15.3 build 25506 (*)",
  0x010263a2 => "[LNK] VS2017 v15.3 build 25506 (*)",
  0x010163a2 => "[IMP] VS2017 v15.3 build 25506 (*)",
  0x010063a2 => "[EXP] VS2017 v15.3 build 25506 (*)",
  0x010461b9 => "[ C ] VS2017 v15.0 build 25017 (*)",
  0x010361b9 => "[ASM] VS2017 v15.0 build 25017 (*)",
  0x010561b9 => "[C++] VS2017 v15.0 build 25017 (*)",
  0x00ff61b9 => "[RES] VS2017 v15.0 build 25017 (*)",
  0x010261b9 => "[LNK] VS2017 v15.0 build 25017 (*)",
  0x010161b9 => "[IMP] VS2017 v15.0 build 25017 (*)",
  0x010061b9 => "[EXP] VS2017 v15.0 build 25017 (*)",
  0x01045e97 => "[ C ] VS2015 UPD3.1 build 24215",
  0x01055e97 => "[C++] VS2015 UPD3.1 build 24215",
  0x01025e97 => "[LNK] VS2015 UPD3.1 build 24215",
  0x01005e97 => "[EXP] VS2015 UPD3.1 build 24215",
  0x01015e97 => "[IMP] VS2015 UPD3.1 build 24215",
  0x01045e95 => "[ C ] VS2015 UPD3 build 24213",
  0x01035e92 => "[ASM] VS2015 UPD3 build 24210",
  0x01055e95 => "[C++] VS2015 UPD3 build 24213",
  0x00ff5e92 => "[RES] VS2015 UPD3 build 24210",
  0x01025e95 => "[LNK] VS2015 UPD3 build 24213",
  0x01005e95 => "[EXP] VS2015 UPD3 build 24213",
  0x01015e95 => "[IMP] VS2015 UPD3 build 24213",
  0x01045e92 => "[ C ] VS2015 Update 3 [14.0] build 24210 (*)",
  0x01055e92 => "[C++] VS2015 Update 3 [14.0] build 24210 (*)",
  0x01025e92 => "[LNK] VS2015 Update 3 [14.0] build 24210 (*)",
  0x01015e92 => "[IMP] VS2015 Update 3 [14.0] build 24210 (*)",
  0x01005e92 => "[EXP] VS2015 Update 3 [14.0] build 24210 (*)",
  0x01045d6e => "[ C ] VS2015 UPD2 build 23918",
  0x01035d6e => "[ASM] VS2015 UPD2 build 23918",
  0x01055d6e => "[C++] VS2015 UPD2 build 23918",
  0x00ff5d6e => "[RES] VS2015 UPD2 build 23918",
  0x01025d6e => "[LNK] VS2015 UPD2 build 23918",
  0x01005d6e => "[EXP] VS2015 UPD2 build 23918",
  0x01015d6e => "[IMP] VS2015 UPD2 build 23918",
  0x01045bd2 => "[ C ] VS2015 UPD1 build 23506",
  0x01035bd2 => "[ASM] VS2015 UPD1 build 23506",
  0x01055bd2 => "[C++] VS2015 UPD1 build 23506",
  0x00ff5bd2 => "[RES] VS2015 UPD1 build 23506",
  0x01025bd2 => "[LNK] VS2015 UPD1 build 23506",
  0x01005bd2 => "[EXP] VS2015 UPD1 build 23506",
  0x01015bd2 => "[IMP] VS2015 UPD1 build 23506",
  0x010459f2 => "[ C ] VS2015 [14.0] build 23026",
  0x010359f2 => "[ASM] VS2015 [14.0] build 23026",
  0x010559f2 => "[C++] VS2015 [14.0] build 23026",
  0x00ff59f2 => "[RES] VS2015 [14.0] build 23026",
  0x010259f2 => "[LNK] VS2015 [14.0] build 23026",
  0x010059f2 => "[EXP] VS2015 [14.0] build 23026",
  0x010159f2 => "[IMP] VS2015 [14.0] build 23026",
  0x00e0527a => "[ C ] VS2013 Nobemver CTP [12.0] build 21114 (*)",
  0x00df527a => "[ASM] VS2013 Nobemver CTP [12.0] build 21114 (*)",
  0x00e1527a => "[C++] VS2013 Nobemver CTP [12.0] build 21114 (*)",
  0x00db527a => "[RES] VS2013 Nobemver CTP [12.0] build 21114 (*)",
  0x00de527a => "[LNK] VS2013 Nobemver CTP [12.0] build 21114 (*)",
  0x00dd527a => "[IMP] VS2013 Nobemver CTP [12.0] build 21114 (*)",
  0x00dc527a => "[EXP] VS2013 Nobemver CTP [12.0] build 21114 (*)",
  0x00e09eb5 => "[ C ] VS2013 UPD5 build 40629",
  0x00e19eb5 => "[C++] VS2013 UPD5 build 40629",
  0x00db9eb5 => "[RES] VS2013 Update 5 [12.0] build 40629 (*)",
  0x00de9eb5 => "[LNK] VS2013 UPD5 build 40629",
  0x00dc9eb5 => "[EXP] VS2013 UPD5 build 40629",
  0x00dd9eb5 => "[IMP] VS2013 UPD5 build 40629",
  0x00df9eb5 => "[ASM] VS2013 UPD5 build 40629",
  0x00e0797d => "[ C ] VS2013 UPD4 build 31101 (*)",
  0x00e1797d => "[C++] VS2013 UPD4 build 31101 (*)",
  0x00db797d => "[RES] VS2013 UPD4 build 31101 (*)",
  0x00de797d => "[LNK] VS2013 UPD4 build 31101 (*)",
  0x00dc797d => "[EXP] VS2013 UPD4 build 31101 (*)",
  0x00dd797d => "[IMP] VS2013 UPD4 build 31101 (*)",
  0x00df797d => "[ASM] VS2013 UPD4 build 31101 (*)",
  0x00e07803 => "[ C ] VS2013 UPD3 build 30723 (*)",
  0x00e17803 => "[C++] VS2013 UPD3 build 30723 (*)",
  0x00db7803 => "[RES] VS2013 UPD3 build 30723 (*)",
  0x00de7803 => "[LNK] VS2013 UPD3 build 30723 (*)",
  0x00dc7803 => "[EXP] VS2013 UPD3 build 30723 (*)",
  0x00dd7803 => "[IMP] VS2013 UPD3 build 30723 (*)",
  0x00df7803 => "[ASM] VS2013 UPD3 build 30723 (*)",
  0x00e07725 => "[ C ] VS2013 UPD2 build 30501",
  0x00e17725 => "[C++] VS2013 UPD2 build 30501",
  0x00db7725 => "[RES] VS2013 Update 2 [12.0] build 30501 (*)",
  0x00de7725 => "[LNK] VS2013 UPD2 build 30501",
  0x00dc7725 => "[EXP] VS2013 UPD2 build 30501",
  0x00dd7725 => "[IMP] VS2013 UPD2 build 30501",
  0x00df7725 => "[ASM] VS2013 UPD2 build 30501",
  0x00e07674 => "[ C ] VS2013 Update2 RC [12.0] build 30324 (*)",
  0x00df7674 => "[ASM] VS2013 Update2 RC [12.0] build 30324 (*)",
  0x00e17674 => "[C++] VS2013 Update2 RC [12.0] build 30324 (*)",
  0x00db7674 => "[RES] VS2013 Update2 RC [12.0] build 30324 (*)",
  0x00de7674 => "[LNK] VS2013 Update2 RC [12.0] build 30324 (*)",
  0x00dd7674 => "[IMP] VS2013 Update2 RC [12.0] build 30324 (*)",
  0x00dc7674 => "[EXP] VS2013 Update2 RC [12.0] build 30324 (*)",
  0x00e0520d => "[ C ] VS2013 build 21005",
  0x00e1520d => "[C++] VS2013 build 21005",
  0x00db520d => "[RES] VS2013 build 21005",
  0x00de520d => "[LNK] VS2013 build 21005",
  0x00dc520d => "[EXP] VS2013 build 21005",
  0x00dd520d => "[IMP] VS2013 build 21005",
  0x00df520d => "[ASM] VS2013 build 21005",
  0x00e0515b => "[ C ] VS2013 RC [12.0] build 20827 (*)",
  0x00df515b => "[ASM] VS2013 RC [12.0] build 20827 (*)",
  0x00e1515b => "[C++] VS2013 RC [12.0] build 20827 (*)",
  0x00db515b => "[RES] VS2013 RC [12.0] build 20827 (*)",
  0x00de515b => "[LNK] VS2013 RC [12.0] build 20827 (*)",
  0x00dd515b => "[IMP] VS2013 RC [12.0] build 20827 (*)",
  0x00dc515b => "[EXP] VS2013 RC [12.0] build 20827 (*)",
  0x00e05089 => "[ C ] VS2013 Preview [12.0] build 20617 (*)",
  0x00df5089 => "[ASM] VS2013 Preview [12.0] build 20617 (*)",
  0x00e15089 => "[C++] VS2013 Preview [12.0] build 20617 (*)",
  0x00db5089 => "[RES] VS2013 Preview [12.0] build 20617 (*)",
  0x00de5089 => "[LNK] VS2013 Preview [12.0] build 20617 (*)",
  0x00dd5089 => "[IMP] VS2013 Preview [12.0] build 20617 (*)",
  0x00dc5089 => "[EXP] VS2013 Preview [12.0] build 20617 (*)",
  0x00ceee66 => "[ C ] VS2012 UPD4 build 61030",
  0x00cfee66 => "[C++] VS2012 UPD4 build 61030",
  0x00cdee66 => "[ASM] VS2012 UPD4 build 61030",
  0x00c9ee66 => "[RES] VS2012 UPD4 build 61030",
  0x00ccee66 => "[LNK] VS2012 UPD4 build 61030",
  0x00caee66 => "[EXP] VS2012 UPD4 build 61030",
  0x00cbee66 => "[IMP] VS2012 UPD4 build 61030",
  0x00ceecc2 => "[ C ] VS2012 UPD3 build 60610 (*)",
  0x00cfecc2 => "[C++] VS2012 UPD3 build 60610 (*)",
  0x00cdecc2 => "[ASM] VS2012 UPD3 build 60610 (*)",
  0x00c9ecc2 => "[RES] VS2012 UPD3 build 60610 (*)",
  0x00ccecc2 => "[LNK] VS2012 UPD3 build 60610 (*)",
  0x00caecc2 => "[EXP] VS2012 UPD3 build 60610 (*)",
  0x00cbecc2 => "[IMP] VS2012 UPD3 build 60610 (*)",
  0x00ceeb9b => "[ C ] VS2012 UPD2 build 60315 (*)",
  0x00cfeb9b => "[C++] VS2012 UPD2 build 60315 (*)",
  0x00cdeb9b => "[ASM] VS2012 UPD2 build 60315 (*)",
  0x00c9eb9b => "[RES] VS2012 UPD2 build 60315 (*)",
  0x00cceb9b => "[LNK] VS2012 UPD2 build 60315 (*)",
  0x00caeb9b => "[EXP] VS2012 UPD2 build 60315 (*)",
  0x00cbeb9b => "[IMP] VS2012 UPD2 build 60315 (*)",
  0x00cec7a2 => "[ C ] VS2012 UPD1 build 51106 (*)",
  0x00cfc7a2 => "[C++] VS2012 UPD1 build 51106 (*)",
  0x00cdc7a2 => "[ASM] VS2012 UPD1 build 51106 (*)",
  0x00c9c7a2 => "[RES] VS2012 UPD1 build 51106 (*)",
  0x00ccc7a2 => "[LNK] VS2012 UPD1 build 51106 (*)",
  0x00cac7a2 => "[EXP] VS2012 UPD1 build 51106 (*)",
  0x00cbc7a2 => "[IMP] VS2012 UPD1 build 51106 (*)",
  0x00cec751 => "[ C ] VS2012 November CTP [11.0] build 51025 (*)",
  0x00cdc751 => "[ASM] VS2012 November CTP [11.0] build 51025 (*)",
  0x00cfc751 => "[C++] VS2012 November CTP [11.0] build 51025 (*)",
  0x00c9c751 => "[RES] VS2012 November CTP [11.0] build 51025 (*)",
  0x00ccc751 => "[LNK] VS2012 November CTP [11.0] build 51025 (*)",
  0x00cbc751 => "[IMP] VS2012 November CTP [11.0] build 51025 (*)",
  0x00cac751 => "[EXP] VS2012 November CTP [11.0] build 51025 (*)",
  0x00cec627 => "[ C ] VS2012 build 50727",
  0x00cfc627 => "[C++] VS2012 build 50727",
  0x00c9c627 => "[RES] VS2012 build 50727",
  0x00cdc627 => "[ASM] VS2012 build 50727",
  0x00cac627 => "[EXP] VS2012 build 50727",
  0x00cbc627 => "[IMP] VS2012 build 50727",
  0x00ccc627 => "[LNK] VS2012 build 50727",
  0x00aa9d1b => "[ C ] VS2010 SP1 build 40219",
  0x00ab9d1b => "[C++] VS2010 SP1 build 40219",
  0x009d9d1b => "[LNK] VS2010 SP1 build 40219",
  0x009a9d1b => "[RES] VS2010 SP1 build 40219",
  0x009b9d1b => "[EXP] VS2010 SP1 build 40219",
  0x009c9d1b => "[IMP] VS2010 SP1 build 40219",
  0x009e9d1b => "[ASM] VS2010 SP1 build 40219",
  0x00aa766f => "[ C ] VS2010 build 30319",
  0x00ab766f => "[C++] VS2010 build 30319",
  0x009d766f => "[LNK] VS2010 build 30319",
  0x009a766f => "[RES] VS2010 build 30319",
  0x009b766f => "[EXP] VS2010 build 30319",
  0x009c766f => "[IMP] VS2010 build 30319",
  0x009e766f => "[ASM] VS2010 build 30319",
  0x00aa520b => "[ C ] VS2010 Beta 2 [10.0] build 21003 (*)",
  0x009e520b => "[ASM] VS2010 Beta 2 [10.0] build 21003 (*)",
  0x00ab520b => "[C++] VS2010 Beta 2 [10.0] build 21003 (*)",
  0x009a520b => "[RES] VS2010 Beta 2 [10.0] build 21003 (*)",
  0x009d520b => "[LNK] VS2010 Beta 2 [10.0] build 21003 (*)",
  0x009c520b => "[IMP] VS2010 Beta 2 [10.0] build 21003 (*)",
  0x009b520b => "[EXP] VS2010 Beta 2 [10.0] build 21003 (*)",
  0x00aa501a => "[ C ] VS2010 Beta 1 [10.0] build 20506 (*)",
  0x009e501a => "[ASM] VS2010 Beta 1 [10.0] build 20506 (*)",
  0x00ab501a => "[C++] VS2010 Beta 1 [10.0] build 20506 (*)",
  0x009a501a => "[RES] VS2010 Beta 1 [10.0] build 20506 (*)",
  0x009d501a => "[LNK] VS2010 Beta 1 [10.0] build 20506 (*)",
  0x009c501a => "[IMP] VS2010 Beta 1 [10.0] build 20506 (*)",
  0x009b501a => "[EXP] VS2010 Beta 1 [10.0] build 20506 (*)",
  0x00837809 => "[ C ] VS2008 SP1 build 30729",
  0x00847809 => "[C++] VS2008 SP1 build 30729",
  0x00947809 => "[RES] VS2008 SP1 [9.0] build 30729 (*)",
  0x00957809 => "[ASM] VS2008 SP1 build 30729",
  0x00927809 => "[EXP] VS2008 SP1 build 30729",
  0x00937809 => "[IMP] VS2008 SP1 build 30729",
  0x00917809 => "[LNK] VS2008 SP1 build 30729",
  0x0083521e => "[ C ] VS2008 build 21022",
  0x0084521e => "[C++] VS2008 build 21022",
  0x0091521e => "[LNK] VS2008 build 21022",
  0x0094521e => "[RES] VS2008 build 21022",
  0x0092521e => "[EXP] VS2008 build 21022",
  0x0093521e => "[IMP] VS2008 build 21022",
  0x0095521e => "[ASM] VS2008 build 21022",
  0x008350e2 => "[ C ] VS2008 Beta 2 [9.0] build 20706 (*)",
  0x009550e2 => "[ASM] VS2008 Beta 2 [9.0] build 20706 (*)",
  0x008450e2 => "[C++] VS2008 Beta 2 [9.0] build 20706 (*)",
  0x009450e2 => "[RES] VS2008 Beta 2 [9.0] build 20706 (*)",
  0x009150e2 => "[LNK] VS2008 Beta 2 [9.0] build 20706 (*)",
  0x009350e2 => "[IMP] VS2008 Beta 2 [9.0] build 20706 (*)",
  0x009250e2 => "[EXP] VS2008 Beta 2 [9.0] build 20706 (*)",
  0x006dc627 => "[ C ] VS2005 build 50727",
  0x006ec627 => "[C++] VS2005 build 50727",
  0x0078c627 => "[LNK] VS2005 build 50727",
  0x007cc627 => "[RES] VS2005 build 50727",
  0x007ac627 => "[EXP] VS2005 build 50727",
  0x007bc627 => "[IMP] VS2005 build 50727",
  0x007dc627 => "[ASM] VS2005 build 50727",
  0x006dc490 => "[ C ] VS2005 [8.0] build 50320 (*)",
  0x007dc490 => "[ASM] VS2005 [8.0] build 50320 (*)",
  0x006ec490 => "[C++] VS2005 [8.0] build 50320 (*)",
  0x007cc490 => "[RES] VS2005 [8.0] build 50320 (*)",
  0x0078c490 => "[LNK] VS2005 [8.0] build 50320 (*)",
  0x007bc490 => "[IMP] VS2005 [8.0] build 50320 (*)",
  0x007ac490 => "[EXP] VS2005 [8.0] build 50320 (*)",
  0x006dc427 => "[ C ] VS2005 Beta 2 [8.0] build 50215 (*)",
  0x007dc427 => "[ASM] VS2005 Beta 2 [8.0] build 50215 (*)",
  0x006ec427 => "[C++] VS2005 Beta 2 [8.0] build 50215 (*)",
  0x007cc427 => "[RES] VS2005 Beta 2 [8.0] build 50215 (*)",
  0x0078c427 => "[LNK] VS2005 Beta 2 [8.0] build 50215 (*)",
  0x007bc427 => "[IMP] VS2005 Beta 2 [8.0] build 50215 (*)",
  0x007ac427 => "[EXP] VS2005 Beta 2 [8.0] build 50215 (*)",
  0x006d9e9f => "[ C ] VS2005 Beta 1 [8.0] build 40607 (*)",
  0x007d9e9f => "[ASM] VS2005 Beta 1 [8.0] build 40607 (*)",
  0x006e9e9f => "[C++] VS2005 Beta 1 [8.0] build 40607 (*)",
  0x007c9e9f => "[RES] VS2005 Beta 1 [8.0] build 40607 (*)",
  0x00789e9f => "[LNK] VS2005 Beta 1 [8.0] build 40607 (*)",
  0x007b9e9f => "[IMP] VS2005 Beta 1 [8.0] build 40607 (*)",
  0x007a9e9f => "[EXP] VS2005 Beta 1 [8.0] build 40607 (*)",
  0x006d9d76 => "[ C ] Windows Server 2003 SP1 DDK (for AMD64) build 40310 (*)",
  0x007d9d76 => "[ASM] Windows Server 2003 SP1 DDK (for AMD64) build 40310 (*)",
  0x006e9d76 => "[C++] Windows Server 2003 SP1 DDK (for AMD64) build 40310 (*)",
  0x007c9d76 => "[RES] Windows Server 2003 SP1 DDK (for AMD64) build 40310 (*)",
  0x00789d76 => "[LNK] Windows Server 2003 SP1 DDK (for AMD64) build 40310 (*)",
  0x007b9d76 => "[IMP] Windows Server 2003 SP1 DDK (for AMD64) build 40310 (*)",
  0x007a9d76 => "[EXP] Windows Server 2003 SP1 DDK (for AMD64) build 40310 (*)",
  0x005f178e => "[ C ] VS2003 (.NET) SP1 build 6030",
  0x0060178e => "[C++] VS2003 (.NET) SP1 build 6030",
  0x005a178e => "[LNK] VS2003 (.NET) SP1 build 6030",
  0x000f178e => "[ASM] VS2003 (.NET) SP1 build 6030",
  0x005e178e => "[RES] VS.NET 2003 SP1 [7.1] build 6030 (*)",
  0x005c178e => "[EXP] VS2003 (.NET) SP1 build 6030",
  0x005d178e => "[IMP] VS2003 (.NET) SP1 build 6030",
  0x005f0fc3 => "[ C ] Windows Server 2003 SP1 DDK build 4035 (*)",
  0x000f0fc3 => "[ASM] Windows Server 2003 SP1 DDK build 4035 (*)",
  0x00600fc3 => "[C++] Windows Server 2003 SP1 DDK build 4035 (*)",
  0x005e0fc3 => "[RES] Windows Server 2003 SP1 DDK build 4035 (*)",
  0x005a0fc3 => "[LNK] Windows Server 2003 SP1 DDK build 4035 (*)",
  0x005d0fc3 => "[IMP] Windows Server 2003 SP1 DDK build 4035 (*)",
  0x005c0fc3 => "[EXP] Windows Server 2003 SP1 DDK build 4035 (*)",
  0x005f0c05 => "[ C ] VS2003 (.NET) build 3077",
  0x00600c05 => "[C++] VS2003 (.NET) build 3077",
  0x000f0c05 => "[ASM] VS2003 (.NET) build 3077",
  0x005e0bec => "[RES] VS2003 (.NET) build 3052",
  0x005c0c05 => "[EXP] VS2003 (.NET) build 3077",
  0x005d0c05 => "[IMP] VS2003 (.NET) build 3077",
  0x005a0c05 => "[LNK] VS2003 (.NET) build 3077",
  0x005e0c05 => "[RES] VS.NET 2003 [7.1] build 3077 (*)",
  0x001c24fa => "[ C ] VS2002 (.NET) build 9466",
  0x001d24fa => "[C++] VS2002 (.NET) build 9466",
  0x004024fa => "[ASM] VS2002 (.NET) build 9466",
  0x003d24fa => "[LNK] VS2002 (.NET) build 9466",
  0x004524fa => "[RES] VS2002 (.NET) build 9466",
  0x003f24fa => "[EXP] VS2002 (.NET) build 9466",
  0x001924fa => "[IMP] VS2002 (.NET) build 9466",
  0x001c23d8 => "[ C ] Windows XP SP1 DDK build 9176 (*)",
  0x004023d8 => "[ASM] Windows XP SP1 DDK build 9176 (*)",
  0x001d23d8 => "[C++] Windows XP SP1 DDK build 9176 (*)",
  0x004523d8 => "[RES] Windows XP SP1 DDK build 9176 (*)",
  0x003d23d8 => "[LNK] Windows XP SP1 DDK build 9176 (*)",
  0x001923d8 => "[IMP] Windows XP SP1 DDK build 9176 (*)",
  0x003f23d8 => "[EXP] Windows XP SP1 DDK build 9176 (*)",
  0x000a2636 => "[ C ] VS98 (6.0) SP6 build 8804",
  0x000b2636 => "[C++] VS98 (6.0) SP6 build 8804",
  0x00152306 => "[ C ] VC++ 6.0 SP5 build 8804",
  0x00162306 => "[C++] VC++ 6.0 SP5 build 8804",
  0x000420ff => "[LNK] VC++ 6.0 SP5 imp/exp build 8447",
  0x000606c7 => "[RES] VS98 (6.0) SP6 cvtres build 1736",
  0x000a1fe8 => "[ C ] VS98 (6.0) build 8168",
  0x000b1fe8 => "[C++] VS98 (6.0) build 8168",
  0x000606b8 => "[RES] VS98 (6.0) cvtres build 1720",
  0x00041fe8 => "[LNK] VS98 (6.0) imp/exp build 8168",
  0x00060684 => "[RES] VS97 (5.0) SP3 cvtres 5.00.1668",
  0x00021c87 => "[IMP] VS97 (5.0) SP3 link 5.10.7303",
}
# Header of a cursor/icon resource directory: three little-endian 16-bit
# words ('v3').
CUR_ICO_HEADER =
IOStruct.new('v3',
  :wReserved, # always 0
  :wResID,    # always 2
  :wNumImages # Number of cursor images/directory entries
)
# One cursor directory entry: four 16-bit words, one 32-bit dword and a
# trailing word ('v4Vv'), all little-endian.
CURDIRENTRY =
IOStruct.new 'v4Vv',
:wWidth,
:wHeight, # Divide by 2 to get the actual height.
:wPlanes,
:wBitCount,
:dwBytesInImage,
:wID
# Cursor hotspot coordinates: two little-endian 16-bit words ('v2').
CURSOR_HOTSPOT =
IOStruct.new 'v2', :x, :y
# One icon directory entry: four bytes, two 16-bit words, one 32-bit dword
# and a trailing word ('C4v2Vv'), little-endian.
ICODIRENTRY =
IOStruct.new 'C4v2Vv',
:bWidth,
:bHeight,
:bColors,
:bReserved,
:wPlanes,
:wBitCount,
:dwBytesInImage,
:wID
ROOT_RES_NAMES =

numeration is started from 1

# Resource type names indexed by the numeric type id of a root-level
# resource directory entry (see _scan_pe_resources); nil entries keep the
# array index equal to the id for ids that have no name here.
[nil] + # numeration is started from 1
%w'CURSOR BITMAP ICON MENU DIALOG STRING FONTDIR FONT ACCELERATORS RCDATA' +
%w'MESSAGETABLE GROUP_CURSOR' + [nil] + %w'GROUP_ICON' + [nil] +
%w'VERSION DLGINCLUDE' + [nil] + %w'PLUGPLAY VXD ANICURSOR ANIICON HTML MANIFEST'
# Resource directory entry: two little-endian dwords ('V2') on disk.
# :name and :data have no counterpart in the format string — presumably
# they are filled in after reading (entry.name / entry.data are consumed by
# _scan_pe_resources); confirm in IMAGE_RESOURCE_DIRECTORY.read.
IMAGE_RESOURCE_DIRECTORY_ENTRY =
IOStruct.new 'V2',
:Name, :OffsetToData,
:name, :data
# Leaf resource entry: four little-endian dwords ('V4').
IMAGE_RESOURCE_DATA_ENTRY =
IOStruct.new 'V4',
:OffsetToData, :Size, :CodePage, :Reserved
# NOTE(review): 'L' and 'Q' are native-endian in String#unpack; minidumps are
# little-endian, so on a big-endian host these three structures would read
# wrong unless IOStruct normalises the byte order — confirm.
MINIDUMP_LOCATION_DESCRIPTOR =
IOStruct.new 'LL', :DataSize, :Rva
# 48-byte memory region descriptor: Q(8) Q(8) L(4) L(4) Q(8) L(4) L(4) L(4) L(4).
MINIDUMP_MEMORY_INFO =
IOStruct.new 'QQLLQLLLL',
:BaseAddress,
:AllocationBase,
:AllocationProtect,
:__alignment1,
:RegionSize,
:State,
:Protect,
:Type,
:__alignment2
# 16-byte descriptor: 64-bit start address plus a (DataSize, Rva) location.
MINIDUMP_MEMORY_DESCRIPTOR =
IOStruct.new 'QLL',
:StartOfMemoryRange,
:DataSize,
:Rva
# 16-byte descriptor used by the 64-bit memory list: no Rva, data is contiguous.
MINIDUMP_MEMORY_DESCRIPTOR64 =
IOStruct.new 'QQ',
:StartOfMemoryRange,
:DataSize
# Minidump stream type ids mapped to symbolic names. Ids below 0xffff are
# the standard ones; the larger ids are vendor extensions (breakpad,
# crashpad, Syzyasan, Chromium), with their sources linked inline.
MINIDUMP_STREAM_TYPE =
{
       0 => :UnusedStream,
       1 => :ReservedStream0,
       2 => :ReservedStream1,
       3 => :ThreadListStream,
       4 => :ModuleListStream,
       5 => :MemoryListStream,             # MINIDUMP_MEMORY_LIST
       6 => :ExceptionStream,
       7 => :SystemInfoStream,
       8 => :ThreadExListStream,
       9 => :Memory64ListStream,           # MINIDUMP_MEMORY64_LIST
      10 => :CommentStreamA,
      11 => :CommentStreamW,
      12 => :HandleDataStream,
      13 => :FunctionTableStream,
      14 => :UnloadedModuleListStream,
      15 => :MiscInfoStream,
      16 => :MemoryInfoListStream,         # MINIDUMP_MEMORY_INFO_LIST
      17 => :ThreadInfoListStream,
      18 => :HandleOperationListStream,
  0xffff => :LastReservedStream,

  # Special types saved by google breakpad
  # https://chromium.googlesource.com/breakpad/breakpad/+/846b6335c5b0ba46dfa2ed96fccfa3f7a02fa2f1/src/google_breakpad/common/minidump_format.h#311
  0x47670001 => :BreakpadInfoStream,
  0x47670002 => :BreakpadAssertionInfoStream,
  0x47670003 => :BreakpadLinuxCpuInfo,
  0x47670004 => :BreakpadLinuxProcStatus,
  0x47670005 => :BreakpadLinuxLsbRelease,
  0x47670006 => :BreakpadLinuxCmdLine,
  0x47670007 => :BreakpadLinuxEnviron,
  0x47670008 => :BreakpadLinuxAuxv,
  0x47670009 => :BreakpadLinuxMaps,
  0x4767000A => :BreakpadLinuxDsoDebug,

  # Saved by crashpad
  # https://chromium.googlesource.com/crashpad/crashpad/+/doc/minidump/minidump_extensions.h#95
  0x43500001 => :CrashpadInfo,

  # Saved by Syzyasan
  # https://github.com/google/syzygy/blob/c8bb4927f07fec0de8834c4774ddaafef0bc099f/syzygy/kasko/api/client.h#L28
  # https://github.com/google/syzygy/blob/master/syzygy/crashdata/crashdata.proto
  0x4B6B0001 => :SyzyasanCrashdata,

  # Saved by Chromium
  0x4B6B0002 => :ChromiumStabilityReport,
  0x4B6B0003 => :ChromiumSystemProfile,
  0x4B6B0004 => :ChromiumGwpAsanData,
}
# Class-wide logger shared by every PEdump instance: #initialize installs the
# instance logger here and .logger= replaces it.
@@logger =
nil


Constructor Details

#initialize(io = nil, params = {}) ⇒ PEdump

Returns a new instance of PEdump.



# File 'lib/pedump.rb', line 42

# Creates a dumper.
#
# @param io [IO, Hash, nil] the open file to parse, or — as a shorthand for
#   PEdump.new(nil, params) — the params hash itself
# @param params [Hash] :force relaxes signature checks; the rest goes to Logger.create
def initialize io = nil, params = {}
  # Shorthand form: the only argument is the params hash.
  io, params = nil, io if io.is_a?(Hash)
  @io = io
  @force = params[:force]
  # The instance logger is also installed as the class-wide one.
  @logger = @@logger = Logger.create(params)
end

Instance Attribute Details

#fnameObject

Returns the value of attribute fname.



# File 'lib/pedump.rb', line 31

# @return [Object] value of @fname
#   NOTE(review): none of the methods visible here assign @fname — confirm where it is set.
def fname
  @fname
end

#forceObject

Returns the value of attribute force.



# File 'lib/pedump.rb', line 31

# @return [Object] the :force option given at construction; when truthy,
#   signature mismatches are tolerated (see #mz, #supported_file?)
def force
  @force
end

#ioObject

Returns the value of attribute io.



# File 'lib/pedump.rb', line 31

# @return [IO, nil] the stream given at construction; default argument of
#   most parsing methods
def io
  @io
end

#loggerObject

Returns the value of attribute logger.



# File 'lib/pedump.rb', line 31

# @return [Logger] the instance logger created in #initialize
def logger
  @logger
end

Class Method Details

.dump(fname, params = {}) ⇒ Object



# File 'lib/pedump.rb', line 329

# Convenience: build an instance for +fname+ and run #dump on it.
#
# @param fname [String, IO] path or open stream
# @param params [Hash] constructor options
# @return [PEdump] the instance, after parsing
def self.dump fname, params = {}
  instance = new(fname, params)
  instance.dump
end

.loggerObject



# File 'lib/pedump/core.rb', line 35

def logger;    @@logger;   end

.logger=(l) ⇒ Object



# File 'lib/pedump/core.rb', line 36

def logger= l; @@logger=l; end

.ordlookup(dll, ord, make_name: false) ⇒ Object



# File 'lib/pedump/ordlookup.rb', line 5

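# Resolves an import-by-ordinal to a function name using the bundled
# data/ordlookup/<dll>.yml tables.
#
# @param dll [String] module name as found in the import table (case-insensitive)
# @param ord [Integer] ordinal to resolve
# @param make_name [Boolean] when no name is known, return "ord<N>" instead of nil
# @return [String, nil]
def self.ordlookup(dll, ord, make_name: false)
  fallback = make_name ? "ord#{ord}" : nil
  dll = dll.to_s.downcase
  # The module name comes from the file being parsed and is spliced into a
  # path below, so only a plain file name may reach the filesystem: no path
  # separators and no "." / "..". Anything else is an unknown module.
  if dll.empty? || dll.include?('/') || dll.include?('\\') || dll == '.' || dll == '..'
    return fallback
  end

  @ordlookup ||= {}
  @ordlookup[dll] ||=
    begin
      yml_fname = File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'data', 'ordlookup', "#{dll}.yml"))
      # The tables ship with the gem; they are not taken from the parsed file.
      # YAML.load_file is still the unrestricted loader — YAML.safe_load_file
      # would do if the tables contain only plain scalars.
      File.exist?(yml_fname) ? YAML.load_file(yml_fname) : {}
    end
  @ordlookup[dll][ord] || fallback
end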

.quietObject



# File 'lib/pedump.rb', line 333

# Runs the block with the class-wide logger raised to FATAL, restoring the
# previous level afterwards even if the block raises.
#
# @yield the work to run quietly
# @return the block's value
def self.quiet
  saved_level = @@logger.level
  begin
    @@logger.level = ::Logger::FATAL
    yield
  ensure
    @@logger.level = saved_level
  end
end

Instance Method Details

#_detect_formatObject



# File 'lib/pedump.rb', line 530

# Tells which container format the file has.
# Already-parsed headers (@pe/@ne/@te) win without touching the stream;
# otherwise the parsers are tried in the order pe, ne, te.
#
# @return [Symbol, nil] :pe, :ne, :te or nil when nothing matched
def _detect_format
  cached = { pe: @pe, ne: @ne, te: @te }.find { |_fmt, hdr| hdr }
  return cached.first if cached

  %i[pe ne te].find { |fmt| send(fmt) }
end

#_dump_handle(h) ⇒ Object



# File 'lib/pedump.rb', line 480

# Parses everything this class knows about from an open handle: for a PE the
# rich header, resources, imports, exports and packer; for a TE image only the
# header itself is read.
#
# @param h [IO] open file
# @return [Object, nil] result of the last parser run (#packer) for PE, nil otherwise
def _dump_handle h
  unless pe(h) # also calls mz(h)
    te(h)
    return nil
  end

  rich_hdr h
  resources h
  imports h   # also calls tls(h)
  exports h
  packer h
end

#_read_resource_directory_tree(f) ⇒ Object



# File 'lib/pedump/resources.rb', line 12

# Locates the section holding the resource directory and parses the tree
# from its raw file offset.
#
# @param f [IO] open file
# @return [IMAGE_RESOURCE_DIRECTORY, Array, nil] the root directory; [] when the
#   image has no resource directory or its section cannot be found; nil when
#   there is no PE header
def _read_resource_directory_tree f
  return nil unless pe(f) && pe(f).ioh && f

  res_dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::RESOURCE]
  return [] unless res_dir && (res_dir.va != 0 || res_dir.size != 0)

  # The section is matched on an exact VirtualAddress, i.e. the directory has
  # to start at the section start.
  res_va = res_dir.va
  res_section = @pe.section_table.find { |sec| sec.VirtualAddress == res_va }
  if res_section.nil?
    logger.warn "[?] can't find resource section for va=0x#{res_va.to_s(16)}"
    return []
  end

  raw_offset = res_section.PointerToRawData
  f.seek raw_offset
  # Offsets inside the tree are relative to this base.
  IMAGE_RESOURCE_DIRECTORY.base = raw_offset
  #@resource_data_base = res_section.PointerToRawData - res_section.VirtualAddress
  IMAGE_RESOURCE_DIRECTORY.read(f)
end

#_scan_pe_resources(f = @io, dir = nil) ⇒ Object



# File 'lib/pedump/resources.rb', line 379

# Walks the resource directory tree and returns a flat list of Resource
# objects. Recurses once per sub-directory; at the root level the numeric
# entry name is mapped through ROOT_RES_NAMES to become the resource type.
# NOTE(review): no depth or cycle guard is visible here — confirm that
# IMAGE_RESOURCE_DIRECTORY.read bounds the nesting of a crafted tree.
#
# @param f [IO] open file
# @param dir [IMAGE_RESOURCE_DIRECTORY, nil] directory to scan; nil means the root
# @return [Array<Resource>, nil] nil when there is no resource directory at all
def _scan_pe_resources f=@io, dir=nil
  dir ||= resource_directory(f)
  return nil unless dir
  # error counter is shared by the whole recursive scan
  @pe_res_errors ||= 0
  r = []
  dir.entries.each_with_index do |entry,idx|
    case entry.data
      when IMAGE_RESOURCE_DIRECTORY
        if dir == @resource_directory # root resource directory
          entry_type =
            if entry.Name & 0x8000_0000 == 0
              # root resource directory & entry name is a number
              ROOT_RES_NAMES[entry.Name] || entry.name
            else
              entry.name
            end
          r += _scan_pe_resources(f,entry.data).each do |res|
            res.type = entry_type
            res.parse f
          end
        else
          # intermediate level: prepend this entry's name, and use its numeric
          # name as the resource id when it has one
          r += _scan_pe_resources(f,entry.data).each do |res|
            res.name = res.name == "##{res.lang}" ? entry.name : "#{entry.name} / #{res.name}"
            res.id ||= entry.Name if entry.Name.is_a?(Numeric) && entry.Name < 0x8000_0000
          end
        end
      when IMAGE_RESOURCE_DATA_ENTRY
        # va2file logs each failure until MAX_ERRORS is exceeded, then goes quiet
        file_offset = va2file(entry.data.OffsetToData, :quiet => (@pe_res_errors > MAX_ERRORS))
        unless file_offset
          @pe_res_errors += 1
          if @pe_res_errors > MAX_ERRORS
            PEdump.logger.warn "[?] too many errors getting resource data, stopped on #{idx} of #{dir.entries.size}"
            break
          end
        end
        # below the error limit an entry with an unresolvable RVA is still
        # recorded, with a nil file offset
        r << Resource.new(
          nil,          # type
          entry.name,
          nil,          # id
          entry.Name,   # lang
          #entry.data.OffsetToData + @resource_data_base,
          file_offset,
          entry.data.Size,
          entry.data.CodePage,
          entry.data.Reserved
        )
      else
        if entry.data
          logger.error "[!] invalid resource entry: #{entry.data.inspect}"
        else
          # show NULL entries only in verbose mode
          logger.info  "[!] invalid resource entry: #{entry.data.inspect}"
        end
    end
  end
  r.flatten.compact
end

#clr_header(f = @io) ⇒ Object

module CLR



# File 'lib/pedump/clr.rb', line 581

# Reads the IMAGE_COR20_HEADER (CLR header) referenced by the CLR_Header
# data directory.
#
# @param f [IO] open file
# @return [IMAGE_COR20_HEADER, nil] nil when there is no PE header, no CLR
#   directory, or the directory points outside the file
def clr_header f=@io
  return nil unless pe(f) && pe(f).ioh && f

  dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::CLR_Header]
  return nil unless dir && (dir.va != 0 || dir.size != 0)

  file_offset = va2file(dir.va)
  return nil unless file_offset

  unless f.checked_seek(file_offset)
    logger.warn "[?] CLR header beyond EOF"
    return nil
  end
  IMAGE_COR20_HEADER.read(f)
end

#clr_metadata(f = @io) ⇒ Object



# File 'lib/pedump/clr.rb', line 598

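# Reads the CLR metadata header referenced by the MetaData directory of the
# CLR header. (The method name was lost in the rendered listing; it is
# restored from the documented signature clr_metadata(f = @io).)
#
# @param f [IO] open file
# @return [CLR::MetadataHeader, nil] nil when there is no CLR header, the
#   MetaData directory is empty, or it points outside the file
def clr_metadata f=@io
  return nil unless hdr = clr_header(f)

  dir = hdr.MetaData
  # either a zero RVA or a zero size means "no metadata"
  return nil if !dir || (dir.va.to_i == 0 || dir.size.to_i == 0)

  file_offset = va2file(dir.va)
  return nil unless file_offset

  if f.checked_seek(file_offset)
    CLR::MetadataHeader.read(f)
  else
    logger.warn "[?] CLR metadata header beyond EOF"
    nil
  end
end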

#clr_readytorun(f = @io) ⇒ Object

module CLR



# File 'lib/pedump/clr/readytorun.rb', line 99

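# Reads the ReadyToRun header referenced by the ManagedNativeHeader directory
# of the CLR header, after verifying its magic.
#
# @param f [IO] open file
# @return [CLR::READYTORUN_HEADER, nil] nil when absent, unreadable or the
#   magic does not match
def clr_readytorun f=@io
  return nil unless hdr = clr_header(f)

  dir = hdr.ManagedNativeHeader
  return nil if !dir || (dir.va.to_i == 0 && dir.size.to_i == 0)

  file_offset = va2file(dir.va)
  return nil unless file_offset

  # Bounds-check the seek like clr_header/clr_metadata do: a directory that
  # points past EOF used to reach unpack1 with a nil read.
  unless f.checked_seek(file_offset)
    logger.warn "[?] ReadyToRun header beyond EOF"
    return nil
  end
  raw = f.read(4)
  return nil unless raw && raw.bytesize == 4

  # 'V' pins little-endian regardless of the host ('L' is native-endian).
  return nil if raw.unpack1('V') != CLR::READYTORUN_HEADER::MAGIC

  f.seek(file_offset)
  CLR::READYTORUN_HEADER.read(f)
end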

#clr_streams(f = @io) ⇒ Object



# File 'lib/pedump/clr.rb', line 615

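# Reads the stream headers that follow the CLR metadata header.
# (The receiver name was lost in the rendered listing; it is restored as the
# result of clr_metadata(f), the only visible method that yields a
# CLR::MetadataHeader.)
#
# @param f [IO] open file
# @return [Array<CLR::MetadataStreamHeader>, nil] nil when there is no
#   metadata header; a possibly shorter list when a header fails to read
def clr_streams f=@io
  return nil unless mdh = clr_metadata(f)

  streams = []
  # NumberOfStreams comes from the file; each iteration reads one header and
  # the loop stops at the first unreadable one.
  mdh.NumberOfStreams.times do
    stream = CLR::MetadataStreamHeader.read(f)
    unless stream
      logger.warn "[?] Error reading CLR stream header"
      break
    end
    streams << stream
  end
  streams
end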

#clr_strings(f = @io) ⇒ Object



# File 'lib/pedump/clr.rb', line 630

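# Reads the '#Strings' heap into a hash keyed by byte offset within the heap.
#
# @param f [IO] open file
# @return [CLR::StringsHash, nil] empty when there is no '#Strings' stream;
#   nil when the metadata or the stream cannot be located in the file
def clr_strings f=@io
  return nil unless dir = clr_header(f)&.MetaData
  return nil unless streams = clr_streams(f)

  strings = CLR::StringsHash.new
  stream = streams.find { |s| s.name == '#Strings' }
  return strings unless stream

  # Stream offsets are relative to the metadata directory. va2file returns
  # nil for an RVA outside every section, which previously failed on the
  # addition below.
  base = va2file(dir.va)
  return nil unless base

  unless f.checked_seek(base + stream.offset)
    logger.warn "[?] Error seeking to CLR strings stream"
    return nil
  end

  pos = 0
  while pos < stream.size && !f.eof?
    # each string is NUL-terminated; gets stops at the NUL (or at EOF)
    s = f.gets("\0")
    break unless s

    ssize = s.bytesize   # advance by the raw length, terminator included
    s.chomp!("\0")
    s.force_encoding('utf-8')
    strings[pos] = s
    pos += ssize
  end
  strings
end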

#clr_tables(table_ids_or_f = nil) ⇒ Object



# File 'lib/pedump/clr.rb', line 659

# Reads the CLR metadata tables from the '#~' (or '#-') stream.
#
# @param table_ids_or_f [IO, String, Array<Symbol>, nil] an open file, or the
#   tables to keep: a String split on non-word characters, or an Array of
#   symbols; nil keeps every table and reads from @io
# @return [CLR::TablesHash, nil] table name => rows (index 0 is nil so row
#   numbers are 1-based); nil when metadata or the stream cannot be located
# @raise [RuntimeError] on a table id the stream header does not know — this
#   is a hard failure on a malformed file, unlike the warnings used elsewhere
def clr_tables table_ids_or_f=nil
  f = @io
  table_ids = nil

  case table_ids_or_f
  when IO
    f = table_ids_or_f
  when String
    table_ids = table_ids_or_f.split(/\W/).map(&:to_sym)
  when Array
    table_ids = table_ids_or_f
  end

  return nil unless dir = clr_header(f)&.MetaData
  return nil unless streams = clr_streams(f)

  # NOTE(review): row classes are cached per table name for the lifetime of
  # this instance; if hdr (index/heap sizes) influences the generated layout,
  # a second file parsed by the same instance would reuse the first layout —
  # confirm against CLR::_create_dynamic_class.
  @dynamic_classes ||= {}

  tables = CLR::TablesHash.new
  streams.each do |stream|
    next if stream.name != '#~' && stream.name != '#-' # Metadata Table Stream

    # NOTE(review): va2file may return nil here (see the guards in
    # clr_header), which would fail on the addition — confirm.
    unless f.checked_seek(va2file(dir.va) + stream.offset)
      logger.warn "[?] Error seeking to CLR table stream"
      return nil
    end

    if hdr = CLR::MetadataTableStreamHeader.read(f)
      hdr.sizes_hash.each do |key, nrows|
        raise "Unknown table: #{key}" unless hdr.known_table?(key)

        if fields = CLR::TableDefs[key]
          klass = @dynamic_classes[key] ||= CLR::_create_dynamic_class(fields, hdr, name: key)
          tables[key] = [nil] # 1-based index, 0-th element is NULL
          # nrows comes from the file; each row is one klass.read
          nrows.times do
            tables[key] << klass.read(f)
          end
        else
          logger.warn "[?] Unknown CLR table: #{key}"
        end
      end
    else
      logger.warn "[?] Error reading CLR table stream header"
      break
    end
  end
  # tables are layed out sequentially in the file, so ALL of them should be read first, even if only some are requested
  tables.delete_if{ |k,v| !table_ids.include?(k) } if table_ids
  tables
end

#data_directory(f = @io) ⇒ Object



# File 'lib/pedump.rb', line 491

# The data directory table of the image.
#
# @param f [IO] open file
# @return [Array, nil] the PE optional header's DataDirectory, the TE header's
#   DataDirectory, or nil when neither format is present (or the PE has no
#   optional header)
def data_directory f=@io
  return pe.ioh && pe.ioh.DataDirectory if pe(f)
  te.DataDirectory if te(f)
end

#dos_stub(f = @io) ⇒ Object



# File 'lib/pedump.rb', line 354

# Reads the DOS stub: the bytes between the end of the MZ header
# (header_paragraphs * 16) and the PE header (lfanew). The read is capped at
# 0x1000 bytes. If the stub carries a Rich header, @rich_hdr is set and the
# stub is truncated at the point where the Rich header starts.
# Memoized in @dos_stub; note that the early `return nil` paths leave the
# memo unset, so those cases are re-evaluated on every call.
#
# @param f [IO, nil] open file
# @return [DOSStub, nil] nil when there is no MZ header, no stub, or the
#   offsets are inconsistent
def dos_stub f=@io
  @dos_stub ||=
    begin
      return nil unless mz = mz(f)
      dos_stub_offset = mz.header_paragraphs.to_i * 0x10
      dos_stub_size   = mz.lfanew.to_i - dos_stub_offset
      if dos_stub_offset < 0
        logger.warn "[?] invalid DOS stub offset #{dos_stub_offset}"
        nil
      elsif f && dos_stub_offset > f.size
        logger.warn "[?] DOS stub offset beyond EOF: #{dos_stub_offset}"
        nil
      elsif dos_stub_size < 0
        logger.warn "[?] invalid DOS stub size #{dos_stub_size}"
        nil
      elsif dos_stub_size == 0
        # no DOS stub, it's ok
        nil
      elsif !f
        # no open file, it's ok
        nil
      else
        # header_paragraphs == 0 with lfanew right after the MZ header: nothing to read
        return nil if dos_stub_size == MZ::SIZE && dos_stub_offset == 0
        # lfanew is file-controlled; bound the read so a huge gap cannot pull
        # the whole file into memory
        if dos_stub_size > 0x1000
          logger.warn "[?] DOS stub size too big (#{dos_stub_size}), limiting to 0x1000"
          dos_stub_size = 0x1000
        end
        f.seek dos_stub_offset
        DOSStub.new(f.read(dos_stub_size)).tap do |dos_stub|
          dos_stub.offset = dos_stub_offset
          if dos_stub['Rich']
            if @rich_hdr = RichHdr.from_dos_stub(dos_stub)
              # drop the Rich header bytes from the stub itself
              dos_stub[dos_stub.index(@rich_hdr)..-1] = ''
            end
          end
        end
      end
    end
end

#dump(f = @io) ⇒ Object

OPTIONAL: assigns @mz, @rich_hdr, @pe, etc



# File 'lib/pedump.rb', line 469

# Parses the whole file (see #_dump_handle), filling @mz, @rich_hdr, @pe, ...
#
# @param f [String, IO, nil] a path (opened read-only binary for the duration
#   of the call), an open stream, or nil to use @io; nothing happens when
#   neither is available
# @return [PEdump] self
def dump f=@io
  case f
  when String
    File.open(f, 'rb') { |handle| _dump_handle(handle) }
  when ::IO
    _dump_handle f
  else
    _dump_handle @io if @io
  end
  self
end

#exports(f = @io) ⇒ Object



# File 'lib/pedump.rb', line 777

# Export table of the image, dispatching on its format.
#
# @param f [IO] open file
# @return [Object, nil] #pe_exports for a PE, the NE header's exports for an
#   NE, nil otherwise
def exports f=@io
  return pe_exports(f) if pe(f)
  ne(f).exports if ne(f)
end

#file2va(offset, h = {}) ⇒ Object



# File 'lib/pedump.rb', line 448

# Converts a raw file offset into a virtual address using the section table.
#
# @param offset [Integer, nil] file offset
# @param h [Hash] :quiet => true lowers the "not found" message to debug level
# @return [Integer, nil] the VA, the offset itself for an image without
#   sections, or nil when no section covers the offset
def file2va offset, h = {}
  return nil if offset.nil?

  secs = sections
  # a special case - PE without sections
  return offset if secs.empty?

  hit = secs.find do |s|
    (s.PointerToRawData...(s.PointerToRawData + s.SizeOfRawData)).include?(offset)
  end
  return hit.VirtualAddress + offset - hit.PointerToRawData if hit

  if h[:quiet]
    logger.debug "[?] can't find VA for file_offset 0x#{offset.to_i.to_s(16)} (quiet=true)"
  else
    logger.error "[?] can't find VA for file_offset 0x#{offset.to_i.to_s(16)}"
  end
  nil
end

#imphash(f = @io) ⇒ Object



# File 'lib/pedump.rb', line 599

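# Import hash: MD5 over "<lib>.<func>" pairs, lower-cased, joined by ",",
# computed the way python's pefile does it. Memoized in @imphash.
#
# @param f [IO] open file
# @return [String, nil] hex digest, or nil when there is no PE header, no
#   imports, or no resolvable import names
def imphash f=@io
  return @imphash if @imphash
  return nil unless pe(f) && pe(f).ioh && f

  imports = imports(f)
  # pe_imports returns nil when the import directory cannot be mapped to a
  # file offset; treat that as "no imports" rather than failing on nil.empty?
  return nil if imports.nil? || imports.empty?

  entries = imports.flat_map do |iid|
    next [] unless iid.module_name

    # was: [iid.original_first_thunk, iid.first_thunk].compact.flatten
    thunks = iid.original_first_thunk || iid.first_thunk
    names = thunks.map do |x|
      x.name || PEdump.ordlookup(iid.module_name, x.ordinal, make_name: true)
    end.compact.map(&:downcase).uniq
    # as in python's pefile; \z anchors at the real end of the string, while
    # $ would also match before a newline embedded in the module name
    libname = iid.module_name.downcase.sub(/\.(ocx|sys|dll)\z/, '')
    names.map { |name| "#{libname}.#{name}" }
  end

  return nil if entries.empty?
  @imphash = Digest::MD5.hexdigest(entries.join(","))
end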

#imports(f = @io) ⇒ Object



# File 'lib/pedump.rb', line 589

# Import table of the image, dispatching on its format.
#
# @param f [IO] open file
# @return [Array, nil] #pe_imports for a PE (which may be nil), the NE
#   header's imports for an NE, [] otherwise
def imports f=@io
  return pe_imports(f) if pe(f)
  return ne(f).imports if ne(f)
  []
end

#mz(f = @io) ⇒ Object



# File 'lib/pedump.rb', line 341

# Reads the MZ header from the stream's *current* position (no seek is done
# here) and memoizes it in @mz.
# A header whose signature is neither 'MZ' nor 'ZM' is accepted only when
# @force is set; otherwise the method returns nil without memoizing, so the
# next call reads again from wherever the stream is then.
#
# @param f [IO, nil] open file; nil yields nil
# @return [MZ, nil]
def mz f=@io
  @mz ||= f && MZ.read(f).tap do |mz|
    if mz.signature != 'MZ' && mz.signature != 'ZM'
      if @force
        #logger.warn  "[?] no MZ signature. want: 'MZ' or 'ZM', got: #{mz.signature.inspect}"
      else
        #logger.error "[!] no MZ signature. want: 'MZ' or 'ZM', got: #{mz.signature.inspect}. (not forced)"
        # leaves the method without assigning @mz
        return nil
      end
    end
  end
end

#ne(f = @io) ⇒ Object



# File 'lib/pedump/ne.rb', line 402

# Parses the NE header at the offset given by the MZ header's lfanew, if the
# two bytes there read 'NE'. The result — including nil — is memoized in @ne.
#
# @param f [IO] open file
# @return [NE, nil]
def ne f=@io
  return @ne if defined?(@ne)
  @ne ||=
    begin
      mz_hdr = mz(f)
      ne_offset = mz_hdr && mz_hdr.lfanew
      if ne_offset.nil?
        logger.debug "[!] NULL NE offset (e_lfanew)."
        nil
      elsif ne_offset > f.size
        logger.fatal "[!] NE offset beyond EOF."
        nil
      else
        f.seek ne_offset
        if f.read(2) == 'NE'
          # rewind: the signature is part of the header being read
          f.seek ne_offset
          NE.read f
        end
      end
    end
end

#ne?Boolean

Returns:

  • (Boolean)


# File 'lib/pedump.rb', line 544

# @return [Boolean] true when #_detect_format reports an NE image
def ne?
  _detect_format.equal?(:ne)
end

#packer(f = @io) ⇒ Object Also known as: packers

packer / compiler detection



# File 'lib/pedump.rb', line 932

# Packer / compiler detection via the Packer signature database.
# Memoized in @packer.
#
# @param f [IO] open file
# @return [Object, nil] Packer.of result; nil when there is no PE header with
#   an optional header, or when no packer definitions are loaded
def packer f=@io
  return @packer if @packer
  @packer = pe(f) && @pe.ioh && (
    if PEdump::Packer.all.size == 0
      logger.error "[?] no packer definitions found"
      nil
    else
      Packer.of f, :pedump => self
    end
  )
end

#pe(f = @io) ⇒ Object



# File 'lib/pedump/pe.rb', line 115

# Parses the PE header at the offset given by the MZ header's lfanew.
# Memoized in @pe (a nil result is re-attempted on the next call).
#
# @param f [IO] open file
# @return [PE, nil] nil when there is no MZ header or lfanew is past EOF
def pe f=@io
  @pe ||=
    begin
      mz_hdr = mz(f)
      pe_offset = mz_hdr && mz_hdr.lfanew
      if pe_offset.nil?
        logger.debug "[!] NULL PE offset (e_lfanew). cannot continue."
        nil
      elsif pe_offset > f.size
        logger.fatal "[!] PE offset beyond EOF. cannot continue."
        nil
      else
        f.seek pe_offset
        # :force lets PE.read tolerate signature problems
        PE.read f, :force => @force
      end
    end
end

#pe?Boolean

Returns:

  • (Boolean)


# File 'lib/pedump.rb', line 540

# @return [Boolean] true when #_detect_format reports a PE image
def pe?
  _detect_format.equal?(:pe)
end

#pe_exports(f = @io) ⇒ Object



# File 'lib/pedump.rb', line 785

# Parses the export directory: the directory struct, the module name, the
# entry point RVAs, the name ordinals and the names, then builds x.functions
# (one ExportedFunction per entry point). Memoized in @exports.
# All table reads stop at EOF; the name count is capped at
# MAX_EXPORT_NUMBER_OF_NAMES and name lookups give up after MAX_ERRORS failures.
#
# @param f [IO] open file
# @return [IMAGE_EXPORT_DIRECTORY, nil] nil when there is no PE header, no
#   export directory, or it lies outside the file
def pe_exports f=@io
  return @exports if @exports
  return nil unless pe(f) && pe(f).ioh && f
  dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::EXPORT]
  return nil if !dir || (dir.va == 0 && dir.size == 0)
  va = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::EXPORT].va
  file_offset = va2file(va)
  return nil unless file_offset
  if !f.checked_seek(file_offset) || f.eof?
    logger.warn "[?] exports info beyond EOF"
    return nil
  end
  @exports = IMAGE_EXPORT_DIRECTORY.read(f).tap do |x|
    x.entry_points = []
    x.name_ordinals = []
    x.names = []
    # module name: NUL-terminated string at RVA x.Name
    if x.Name.to_i != 0 && (ofs = va2file(x.Name))
      f.seek ofs
      if f.eof?
        logger.warn "[?] export ofs 0x#{ofs.to_s(16)} beyond EOF"
        nil
      else
        x.name = f.gets("\x00").chomp("\x00")
      end
    end
    if x.NumberOfFunctions.to_i > 0
      # entry points: one 32-bit LE RVA per function; the count is
      # file-controlled but every iteration consumes 4 bytes, so EOF bounds it
      if x.AddressOfFunctions.to_i !=0 && (ofs = va2file(x.AddressOfFunctions))
        f.seek ofs
        x.entry_points = []
        x.NumberOfFunctions.times do
          if f.eof?
            logger.warn "[?] got EOF while reading exports entry_points"
            break
          end
          x.entry_points << f.read(4).unpack('V').first
        end
      end
      # name ordinals: 16-bit LE values, stored already rebased by x.Base
      if x.AddressOfNameOrdinals.to_i !=0 && (ofs = va2file(x.AddressOfNameOrdinals))
        f.seek ofs
        x.name_ordinals = []
        x.NumberOfNames.times do
          if f.eof?
            logger.warn "[?] got EOF while reading exports name_ordinals"
            break
          end
          x.name_ordinals << f.read(2).unpack('v').first + x.Base
        end
      end
    end
    # names: a table of 32-bit LE RVAs, each then replaced in place by the
    # NUL-terminated string it points to
    if x.NumberOfNames.to_i > 0 && x.AddressOfNames.to_i !=0 && (ofs = va2file(x.AddressOfNames))
      f.seek ofs
      x.names = []
      x.NumberOfNames.times do
        if f.eof?
          logger.warn "[?] got EOF while reading exports names"
          break
        end
        x.names << f.read(4).unpack('V').first
      end
      nErrors = 0
      x.names.size.times do |i|
        begin
          # va2file returns nil for an unmapped RVA; seek(nil) raises and is
          # counted as an error below
          f.seek va2file(x.names[i])
          x.names[i] = f.gets("\x00").to_s.chomp("\x00")
        rescue
          nErrors += 1
          if nErrors > MAX_ERRORS
            logger.warn "[?] too many errors getting export names, stopped on #{i} of #{x.names.size}"
            x.names = x.names[0,i]
            break
          end
          nil
        end
      end
    end

    # ordinal => [names]; NOTE(review): n is taken from the header rather
    # than from x.names.size / x.name_ordinals.size, so after an EOF break the
    # trailing lookups yield nil entries — confirm that is intended
    ord2name = {}
    if x.names && x.names.any?
      n = x.NumberOfNames
      if n > MAX_EXPORT_NUMBER_OF_NAMES
        logger.warn "[?] NumberOfNames too big (#{x.NumberOfNames}), limiting to #{MAX_EXPORT_NUMBER_OF_NAMES}"
        n = MAX_EXPORT_NUMBER_OF_NAMES
      end
      n.times do |i|
        ord2name[x.name_ordinals[i]] ||= []
        ord2name[x.name_ordinals[i]] << x.names[i]
      end
    end

    # one ExportedFunction per entry point; unnamed entries with a zero RVA
    # are skipped
    x.functions = []
    x.entry_points.each_with_index do |ep,i|
      names = ord2name[i+x.Base]
      names = names.join(', ') if names
      next if ep.to_i == 0 && names.nil?
      x.functions << ExportedFunction.new(names, i+x.Base, ep)
    end
  end
end

#pe_imports(f = @io) ⇒ Object



# File 'lib/pedump.rb', line 624

# Parses the import directory: the IMAGE_IMPORT_DESCRIPTOR list (capped at
# MAX_IMAGE_IMPORT_DESCRIPTORS, terminated by a zero Name or EOF), then for
# each descriptor its module name and both thunk tables, resolved into
# ImportedFunction objects. Memoized in @imports.
#
# @param f [IO] open file
# @return [Array<IMAGE_IMPORT_DESCRIPTOR>, nil] [] when there is no import
#   directory; nil when there is no PE header or the directory RVA cannot be
#   mapped to a file offset
def pe_imports f=@io
  return @imports if @imports
  return nil unless pe(f) && pe(f).ioh && f

  dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::IMPORT]
  return [] if !dir || (dir.va == 0 && dir.size == 0)

  file_offset = va2file(dir.va)
  return nil unless file_offset

  # scan TLS first, to catch many fake imports trick from
  # http://code.google.com/p/corkami/source/browse/trunk/asm/PE/manyimportsW7.asm
  tls_aoi = nil
  if (tls = tls(f)) && tls.any?
    # AddressOfIndex is a VA; rebase it to an RVA before mapping to a file offset
    tls_aoi = tls.first.AddressOfIndex.to_i - @pe.ioh.ImageBase.to_i
    tls_aoi = tls_aoi > 0 ? va2file(tls_aoi) : nil
  end

  r = []; t = nil
  if f.checked_seek(file_offset)
    while true
      if tls_aoi && tls_aoi == file_offset+16
        # catched the neat trick! :)
        # f.tell + 12  =  offset of 'FirstThunk' field from start of IMAGE_IMPORT_DESCRIPTOR structure
        logger.warn "[!] catched the 'imports terminator in TLS trick'"
        # http://code.google.com/p/corkami/source/browse/trunk/asm/PE/manyimportsW7.asm
        break
      end
      if r.size >= MAX_IMAGE_IMPORT_DESCRIPTORS
        logger.warn "[!] too many IMAGE_IMPORT_DESCRIPTORs, not reading more than #{r.size}"
        break
      end
      t = IMAGE_IMPORT_DESCRIPTOR.read(f)
      break if t.Name.to_i == 0 # also catches EOF
      r << t
      file_offset += IMAGE_IMPORT_DESCRIPTOR::SIZE
    end
  else
    logger.warn "[?] imports info beyond EOF"
  end

  n_bad_names = 0
  logger.warn "[?] non-empty last IMAGE_IMPORT_DESCRIPTOR: #{t.inspect}" if t && !t.empty?
  @imports = r
  r = nil
  @imports.each_with_index do |x, iidx|
    # bad names are counted across all descriptors; past MAX_ERRORS the rest
    # of the import list is dropped
    if n_bad_names > MAX_ERRORS
      logger.warn "[!] too many bad imported function names. skipping further imports parsing"
      @imports = @imports[0,iidx]
      break
    end
    if x.Name.to_i != 0 && (ofs = va2file(x.Name))
      begin
      f.seek ofs
      rescue
        logger.warn "[?] cannot seek to #{ofs} (VA=0x#{x.Name.to_i.to_s(16)} for reading imports, skipped"
        next
      end
      x.module_name = f.gets("\x00").to_s.chomp("\x00")
    end
    [:original_first_thunk, :first_thunk].each do |tbl|
      # :original_first_thunk -> "OriginalFirstThunk", the struct field name
      camel = tbl.capitalize.to_s.gsub(/_./){ |char| char[1..-1].upcase}
      if x[camel].to_i != 0 && (ofs = va2file(x[camel])) && f.checked_seek(ofs)
        x[tbl] ||= []
        # thunks are 8 bytes on x64, 4 otherwise; a zero value or EOF
        # (read -> nil -> "" -> nil -> 0) ends the table
        if pe.x64?
          x[tbl] << t while (t = f.read(8).to_s.unpack('Q').first).to_i != 0
        else
          x[tbl] << t while (t = f.read(4).to_s.unpack('V').first).to_i != 0
        end
      end
      cache = {}
      bits = pe.x64? ? 64 : 32
      mask = 2**(bits-1)
      idx = -1
      # NOTE(review): the per-entry VA uses a stride of 4 even when pe.x64?
      # made the loop above consume 8-byte thunks — looks like the VA of x64
      # entries after the first is off; confirm.
      # cache: the same thunk value maps to one ImportedFunction object,
      # carrying the VA of its first occurrence
      x[tbl] && x[tbl].map! do |t|
        idx += 1
        va = x[camel].to_i + idx*4
        cache[t] ||=
          if t & mask > 0                                 # 0x8000_0000(_0000_0000)
            ImportedFunction.new(nil,nil,t & (mask-1),va) # 0x7fff_ffff(_ffff_ffff)
          elsif ofs=va2file(t, :quiet => true)
            if !f.checked_seek(ofs) || f.eof?
              logger.warn "[?] import ofs 0x#{ofs.to_s(16)} VA=0x#{t.to_s(16)} beyond EOF"
              nil
            else
              # hint/name entry: 16-bit hint followed by a NUL-terminated name
              hint = f.read(2).unpack('v').first
              name = f.gets("\x00").to_s.chomp("\x00")
              # names outside printable ASCII are counted as bad; past
              # MAX_ERRORS they are dropped instead of recorded
              if !name.empty? && name !~ GOOD_FUNCTION_NAME_RE
                n_bad_names += 1
                if n_bad_names > MAX_ERRORS
                  nil
                else
                  ImportedFunction.new(hint, name, nil, va)
                end
              else
                ImportedFunction.new(hint, name, nil, va)
              end
            end
          elsif tbl == :original_first_thunk
            # OriginalFirstThunk entries can not be invalid, show a warning msg
            logger.warn "[?] invalid VA 0x#{t.to_s(16)} in #{camel}[#{idx}] for #{x.module_name}"
            nil
          elsif tbl == :first_thunk
            # FirstThunk entries can be invalid, so `info` msg only
            logger.info "[?] invalid VA 0x#{t.to_s(16)} in #{camel}[#{idx}] for #{x.module_name}"
            nil
          else
            raise "You are not supposed to be here! O_o"
          end
      end
      x[tbl] && x[tbl].compact!
    end # [:original_first_thunk, :first_thunk].each
    if x.original_first_thunk && !x.first_thunk
      logger.warn "[?] import table: empty FirstThunk for #{x.module_name}"
    elsif !x.original_first_thunk && x.first_thunk
      logger.info "[?] import table: empty OriginalFirstThunk for #{x.module_name}"
    elsif logger.debug?
      # compare all but VAs
      #if x.original_first_thunk != x.first_thunk
      #  logger.debug "[?] import table: OriginalFirstThunk != FirstThunk for #{x.module_name}"
      #end
    end
  end # r.each
  @imports
end

#resource_directory(f = @io) ⇒ Object



# File 'lib/pedump/resources.rb', line 3

# Root of the resource directory, dispatching on the image format.
# Memoized in @resource_directory.
#
# @param f [IO] open file
# @return [Object, nil] the parsed tree for a PE or NE image, nil otherwise
def resource_directory f=@io
  return @resource_directory if @resource_directory

  @resource_directory =
    if pe(f)
      _read_resource_directory_tree(f)
    elsif ne(f)
      ne(f).resource_directory(f)
    end
end

#resources(f = @io) ⇒ Object

resources



# File 'lib/pedump.rb', line 915

# Flat list of resources, dispatching on the image format.
# Memoized in @resources.
#
# @param f [IO] open file
# @return [Array, nil] #_scan_pe_resources for a PE, the NE header's
#   resources for an NE, nil otherwise
def resources f=@io
  return @resources if @resources

  @resources =
    if pe(f)
      _scan_pe_resources(f)
    elsif ne(f)
      ne(f).resources(f)
    end
end

#rich_hdr(f = @io) ⇒ Object Also known as: rich_header, rich



# File 'lib/pedump.rb', line 394

# The Rich header, which #dos_stub extracts from the DOS stub as a side
# effect.
#
# @param f [IO] open file
# @return [RichHdr, nil] nil when there is no DOS stub or no Rich header in it
def rich_hdr f=@io
  @rich_hdr if dos_stub(f)
end

#sections(f = @io) ⇒ Object Also known as: section_table



# File 'lib/pedump.rb', line 499

# Section-like table of the image: PE section table, NE segments or TE
# sections.
#
# @param f [IO] open file
# @return [Array, nil] nil when no supported header is found
def sections f=@io
  return pe.section_table if pe(f)
  return ne.segments if ne(f)
  te.sections if te(f)
end

#security(f = @io) ⇒ Object Also known as: signature



# File 'lib/pedump/security.rb', line 2

# Reads the WIN_CERTIFICATE entries of the SECURITY data directory.
# NOTE(review): the loop relies on WIN_CERTIFICATE.read advancing the stream
# on every call; confirm it cannot return without consuming bytes, otherwise
# a crafted directory would keep the loop going until EOF.
#
# @param f [IO] open file
# @return [Array<WIN_CERTIFICATE>, nil] nil when there is no PE header or no
#   security directory
def security f=@io
  return nil unless pe(f) && pe(f).ioh && f
  dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::SECURITY]
  return nil unless dir && dir.va != 0

  # IMAGE_DIRECTORY_ENTRY_SECURITY
  # Points to a list of WIN_CERTIFICATE structures, defined in WinTrust.H.
  # Not mapped into memory as part of the image.
  # Therefore, the VirtualAddress field is a file offset, rather than an RVA.
  #
  # http://msdn.microsoft.com/en-us/magazine/bb985997.aspx

  f.seek dir.va
  certs = []
  start = f.tell
  until f.eof? || (f.tell - start >= dir.size)
    certs << WIN_CERTIFICATE.read(f)
  end
  certs
end

#strings(f = @io) ⇒ Object



# File 'lib/pedump/resources.rb', line 227

# Collects all entries of the STRING resource tables.
#
# Each STRING resource is a block of 16 strings; the block's resource id
# (1-based) times 16 gives the id of its first string, so the string id is
# ((res.id - 1) << 4) + index. Empty slots are skipped.
#
# @param f [IO] stream to read from; defaults to the object's @io
# @return [Array<STRING>] one STRING per non-empty string, carrying its
#   computed id, the table's language and the text
def strings f=@io
  string_tables = Array(resources(f)).select { |res| res.type == 'STRING' }
  string_tables.each_with_object([]) do |res, out|
    base_id = (res.id.to_i - 1) << 4
    res.data.each_with_index do |text, idx|
      next if text.empty?
      out << STRING.new(base_id + idx, res.lang, text)
    end
  end
end

#supported_file?(f = @io) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/pedump.rb', line 510

# Checks whether the stream starts with one of SUPPORTED_SIGNATURES
# ('MZ', 'ZM' or 'VZ'), leaving the stream position untouched.
#
# On an unsupported signature a message is logged once per instance
# (tracked by @not_supported_sig_warned): as a warning when @force is set,
# as an error otherwise.
#
# @param f [IO] stream to probe; defaults to the object's @io
# @return [Boolean] true when the 2-byte signature is supported
def supported_file? f=@io
  pos = f.tell
  sig = f.read(2)
  f.seek(pos)
  return true if SUPPORTED_SIGNATURES.include?(sig)

  unless @not_supported_sig_warned
    msg = "no supported signature. want: #{SUPPORTED_SIGNATURES.join("/")}, got: #{sig.inspect}"
    if @force
      logger.warn "[?] #{msg}"
    else
      logger.error "[!] #{msg}. (not forced)"
    end
    @not_supported_sig_warned = true
  end
  false
end

#tail(f = @io) ⇒ Object

tail data



# File 'lib/pedump.rb', line 949

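# Positions the stream at the start of the data appended after the last
# section (overlay / tail data).
#
# The tail starts at the largest PointerToRawData + SizeOfRawData over all
# sections. If that offset lies before the end of the file the stream is
# seeked there and returned for the caller to read from.
#
# @param f [IO] stream to inspect; defaults to the object's @io
# @return [IO, nil] the stream positioned at the tail, or nil when there are
#   no sections, the format is unrecognised, or no data follows the sections
def tail f=@io
  # sections(f) is nil for an unrecognised format; treat that like an empty
  # section table instead of raising NoMethodError on nil.
  tail_start = Array(sections(f)).map { |s| s.PointerToRawData + s.SizeOfRawData }.max
  return nil unless tail_start && tail_start < f.size

  f.seek tail_start
  f
end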

#te(f = @io) ⇒ Object



# File 'lib/pedump/te.rb', line 48

# Parses and memoizes the EFI TE (Terse Executable) header.
#
# The stream is rewound to offset 0 and the 2-byte magic compared against
# 'VZ'. On a match the header is read with EFI_TE_IMAGE_HEADER.read
# (honouring @force); otherwise nil is stored. Because the result is kept
# in @te and guarded with defined?, a nil result is cached too and the
# file is not re-probed on later calls.
#
# @param f [IO] stream to read from; defaults to the object's @io
# @return [EFI_TE_IMAGE_HEADER, nil] the TE header, or nil for non-TE input
def te f=@io
  return @te if defined?(@te)

  f.seek 0
  magic = f.read(2)
  @te =
    if magic == 'VZ'
      f.seek 0
      EFI_TE_IMAGE_HEADER.read f, :force => @force
    else
      nil
    end
end

#te?Boolean

Returns:

  • (Boolean)


# File 'lib/pedump.rb', line 548

# Whether the loaded file was detected as a TE (Terse Executable) image.
#
# @return [Boolean] true when _detect_format reports :te
def te?
  _detect_format == :te
end

#te_shiftObject



# File 'lib/pedump/te.rb', line 40

# Address adjustment applied to TE images when mapping VAs to file offsets.
#
# Computed as the header's StrippedSize minus EFI_TE_IMAGE_HEADER::REAL_SIZE.
# When no TE header has been parsed (@te is nil) there is nothing to adjust.
#
# @return [Integer] the shift, or 0 without a TE header
def te_shift
  return 0 unless @te

  @te.StrippedSize - EFI_TE_IMAGE_HEADER::REAL_SIZE
end

#tls(f = @io) ⇒ Object

TLS



# File 'lib/pedump.rb', line 888

# Reads the TLS directory entries of a PE image.
#
# Locates DataDirectory[TLS], maps its RVA to a file offset with va2file and
# reads IMAGE_TLS_DIRECTORY64 or IMAGE_TLS_DIRECTORY32 structures depending
# on @pe.x64?. At least one entry is attempted; at most dir.size / SIZE are
# read, stopping early at EOF or when a read fails. Only a non-nil result
# is memoized in @tls; every nil path returns early without caching.
#
# @param f [IO] stream to read from; defaults to the object's @io
# @return [Array, nil] the TLS directory entries, or nil when the file is
#   not PE, lacks an optional header, has no TLS directory, or the
#   directory cannot be mapped / lies beyond EOF
def tls f=@io
  @tls ||= pe(f) && pe(f).ioh && f &&
    begin
      tls_dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::TLS]
      return nil unless tls_dir && tls_dir.va != 0
      file_offset = va2file(tls_dir.va)
      return nil unless file_offset
      f.seek file_offset
      if f.eof?
        logger.info "[?] TLS info beyond EOF"
        return nil
      end

      struct = @pe.x64? ? IMAGE_TLS_DIRECTORY64 : IMAGE_TLS_DIRECTORY32
      # dir.size is file-controlled; the count is still bounded by EOF below.
      max_entries = [1, tls_dir.size / struct.const_get('SIZE')].max
      entries = []
      max_entries.times do
        break if f.eof?
        entry = struct.read(f)
        break unless entry
        entries << entry
      end
      entries
    end
end

#va2file(va, h = {}) ⇒ Object



# File 'lib/pedump.rb', line 400

# Translates a virtual address into a file offset using the section table.
#
# For TE images the address is first adjusted by te_shift; PE images need no
# adjustment. The section table is then searched twice: first by VirtualSize,
# then — for sections that declare a zero or bogus VirtualSize — by
# SizeOfRawData. A hit only counts if the offset also lies inside the
# section's raw data. Two fallbacks follow: a file without sections returns
# the VA unchanged, and a file with a single section (or only zero
# VirtualAddresses) is treated as one flat mapping from its first section.
#
# @param va [Integer, nil] virtual address to translate
# @param h [Hash] options; :quiet => true downgrades the "not found" message
#   from logger.error to logger.debug
# @return [Integer, nil] file offset, or nil when va is nil or unmapped
def va2file va, h={}
  return nil if va.nil?

  va0 = va # original address, kept for the log message
  va -= te_shift() if !pe? && te?

  # Pass 1 matches on VirtualSize, pass 2 on SizeOfRawData; both require the
  # offset to fall inside the section's raw data.
  [:VirtualSize, :SizeOfRawData].each do |span_field|
    sections.each do |s|
      base = s.VirtualAddress
      next unless (base...(base + s.public_send(span_field))).include?(va)
      offset = va - base
      return s.PointerToRawData + offset if offset < s.SizeOfRawData
    end
  end

  # still not found, bad/zero VirtualSizes & RawSizes ?

  # special case: PE without sections
  return va if sections.empty?

  # single section, or every section claims VirtualAddress 0
  if sections.size == 1 || sections.all? { |s| s.VirtualAddress.to_i == 0 }
    s = sections.first
    offset = va - s.VirtualAddress
    return s.PointerToRawData + offset if offset < s.SizeOfRawData
  end

  # TODO: not all VirtualAdresses == 0 case

  message = "[?] can't find file_offset of VA 0x#{va0.to_i.to_s(16)}"
  if h[:quiet]
    logger.debug "#{message} (quiet=true)"
  else
    logger.error message
  end
  nil
end

#version_info(f = @io) ⇒ Object



# File 'lib/pedump.rb', line 924

# Returns the flattened data of all VERSION resources.
#
# When resources(f) is falsy that falsy value is returned as-is; otherwise
# the VERSION resources' data arrays are concatenated (fully flattened, as
# Array#flatten does, not just one level).
#
# @param f [IO] stream to read from; defaults to the object's @io
# @return [Array, nil, false] the version-info entries, or the falsy result
#   of resources(f)
def version_info f=@io
  all = resources(f)
  return all unless all

  all.select { |res| res.type == 'VERSION' }.map(&:data).flatten
end