librex 0.0.13 → 0.0.15

data/lib/rex/peparsey.rb

@@ -1,12 +0,0 @@
-#!/usr/bin/env ruby
-
-# $Id: peparsey.rb 5413 2008-02-13 02:43:56Z ramon $
-
-module Rex
-module PeParsey
-
-end
-end
-
-require 'rex/peparsey/pe'
-require 'rex/peparsey/pe_memdump'

data/lib/rex/peparsey/exceptions.rb

@@ -1,32 +0,0 @@
-#!/usr/bin/env ruby
-
-# $Id: exceptions.rb 5871 2008-11-10 21:18:12Z hdm $
-
-module Rex
-module PeParsey
-
-class PeError < ::RuntimeError
-end
-
-class ParseError < PeError
-end
-
-class DosHeaderError < ParseError
-end
-
-class FileHeaderError < ParseError
-end
-
-class OptionalHeaderError < ParseError
-end
-
-class BoundsError < PeError
-end
-
-class WtfError < PeError
-end
-
-class SkipError < PeError
-end
-
-end end

data/lib/rex/peparsey/pe.rb

@@ -1,212 +0,0 @@
-#!/usr/bin/env ruby
-
-# $Id: pe.rb 10036 2010-08-18 04:39:38Z jduck $
-
-require 'rex/image_source'
-require 'rex/peparsey/exceptions'
-require 'rex/peparsey/pebase'
-require 'rex/peparsey/section'
-require 'rex/struct2'
-
-module Rex
-module PeParsey
-class Pe < PeBase
-
-	def initialize(isource)
-
-		#
-		# DOS Header
-		#
-		# Parse the initial dos header, starting at the file beginning
-		#
-		offset = 0
-		dos_header = self.class._parse_dos_header(isource.read(offset, IMAGE_DOS_HEADER_SIZE))
-
-		#
-		# File Header
-		#
-		# If there is going to be a PE, the dos header tells us where to find it
-		# So now we try to parse the file (pe) header
-		#
-		offset += dos_header.e_lfanew
-
-		# most likely an invalid e_lfanew...
-		if offset > isource.size
-			raise FileHeaderError, "e_lfanew looks invalid", caller
-		end
-
-		file_header = self.class._parse_file_header(isource.read(offset, IMAGE_FILE_HEADER_SIZE))
-
-		#
-		# Optional Header
-		#
-		# After the file header, we find the optional header.  Right now
-		# we require a optional header.  Despite it's name, all binaries
-		# that we are interested in should have one.  We need this
-		# header for a lot of stuff, so we die without it...
-		#
-		offset += IMAGE_FILE_HEADER_SIZE
-		optional_header = self.class._parse_optional_header(
-		  isource.read(offset, file_header.SizeOfOptionalHeader)
-		)
-
-		if !optional_header
-			raise OptionalHeaderError, "No optional header!", caller
-		end
-
-		base = optional_header.ImageBase
-
-		#
-		# Section Headers
-		#
-		# After the optional header should be the section headers.
-		# We know how many there should be from the file header...
-		#
-		offset += file_header.SizeOfOptionalHeader
-
-		num_sections = file_header.NumberOfSections
-		section_headers = self.class._parse_section_headers(
-		  isource.read(offset, IMAGE_SIZEOF_SECTION_HEADER * num_sections)
-		)
-
-		#
-		# End of Headers
-		#
-		# After the section headers (which are padded to FileAlignment)
-		# we should find the section data, described by the section
-		# headers...
-		#
-		# So this is the end of our header data, lets store this
-		# in an image source for possible access later...
-		#
-		offset += IMAGE_SIZEOF_SECTION_HEADER * num_sections
-		offset = self.class._align_offset(offset, optional_header.FileAlignment)
-
-		header_section = Section.new(isource.subsource(0, offset), 0, nil)
-
-		#
-		# Sections
-		#
-		# So from here on out should be section data, and then any
-		# trailing data (like authenticode and stuff I think)
-		#
-
-		sections = [ ]
-
-		section_headers.each do |section_header|
-
-			rva         = section_header.VirtualAddress
-			size        = section_header.SizeOfRawData
-			file_offset = section_header.PointerToRawData
-
-			sections << Section.new(
-			  isource.subsource(file_offset, size),
-			  rva,
-			  section_header
-			)
-		end
-
-
-
-		#
-		# Save the stuffs!
