truekonrads · August 31, 2017 22:46
diff --git a/gistfile1.txt b/gistfile1.txt
 import pefile
 import pprint

 pe = pefile.PE(r"D:\Training\AdditionalDLLs\Security\MsAuditE.dll")


 for entry in pe.DIRECTORY_ENTRY_RESOURCE.entries:
    if entry.id == 11:
        actual_data = entry.directory.entries[0].directory.entries[0].data
        size = actual_data.struct.Size
        data_rva = actual_data.struct.OffsetToData
        print "[DD] Going with {}".format(actual_data.struct)
        data = pe.get_memory_mapped_image()[data_rva:data_rva + size]
        _MESSAGE_RESOURCE_DATA = {'MessageResourceBlocks': []}
        _MESSAGE_RESOURCE_DATA[
            'NumberOfBlocks'] = pe.get_dword_from_data(data, 0)
        for i in range(0, _MESSAGE_RESOURCE_DATA['NumberOfBlocks']):
            mrb_offset = 1 + i * 3

            mrb = {}
            mrb['LowId'] = pe.get_dword_from_data(data, mrb_offset + 0)
            mrb['HighId'] = pe.get_dword_from_data(data, mrb_offset + 1)
            mrb['OffsetToEntries'] = pe.get_dword_from_data(
                data, mrb_offset + 2)
            mrb['MessageRecordEntry'] = []
            mre_offset = 0
            for mre_id in range(mrb['LowId'], mrb['HighId'] + 1):
                # print "[DD] MRE OFFSET {}".format(mre_offset)
                mre = {'id': mre_id}
                mre['Length'] = pe.get_word_from_data(
                    data[mre_offset + mrb['OffsetToEntries']:], 0)
                mre['Flags'] = pe.get_word_from_data(
                    data[mre_offset + mrb['OffsetToEntries']:], 1)
                if mre['Flags'] == 0:
                    mre['Text'] = data[mre_offset + mrb['OffsetToEntries'] +
                                       4:mre_offset + mrb['OffsetToEntries'] + 4 + mre['Length']]
                else:
                    mre['Text'] = pe.get_string_u_at_rva(
                        data_rva + mre_offset + mrb['OffsetToEntries'] + 4, max_length=mre['Length'])
                # print "[DD] mre: {}".format(mre)
                mre_offset += mre['Length']
                mrb['MessageRecordEntry'].append(mre)
            print "[DD] mrb_offset: {}, mrb {}".format(mrb_offset, mrb)

            _MESSAGE_RESOURCE_DATA['MessageResourceBlocks'].append(mrb)
        # print pprint.pprint(_MESSAGE_RESOURCE_DATA)
        from IPython import embed
        embed()
        break
	import pefile
	import pprint

	pe = pefile.PE(r"D:\Training\AdditionalDLLs\Security\MsAuditE.dll")


	for entry in pe.DIRECTORY_ENTRY_RESOURCE.entries:
	if entry.id == 11:
	actual_data = entry.directory.entries[0].directory.entries[0].data
	size = actual_data.struct.Size
	data_rva = actual_data.struct.OffsetToData
	print "[DD] Going with {}".format(actual_data.struct)
	data = pe.get_memory_mapped_image()[data_rva:data_rva + size]
	_MESSAGE_RESOURCE_DATA = {'MessageResourceBlocks': []}
	_MESSAGE_RESOURCE_DATA[
	'NumberOfBlocks'] = pe.get_dword_from_data(data, 0)
	for i in range(0, _MESSAGE_RESOURCE_DATA['NumberOfBlocks']):
	mrb_offset = 1 + i * 3

	mrb = {}
	mrb['LowId'] = pe.get_dword_from_data(data, mrb_offset + 0)
	mrb['HighId'] = pe.get_dword_from_data(data, mrb_offset + 1)
	mrb['OffsetToEntries'] = pe.get_dword_from_data(
	data, mrb_offset + 2)
	mrb['MessageRecordEntry'] = []
	mre_offset = 0
	for mre_id in range(mrb['LowId'], mrb['HighId'] + 1):
	# print "[DD] MRE OFFSET {}".format(mre_offset)
	mre = {'id': mre_id}
	mre['Length'] = pe.get_word_from_data(
	data[mre_offset + mrb['OffsetToEntries']:], 0)
	mre['Flags'] = pe.get_word_from_data(
	data[mre_offset + mrb['OffsetToEntries']:], 1)
	if mre['Flags'] == 0:
	mre['Text'] = data[mre_offset + mrb['OffsetToEntries'] +
	4:mre_offset + mrb['OffsetToEntries'] + 4 + mre['Length']]
	else:
	mre['Text'] = pe.get_string_u_at_rva(
	data_rva + mre_offset + mrb['OffsetToEntries'] + 4, max_length=mre['Length'])
	# print "[DD] mre: {}".format(mre)
	mre_offset += mre['Length']
	mrb['MessageRecordEntry'].append(mre)
	print "[DD] mrb_offset: {}, mrb {}".format(mrb_offset, mrb)

	_MESSAGE_RESOURCE_DATA['MessageResourceBlocks'].append(mrb)
	# print pprint.pprint(_MESSAGE_RESOURCE_DATA)
	from IPython import embed
	embed()
	break