Custom Column script to parse PE files

fernandom
Posts: 1
Joined: 30 Jul 2024 00:28

Post by fernandom »

Hi folks,

New XYplorer user here. First of all, thanks for this great tool! <3

I'm trying to create a custom column script that shows some information about PE files. Here's my code:

Code:

$mz = readfile(<cc_item>, , 2);

if $mz != "MZ" {
    return "Not MZ";
}

//readfile(filename, [mode], [numbytes], [codepage], [start=1])
$lfanew = readfile(<cc_item>, , 4, , 0x3c + 1);
$pesig_ofs = "";

// Loop through the data previously read
for ($i=0; $i < 4; $i++) {
    $byte = substr($lfanew, $i, 1);
    $val = asc($byte);
    $pesig_ofs = hex($val, 2) . $pesig_ofs;
}

return $pesig_ofs;
My final goal is to show more information about the PE file (architecture, compilation timestamp, etc), but at this point I'm just trying to return the 4-byte offset of the PE signature that's stored at offset 0x3C of a PE file. For a PE file with the value 0x80 (80 00 00 00) at offset 0x3C, hex() returns 0xAC to me:
[Screenshot: xy.png]
I believe this has something to do with the fact hex() operates on signed integers only (according to the documentation). I tried to implement my own (unsigned) hex2dec() function, but I found no way to perform bitwise operations either. Is there a workaround to this problem? I'm probably missing something obvious...

Thanks in advance!

jupe
Posts: 3243
Joined: 20 Oct 2017 21:14
Location: Win10 22H2 120dpi

Re: Custom Column script to parse PE files

Post by jupe »

Try using "r" mode of readfile.

fernandom
Posts: 1
Joined: 30 Jul 2024 00:28

Re: Custom Column script to parse PE files

Post by fernandom »

Thanks, @jupe. This kind of worked, but readfile() now returns a string of 2 characters, even though I've asked it to read 4 bytes. I think it's creating a string of wide characters? Wouldn't that be the expected behavior for the "ru" mode instead?

Code:

$lfanew = readfile(<cc_item>, "r", 4, , 0x3c + 1);
$pesig_ofs = "";

// Loop through the data previously read
for ($i=0; $i < 4; $i++) {
    $byte = substr($lfanew, $i, 1);
    $val = asc($byte);
    $pesig_ofs = hex($val, 2) . $pesig_ofs;
}

// return strlen($pesig_ofs); // returns 2

return $pesig_ofs; // returns 0080 (expected 00000080)
EDIT: It worked with the "ru" mode. I am a bit confused, but will proceed for now. :)
Last edited by fernandom on 30 Jul 2024 18:42, edited 1 time in total.
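As an added example (not code from this thread or from XYplorer), here is the same header walk in Python: e_lfanew is read as raw unsigned little-endian bytes, bound-checked before it is trusted, and then used to pull the machine type and compile timestamp the first post asks about. The sample header bytes are constructed inline rather than taken from a real file, and the Windows-1252 remark in the comments is my inference about where the "AC" came from.

```python
import struct
from datetime import datetime, timezone

# IMAGE_FILE_MACHINE_* values from the PE/COFF specification.
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64", 0x01C4: "ARMv7"}
# IMAGE_FILE_HEADER layout: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER = "<HHIIIHH"


def build_sample_pe(e_lfanew=0x80, machine=0x8664, timestamp=0x66A8F0C0):
    """Constructed header-only sample (not a real executable) for testing."""
    dos_header = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)
    padding = b"\x00" * (e_lfanew - len(dos_header))
    coff = struct.pack(COFF_HEADER, machine, 3, timestamp, 0, 0, 0xF0, 0x0022)
    return dos_header + padding + b"PE\0\0" + coff


def parse_pe(data: bytes) -> dict:
    """Return the fields a triage column would show, or raise ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("Not MZ")
    if len(data) < 0x40:
        raise ValueError("truncated DOS header")
    # Read e_lfanew as raw bytes, unsigned little-endian. A text-mode read would
    # instead decode byte 0x80 through the codepage (U+20AC in Windows-1252),
    # which is the likely source of the "AC" seen in the thread.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Bound-check before trusting the offset: a corrupt or hostile file can
    # point e_lfanew anywhere, so never seek to it blindly.
    if e_lfanew + 4 + struct.calcsize(COFF_HEADER) > len(data):
        raise ValueError(f"e_lfanew 0x{e_lfanew:X} points past end of file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing at e_lfanew")
    machine, nsec, ts, _, _, _, chars = struct.unpack_from(COFF_HEADER, data, e_lfanew + 4)
    return {
        "e_lfanew": e_lfanew,
        "e_lfanew_hex": f"{e_lfanew:08X}",  # the "00000080" the poster expected
        "machine": MACHINE_NAMES.get(machine, f"0x{machine:04X}"),
        "sections": nsec,
        "timestamp_raw": ts,
        "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "is_dll": bool(chars & 0x2000),  # IMAGE_FILE_DLL
    }


if __name__ == "__main__":
    print(parse_pe(build_sample_pe()))
```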