-		#
-		# We have parsed enough to load the file up here, now we just
-		# save off all of the structures and data... We will
-		# save our fake header section, the real sections, etc.
-		#
-
-		#
-		# These should not be accessed directly
-		#
-
-		self._isource          = isource
-
-		self._dos_header       = dos_header
-		self._file_header      = file_header
-		self._optional_header  = optional_header
-		self._section_headers  = section_headers
-
-		self.image_base        = base
-		self.sections          = sections
-		self.header_section    = header_section
-
-		self._config_header    = _parse_config_header()
-		self._tls_header       = _parse_tls_header()
-
-		# These can be accessed directly
-		self.hdr               = HeaderAccessor.new
-		self.hdr.dos           = self._dos_header
-		self.hdr.file          = self._file_header
-		self.hdr.opt           = self._optional_header
-		self.hdr.sections      = self._section_headers
-		self.hdr.config        = self._config_header
-		self.hdr.tls           = self._tls_header
-		self.hdr.exceptions    = self._exception_header
-
-		# We load the exception directory last as it relies on hdr.file to be created above.
-		self._exception_header = _load_exception_directory()
-	end
-
-	#
-	# Return everything that's going to be mapped in the process
-	# and accessable.  This should include all of the sections
-	# and our "fake" section for the header data...
-	#
-	def all_sections
-		[ header_section ] + sections
-	end
-
-	#
-	# Returns true if this binary is for a 64-bit architecture.
-	#
-	def ptr_64?
-		[
-			IMAGE_FILE_MACHINE_IA64,
-			IMAGE_FILE_MACHINE_ALPHA64,
-			IMAGE_FILE_MACHINE_AMD64
-		].include?(self._file_header.Machine)
-	end
-
-	#
-	# Returns true if this binary is for a 32-bit architecture.
-	# This check does not take into account 16-bit binaries at the moment.
-	#
-	def ptr_32?
-		ptr_64? == false
-	end
-
-	#
-	# Converts a virtual address to a string representation based on the
-	# underlying architecture.
-	#
-	def ptr_s(va)
-		(ptr_32?) ? ("0x%.8x" % va) : ("0x%.16x" % va)
-	end
-
-	#
-	# Converts a file offset into a virtual address
-	#
-	def file_offset_to_va(offset)
-		image_base + file_offset_to_rva(offset)
-	end
-
-	#
-	# Read raw bytes from the specified offset in the underlying file
-	#
-	# NOTE: You should pass raw file offsets into this, not offsets from
-	# the beginning of the section. If you need to read from within a 
-	# section, add section.file_offset prior to passing the offset in.
-	#
-	def read(offset, len)
-		_isource.read(offset, len)
-	end
-
-	def size
-		_isource.size
-	end
-	def length
-		_isource.size
-	end
-
-end end end

data/lib/rex/peparsey/pe_memdump.rb

@@ -1,63 +0,0 @@
-#!/usr/bin/env ruby
-
-# $Id: pe_memdump.rb 5871 2008-11-10 21:18:12Z hdm $
-
-require 'rex/image_source'
-require 'rex/peparsey/exceptions'
-require 'rex/peparsey/pebase'
-require 'rex/peparsey/section'
-require 'rex/struct2'
-
-#
-# This class is for use with memdump.exe generated dump images.  It basically
-# just lies, gets the ImageBase from the file name, and generates 1 big
-# header_section with all of the data in it...
