-
-
Notifications
You must be signed in to change notification settings - Fork 595
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Long section names in PE #1043
Comments
It's straightforward enough--in case anyone else runs into this: class StringTable:
string_data: bytes
def __init__(self, filename, binary):
string_table_ofs = binary.header.pointerto_symbol_table + binary.header.numberof_symbols * 18
with open(filename, 'rb') as f:
f.seek(string_table_ofs)
string_data = f.read(4)
size = struct.unpack('<I', string_data)[0]
string_data += f.read(size - 4)
self.string_data = string_data
def lookup(self, offset):
endofs = self.string_data.index(b'\0', offset)
return self.string_data[offset:endofs].decode()
...
dbg_binary = lief.parse(dbg_filename)
# load COFF string table
string_table = StringTable(dbg_filename, dbg_binary)
# augment section names
extended_names = []
for section in dbg_binary.sections:
if section.name.startswith('/'):
offset = int(section.name[1:])
extended_names.append(string_table.lookup(offset))
else:
extended_names.append(section.name) |
Thank you @laanwj for raising this issue. It makes sense to have this support. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
These are used for mingw debug information.
x86_64-w64-mingw32-objdump -r
output:LIEF output:
From what I read, the
/<X>
in the normal section name is interpreted as an decimal string containing an offset fromPE_Header.PointerToSymbolTable + PE_Header.NumberOfSymbols*18
to a zero-terminated string containing the full section name.As i'm trying to parse DWARF information inside a PE binary, it would be nice if these were accessible somehow.
Though it seems clearly possible to work around this limitation by doing the lookup manually.
The text was updated successfully, but these errors were encountered: