Module pe-parser

Lua module to parse a Portable Executable (.exe, .dll, etc.) file and extract metadata.

NOTE: numerical information is extracted as strings (hex) to prevent numerical overflows in case of 64-bit fields (bit/flag fields). Pointer arithmetic is still done numerically, so for very large files this could lead to undefined results. Use with care!

Version 0.5, copyright (c) 2013-2018 Thijs Schreijer

Functions

dump (obj) Dumps the output parsed.
get_fileoffset (obj, RVA) Calculates the fileoffset of a given RVA.
msvcrt (infile) Checks the msvcrt dll the binary was linked against.
parse (target) Parses a file and extracts the information.
toDec (IN) Converts a hex string to an integer.
toHex (IN, len) Converts an integer to its hex representation.

Tables

const Table with named constants/flag-constants.


Functions

dump (obj)
Dumps the parsed output. This function is also available as a method on the parsed output table.

Parameters:

  • obj

get_fileoffset (obj, RVA)
Calculates the fileoffset of a given RVA. This function is also available as a method on the parsed output table.

Parameters:

  • obj a parsed object (return value from parse)
  • RVA an RVA value to convert to a fileoffset (either number or hex-string)

Returns:

    fileoffset of the given RVA (number)
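
An added example (not the module's own code) of the standard PE section-table mapping behind an RVA-to-file-offset conversion, with values kept as hex strings in the style of the parse output. The section table, the `size_of_headers` value and the helper names `to_dec`, `to_hex` and `rva_to_fileoffset` are constructed for illustration; it also covers RVAs that have no bytes on disk.

```lua
-- Added example: RVA -> file offset via the section table (standard PE mapping).
-- Section values are constructed sample data, kept as hex strings.
local sections = {
  { Name = ".text", VirtualAddress = "00001000", VirtualSize = "00002345",
    PointerToRawData = "00000400", SizeOfRawData = "00002400" },
  { Name = ".data", VirtualAddress = "00004000", VirtualSize = "00003000",
    PointerToRawData = "00002800", SizeOfRawData = "00000200" },
}
local size_of_headers = "00000400"   -- constructed SizeOfHeaders value

-- Local stand-ins for hex conversion (hypothetical helpers, not the module's toDec/toHex)
local function to_dec(hex) return tonumber(hex, 16) end
local function to_hex(n, len) return string.format("%0" .. (len or 8) .. "x", n) end

-- Returns the file offset (number), or nil + reason when the RVA has no bytes on disk.
local function rva_to_fileoffset(rva)
  if type(rva) == "string" then rva = to_dec(rva) end
  if not rva then return nil, "RVA is not a valid hex string" end
  if rva < to_dec(size_of_headers) then
    return rva                       -- headers are mapped 1:1 from the start of the file
  end
  for _, s in ipairs(sections) do
    local va, vsize = to_dec(s.VirtualAddress), to_dec(s.VirtualSize)
    local raw, rsize = to_dec(s.PointerToRawData), to_dec(s.SizeOfRawData)
    if rva >= va and rva < va + math.max(vsize, rsize) then
      local delta = rva - va
      if delta >= rsize then
        -- inside the section in memory, but beyond what the file stores for it
        return nil, "RVA is in " .. s.Name .. " but past its raw data (zero-filled at load)"
      end
      return raw + delta
    end
  end
  return nil, "RVA is not covered by any section"
end

-- Header RVA, two mapped RVAs, one past raw data, one outside every section
for _, rva in ipairs({ "00000080", "00001010", "00004100", "00004800", "00009000" }) do
  local off, err = rva_to_fileoffset(rva)
  print(rva, off and to_hex(off) or ("nil: " .. err))
end
```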

msvcrt (infile)
Checks the msvcrt dll the binary was linked against. Mixing and matching dlls only works when they all use the same runtime; if they do not, unexpected errors will probably occur. The function checks the binary provided and then traverses all imported dlls to find the msvcrt used (it only looks for the dlls in the same directory).

Parameters:

  • infile binary file to check

Returns:

    msvcrt name (uppercase, without extension) + file where the reference was found, or nil + error

parse (target)
Parses a file and extracts the information. All numbers are delivered as "string" types containing hex values (to prevent numerical overflows in case of 64-bit sizes or bit-fields); see the toHex and toDec conversion functions.

Parameters:

  • target

Returns:

    table with data, or nil + error

Usage:

    local pe = require("pe-parser")
    local obj = pe.parse("c:\\lua\\lua.exe")  -- backslashes must be escaped in a Lua string
    obj:dump()

toDec (IN)
Converts a hex string to an integer.

Parameters:

  • IN the string to convert to dec

Returns:

    number in dec format

toHex (IN, len)
Converts an integer to its hex representation.

Parameters:

  • IN the number to convert to hex
  • len the size to return, any result smaller will be prefixed by "0"s

Returns:

    string containing hex representation

Tables

const
Table with named constants/flag-constants. Named elements can be looked up by their name in the const table. The sub tables are indexed by value. For flag fields the name is extended with _flags.

Fields:

  • Magic
  • [20b]

Usage:

    -- lookup descriptive name for the myobj.Magic value
    local desc = pe.const.Magic[myobj.Magic]  -- sub tables are indexed by value
    
    -- get list of flag names, indexed by flag values, for the Characteristics field
    local flag_list = pe.const.Characteristics_flags
generated by LDoc 1.4.6 Last updated 2018-04-12 14:30:04