-#
-
-module Rex
-module PeParsey
-class PeMemDump < Pe
-
-	def self.new_from_string(data)
-		raise NotImplementError
-	end
-
-	def self.new_from_file(filename, disk_backed = false)
-	
-		if filename[-4, 4] != '.rng'
-			raise "Not a .rng file: #{filename}"
-		end
-		
-		if filename[-9, 9] == "index.rng"
-			raise SkipError
-		end
-
-		file = File.open(filename, 'rb')
-
-		if disk_backed
-			obj = ImageSource::Disk.new(file)
-		else
-			obj = ImageSource::Memory.new(file.read)
-			obj.close
-		end
-
-		return self.new(obj, filename.gsub(/.*[\/\\]/, '')[0,8].hex)
-	end
-
-	def initialize(isource, base)
-		self._isource = isource
-		self.header_section = Section.new(isource, base, nil)
-		self.sections = [ self.header_section ]
-		self.image_base = 0
-	end
-	
-	def all_sections
-		self.sections
-	end
-
-	# No 64-bit support
-	def ptr_64?
-		false
-	end
-
-end end end

data/lib/rex/peparsey/pebase.rb

@@ -1,1680 +0,0 @@
-#!/usr/bin/env ruby
-
-# $Id: pebase.rb 10036 2010-08-18 04:39:38Z jduck $
-
-require 'rex/peparsey/exceptions'
-require 'rex/struct2'
-
-module Rex
-module PeParsey
-class PeBase
-
-
-	# #define IMAGE_DOS_SIGNATURE                 0x5A4D      // MZ
-
-	IMAGE_DOS_SIGNATURE = 0x5a4d
-
-	#
-	# typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
-	#     WORD   e_magic;                     // Magic number
-	#     WORD   e_cblp;                      // Bytes on last page of file
-	#     WORD   e_cp;                        // Pages in file
-	#     WORD   e_crlc;                      // Relocations
-	#     WORD   e_cparhdr;                   // Size of header in paragraphs
-	#     WORD   e_minalloc;                  // Minimum extra paragraphs needed
-	#     WORD   e_maxalloc;                  // Maximum extra paragraphs needed
-	#     WORD   e_ss;                        // Initial (relative) SS value
-	#     WORD   e_sp;                        // Initial SP value
-	#     WORD   e_csum;                      // Checksum
-	#     WORD   e_ip;                        // Initial IP value
-	#     WORD   e_cs;                        // Initial (relative) CS value
-	#     WORD   e_lfarlc;                    // File address of relocation table
-	#     WORD   e_ovno;                      // Overlay number
-	#     WORD   e_res[4];                    // Reserved words
-	#     WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
-	#     WORD   e_oeminfo;                   // OEM information; e_oemid specific
-	#     WORD   e_res2[10];                  // Reserved words
-	#     LONG   e_lfanew;                    // File address of new exe header
-	#   } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
-	#
-
-	IMAGE_DOS_HEADER_SIZE = 64
-	IMAGE_DOS_HEADER = Rex::Struct2::CStructTemplate.new(
-	  [ 'uint16v', 'e_magic',     IMAGE_DOS_SIGNATURE ],
-	  [ 'uint16v', 'e_cblp',      0 ],
-	  [ 'uint16v', 'e_cp',        0 ],
-	  [ 'uint16v', 'e_crlc',      0 ],
-	  [ 'uint16v', 'e_cparhdr',   0 ],
-	  [ 'uint16v', 'e_minalloc',  0 ],
-	  [ 'uint16v', 'e_maxalloc',  0 ],
-	  [ 'uint16v', 'e_ss',        0 ],
-	  [ 'uint16v', 'e_sp',        0 ],
-	  [ 'uint16v', 'e_csum',      0 ],
-	  [ 'uint16v', 'e_ip',        0 ],
-	  [ 'uint16v', 'e_cs',        0 ],
-	  [ 'uint16v', 'e_lfarlc',    0 ],
-	  [ 'uint16v', 'e_ovno',      0 ],
-	  [ 'template', 'e_res', Rex::Struct2::CStructTemplate.new(
-	    [ 'uint16v', 'e_res_0', 0 ],
-	    [ 'uint16v', 'e_res_1', 0 ],
-	    [ 'uint16v', 'e_res_2', 0 ],
-	    [ 'uint16v', 'e_res_3', 0 ]
-	  )],
-	  [ 'uint16v', 'e_oemid',     0 ],
-	  [ 'uint16v', 'e_oeminfo',   0 ],
-	  [ 'template', 'e_res2', Rex::Struct2::CStructTemplate.new(
