Module pe-parser
Lua module to parse a Portable Executable (.exe, .dll, etc.) file and extract metadata.
NOTE: numerical information is extracted as strings (hex) to prevent numerical overflows in case of 64-bit fields (bit/flag fields). Pointer arithmetic is still done numerically, so for very large files this could lead to undefined results. Use with care!
Version 0.5, copyright (c) 2013-2018 Thijs Schreijer
Functions
dump (obj) | Dumps the output parsed. |
get_fileoffset (obj, RVA) | Calculates the fileoffset of a given RVA. |
msvcrt (infile) | Checks the msvcrt dll the binary was linked against. |
parse (target) | Parses a file and extracts the information. |
toDec (IN) | convert HEX to integer |
toHex (IN, len) | convert integer to HEX representation |
Tables
const | Table with named constants/flag-constants. |
Functions
- dump (obj)
Dumps the output parsed.
This function is also available as a method on the parsed output table.
Parameters:
- obj
- get_fileoffset (obj, RVA)
Calculates the fileoffset of a given RVA.
This function is also available as a method on the parsed output table.
Parameters:
- obj a parsed object (return value from parse)
- RVA an RVA value to convert to a fileoffset (either number or hex-string)
Returns:
fileoffset of the given RVA (number)
- msvcrt (infile)
Checks the msvcrt dll the binary was linked against.
Mixing and matching dlls only works when they all use the same runtime; if not, unexpected errors will probably occur.
Checks the binary provided and then traverses all imported dlls to find the msvcrt used (it will only look for the dlls in the same directory).
Parameters:
- infile binary file to check
Returns:
msvcrt name (uppercase, without extension) + file where the reference was found, or nil + error
- parse (target)
Parses a file and extracts the information.
All numbers are delivered as "string" types containing hex values (to prevent numerical overflows in case of 64-bit sizes or bit-fields); see the toHex and toDec conversion functions.
Parameters:
- target
Returns:
table with data, or nil + error
Usage:
    local pe = require("pe-parser")
    -- backslashes in the Windows path must be escaped inside a Lua string
    local obj = pe.parse("c:\\lua\\lua.exe")
    obj:dump()
- toDec (IN)
convert HEX to integer
Parameters:
- IN the string to convert to dec
Returns:
number in dec format
- toHex (IN, len)
convert integer to HEX representation
Parameters:
- IN the number to convert to hex
- len the size to return, any result smaller will be prefixed by "0"s
Returns:
string containing hex representation
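As an added illustration of what an RVA-to-fileoffset conversion such as get_fileoffset involves (this is not pe-parser's own code): a generic mapping over a section table that also rejects RVAs with no file backing, as found in malformed or packed binaries. The `sections` layout, the helpers `to_num` and `rva_to_offset`, and all sample values are assumptions constructed for the example; the field names are those of the PE section header.

```lua
-- Added example, NOT pe-parser's code: generic RVA -> file offset mapping.
-- The `sections` layout is an assumption; field names follow the PE
-- section header (IMAGE_SECTION_HEADER).

-- Accept a number or a hex string, as get_fileoffset's RVA parameter does.
local function to_num(v)
  if type(v) == "number" then return v end
  if type(v) ~= "string" then return nil end
  return tonumber(v, 16)            -- nil when v is not valid hex
end

-- Returns fileoffset (number), or nil + error.
local function rva_to_offset(sections, size_of_headers, rva)
  rva = to_num(rva)
  if not rva or rva < 0 then return nil, "invalid RVA" end
  -- RVAs that fall inside the headers map 1:1 onto the file
  if rva < to_num(size_of_headers) then return rva end
  for _, s in ipairs(sections) do
    local va    = to_num(s.VirtualAddress)
    local vsize = to_num(s.VirtualSize)
    local raw   = to_num(s.PointerToRawData)
    local rsize = to_num(s.SizeOfRawData)
    if rva >= va and rva < va + math.max(vsize, rsize) then
      local delta = rva - va
      -- beyond SizeOfRawData the loader zero-fills; nothing to read on disk
      if delta >= rsize then
        return nil, "RVA has no file backing in section " .. s.Name
      end
      return raw + delta
    end
  end
  return nil, "RVA not inside any section"
end

-- Constructed sample section table (hex strings, not taken from a real binary).
local sections = {
  { Name = ".text", VirtualAddress = "1000", VirtualSize = "1a40",
    PointerToRawData = "400",  SizeOfRawData = "1c00" },
  { Name = ".data", VirtualAddress = "3000", VirtualSize = "2000",
    PointerToRawData = "2000", SizeOfRawData = "200" },
}

-- Header RVA, code RVA, numeric RVA, unbacked RVA, unmapped RVA, bad input.
for _, rva in ipairs({ "80", "1234", 0x3100, "3400", "9000", "zz" }) do
  local off, err = rva_to_offset(sections, "400", rva)
  print(rva, off and string.format("0x%x", off) or ("error: " .. err))
end
```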
Tables
- const
Table with named constants/flag-constants.
Named elements can be looked up by their name in the const table. The sub tables are indexed by value.
For flag fields the name is extended with _flags.
Fields:
- Magic
- [20b]
Usage:
    -- lookup descriptive name for the myobj.Magic value
    -- (the sub tables are indexed by value, so use a table lookup)
    local desc = pe.const.Magic[myobj.Magic]

    -- get list of flag names, indexed by flag values, for the Characteristics field
    local flag_list = pe.const.Characteristics_flags