//------------------------------------------------ //--- 010 Editor v12.0.1 Script File // // File: FindPE.1sc // Authors: Fernando Mercês // Version: 0.1 // Purpose: Finds PE files within the current file. // The script will try to guess the size of the PE // files found based on their furthest section. A new // file tab is created for every PE file found. Limitations: // It doesn't see overlay data from PE files found. // Category: Search // History: // 0.1 2022-09-09 Fernando Mercês: Initial release. //------------------------------------------------ uint64 i; LONG e_lfanew; DWORD pesig; int64 PeFileSize; const int64 CurrentFileSize = FileSize(); const int idx = GetFileNum(); int64 InferPESize(DWORD PeSigOffset) { WORD NumberOfSections = ReadUShort(PeSigOffset + 6); WORD SizeOfOptionalHeader = ReadUShort(PeSigOffset + 20); DWORD PointerToRawData, HighestPointerToRawData = 0; DWORD SizeOfRawData, HighestSizeOfRawData = 0; local uint64 i; FSeek(PeSigOffset + 24 + SizeOfOptionalHeader); // Section Headers for (i=0; i HighestPointerToRawData) { HighestPointerToRawData = PointerToRawData; HighestSizeOfRawData = SizeOfRawData; } FSkip(20); // Next section } return HighestSizeOfRawData + HighestPointerToRawData; } TFindResults r = FindAll("MZ"); for (i=0; i= CurrentFileSize) continue; e_lfanew = ReadUInt(r.start[i] + 0x3c); // e_lfanew is always at 0x3c if (e_lfanew + 4 >= CurrentFileSize) continue; Printf(" e_lfanew: %#x\n", e_lfanew); pesig = ReadUInt(r.start[i] + e_lfanew); // e_lfanew should point to PE\0\0 if (pesig != 0x00004550) continue; Printf(" Valid PE Signature (PE\\0\\0): %#x\n", r.start[i] + e_lfanew); PeFileSize = InferPESize(r.start[i] + e_lfanew); Printf(" Guessed PE file size (bytes): %ld\n", PeFileSize); SetSelection(r.start[i], PeFileSize); CopyToClipboard(); FileNew("Hex", true); PasteFromClipboard(); FileSelect(idx); }