-	    [ 'uint16v', 'e_res2_0', 0 ],
-	    [ 'uint16v', 'e_res2_1', 0 ],
-	    [ 'uint16v', 'e_res2_2', 0 ],
-	    [ 'uint16v', 'e_res2_3', 0 ],
-	    [ 'uint16v', 'e_res2_4', 0 ],
-	    [ 'uint16v', 'e_res2_5', 0 ],
-	    [ 'uint16v', 'e_res2_6', 0 ],
-	    [ 'uint16v', 'e_res2_7', 0 ],
-	    [ 'uint16v', 'e_res2_8', 0 ],
-	    [ 'uint16v', 'e_res2_9', 0 ]
-	  )],
-	  [ 'uint32v', 'e_lfanew',    0 ]
-	)
-
-
-	class HeaderAccessor
-		attr_accessor :dos, :file, :opt, :sections, :config, :exceptions, :tls
-		def initialize
-		end
-	end
-
-	class GenericStruct
-		attr_accessor :struct
-		def initialize(_struct)
-			self.struct = _struct
-		end
-
-		# The following methods are just pass-throughs for struct
-
-		# Access a value
-		def v
-			struct.v
-		end
-
-		# Access a value by array
-		def [](*args)
-			struct[*args]
-		end
-
-		# Obtain an array of all fields
-		def keys
-			struct.keys
-		end
-
-		def method_missing(meth, *args)
-			v[meth.to_s] || (raise NoMethodError.new, meth)
-		end
-	end
-
-	class GenericHeader < GenericStruct
-	end
-
-	class DosHeader < GenericHeader
-
-		def initialize(rawdata)
-			dos_header = IMAGE_DOS_HEADER.make_struct
-
-			if !dos_header.from_s(rawdata)
-				raise DosHeaderError, "Couldn't parse IMAGE_DOS_HEADER", caller
-			end
-
-			if dos_header.v['e_magic'] != IMAGE_DOS_SIGNATURE
-				raise DosHeaderError, "Couldn't find DOS e_magic", caller
-			end
-
-			self.struct = dos_header
-		end
-
-		def e_lfanew
-			v['e_lfanew']
-		end
-	end
-
-
-	def self._parse_dos_header(rawdata)
-		return DosHeader.new(rawdata)
-	end
-
-	#
-	# typedef struct _IMAGE_FILE_HEADER {
-	#     WORD    Machine;
-	#     WORD    NumberOfSections;
-	#     DWORD   TimeDateStamp;
-	#     DWORD   PointerToSymbolTable;
-	#     DWORD   NumberOfSymbols;
-	#     WORD    SizeOfOptionalHeader;
-	#     WORD    Characteristics;
-	# } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
-	#
-	# #define IMAGE_NT_SIGNATURE                  0x00004550  // PE00
-	# #define IMAGE_FILE_MACHINE_I386              0x014c  // Intel 386.
-	# #define IMAGE_FILE_MACHINE_IA64              0x0200  // Intel 64
-	# #define IMAGE_FILE_MACHINE_ALPHA64           0x0284  // ALPHA64
-	# #define IMAGE_FILE_MACHINE_AMD64             0x8664  // AMD64 (K8)
-	# #define IMAGE_SIZEOF_FILE_HEADER             20
-	#
-
-	IMAGE_NT_SIGNATURE       = 0x00004550
-	IMAGE_FILE_MACHINE_I386  = 0x014c
-	IMAGE_FILE_MACHINE_IA64  = 0x0200
-	IMAGE_FILE_MACHINE_ALPHA64 = 0x0284
-	IMAGE_FILE_MACHINE_AMD64 = 0x8664
-	IMAGE_FILE_HEADER_SIZE   = 20+4  # because we include the signature
-	IMAGE_FILE_HEADER = Rex::Struct2::CStructTemplate.new(
-	  # not really in the header, but easier for us this way
-	  [ 'uint32v', 'NtSignature',           0 ],
-	  [ 'uint16v', 'Machine',               0 ],
-	  [ 'uint16v', 'NumberOfSections',      0 ],
-	  [ 'uint32v', 'TimeDateStamp',         0 ],
-	  [ 'uint32v', 'PointerToSymbolTable',  0 ],
-	  [ 'uint32v', 'NumberOfSymbols',       0 ],
-	  [ 'uint16v', 'SizeOfOptionalHeader',  0 ],
-	  [ 'uint16v', 'Characteristics',       0 ]
-	)
-
-	SUPPORTED_MACHINES = [
-		IMAGE_FILE_MACHINE_I386,
-		IMAGE_FILE_MACHINE_IA64,
-		IMAGE_FILE_MACHINE_ALPHA64,
-		IMAGE_FILE_MACHINE_AMD64
-	]
-
-	class FileHeader < GenericHeader
-		def initialize(rawdata)
-			file_header = IMAGE_FILE_HEADER.make_struct
-
-			if !file_header.from_s(rawdata)
-				raise FileHeaderError, "Couldn't parse IMAGE_FILE_HEADER", caller
-			end
-
-			if file_header.v['NtSignature'] != IMAGE_NT_SIGNATURE
-				raise FileHeaderError, "Couldn't find the PE magic!"
-			end
-
-			if SUPPORTED_MACHINES.include?(file_header.v['Machine']) == false
-				raise FileHeaderError, "Unsupported machine type: #{file_header.v['Machine']}", caller
-			end
-
-			self.struct = file_header
-		end
-
-		def Machine
-			v['Machine']
-		end
-
-		def SizeOfOptionalHeader
-			v['SizeOfOptionalHeader']
-		end
-
-		def NumberOfSections
-			v['NumberOfSections']
-		end
-	end
-
-	def self._parse_file_header(rawdata)
-		return FileHeader.new(rawdata)
-	end
-
-	#
-	# typedef struct _IMAGE_IMPORT_DESCRIPTOR {
-	#     union {
-	#         DWORD   Characteristics;            // 0 for terminating null import descriptor
-	#         DWORD   OriginalFirstThunk;         // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
-	#     };
-	#     DWORD   TimeDateStamp;                  // 0 if not bound,
-	#                                             // -1 if bound, and real date\time stamp
-	#                                             //     in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
-	#                                             // O.W. date/time stamp of DLL bound to (Old BIND)
-	#
-	#     DWORD   ForwarderChain;                 // -1 if no forwarders
-	#     DWORD   Name;
-	#     DWORD   FirstThunk;                     // RVA to IAT (if bound this IAT has actual addresses)
-	# } IMAGE_IMPORT_DESCRIPTOR;
-	#
-	IMAGE_ORDINAL_FLAG32         = 0x80000000
-	IMAGE_IMPORT_DESCRIPTOR_SIZE = 20
-	IMAGE_IMPORT_DESCRIPTOR = Rex::Struct2::CStructTemplate.new(
-	  [ 'uint32v', 'OriginalFirstThunk',           0 ],
-	  [ 'uint32v', 'TimeDateStamp',                0 ],
-	  [ 'uint32v', 'ForwarderChain',               0 ],
-	  [ 'uint32v', 'Name',                         0 ],
-	  [ 'uint32v', 'FirstThunk',                   0 ]
-	)
-
-	#
-	# typedef struct _IMAGE_IMPORT_BY_NAME {
-	#     WORD    Hint;
-	#     BYTE    Name[1];
-	# } IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME;
-	#
-
-	class ImportDescriptor
-		attr_accessor :name, :entries
-		def initialize(_name, _entries)
-			self.name    = _name
-			self.entries = _entries
-		end
-	end
-
-	class ImportEntry
-		attr_accessor :name, :ordinal
-		def initialize(_name, _ordinal)
-			self.name     = _name
-			self.ordinal  = _ordinal
-		end
-	end
-
-	#
-	# typedef struct _IMAGE_EXPORT_DIRECTORY {
-	#     DWORD   Characteristics;
-	#     DWORD   TimeDateStamp;
-	#     WORD    MajorVersion;
-	#     WORD    MinorVersion;
-	#     DWORD   Name;
-	#     DWORD   Base;
-	#     DWORD   NumberOfFunctions;
-	#     DWORD   NumberOfNames;
-	#     DWORD   AddressOfFunctions;     // RVA from base of image
-	#     DWORD   AddressOfNames;         // RVA from base of image
-	#     DWORD   AddressOfNameOrdinals;  // RVA from base of image
-	# } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
-	#
-	IMAGE_EXPORT_DESCRIPTOR_SIZE = 40
-	IMAGE_EXPORT_DESCRIPTOR = Rex::Struct2::CStructTemplate.new(
-	  [ 'uint32v', 'Characteristics',              0 ],
-	  [ 'uint32v', 'TimeDateStamp',                0 ],
-	  [ 'uint16v', 'MajorVersion',                 0 ],
-	  [ 'uint16v', 'MinorVersion',                 0 ],
-	  [ 'uint32v', 'Name',                         0 ],
-	  [ 'uint32v', 'Base',                         0 ],
-	  [ 'uint32v', 'NumberOfFunctions',            0 ],
-	  [ 'uint32v', 'NumberOfNames',                0 ],
-	  [ 'uint32v', 'AddressOfFunctions',           0 ],
-	  [ 'uint32v', 'AddressOfNames',               0 ],
-	  [ 'uint32v', 'AddressOfNameOrdinals',        0 ]
-	)
-
-	class ExportDirectory
-		attr_accessor :name, :entries, :base
-
-		def initialize(_name, _entries, _base)
-			self.name    = _name
-			self.entries = _entries
-			self.base    = _base
-		end
-	end
-
-	class ExportEntry
-		attr_accessor :name, :ordinal, :rva
-		def initialize(_name, _ordinal, _rva)
-			self.name     = _name
-			self.ordinal  = _ordinal
-			self.rva      = _rva
-		end
-	end
-
-	#
-	# typedef struct _IMAGE_DATA_DIRECTORY {
-	#     DWORD   VirtualAddress;
-	#     DWORD   Size;
-	# } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
-	#
-	IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16
-	IMAGE_DATA_DIRECTORY_SIZE        = 8
-	IMAGE_DIRECTORY_ENTRY_EXPORT         = 0
-	IMAGE_DIRECTORY_ENTRY_IMPORT         = 1
-	IMAGE_DIRECTORY_ENTRY_RESOURCE       = 2
-	IMAGE_DIRECTORY_ENTRY_EXCEPTION      = 3
-	IMAGE_DIRECTORY_ENTRY_SECURITY       = 4
-	IMAGE_DIRECTORY_ENTRY_BASERELOC      = 5
-	IMAGE_DIRECTORY_ENTRY_DEBUG          = 6
-	IMAGE_DIRECTORY_ENTRY_COPYRIGHT      = 7
-	IMAGE_DIRECTORY_ENTRY_ARCHITECTURE   = 7
-	IMAGE_DIRECTORY_ENTRY_GLOBALPTR      = 8
-	IMAGE_DIRECTORY_ENTRY_TLS            = 9
-	IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    = 10
-	IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   = 11
-	IMAGE_DIRECTORY_ENTRY_IAT            = 12
-	IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   = 13
-	IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
-	IMAGE_DATA_DIRECTORY = Rex::Struct2::CStructTemplate.new(
-	  [ 'uint32v', 'VirtualAddress',               0 ],
-	  [ 'uint32v', 'Size',                         0 ]
-	)
-
-	#
-	# typedef struct _IMAGE_OPTIONAL_HEADER {
-	#     //
-	#     // Standard fields.
-	#     //
-	#
-	#     WORD    Magic;
-	#     BYTE    MajorLinkerVersion;
-	#     BYTE    MinorLinkerVersion;
-	#     DWORD   SizeOfCode;
-	#     DWORD   SizeOfInitializedData;
-	#     DWORD   SizeOfUninitializedData;
-	#     DWORD   AddressOfEntryPoint;
-	#     DWORD   BaseOfCode;
-	#     DWORD   BaseOfData;
-	#
-	#     //
-	#     // NT additional fields.
-	#     //
-	#
-	#     DWORD   ImageBase;
-	#     DWORD   SectionAlignment;
-	#     DWORD   FileAlignment;
-	#     WORD    MajorOperatingSystemVersion;
-	#     WORD    MinorOperatingSystemVersion;
-	#     WORD    MajorImageVersion;
-	#     WORD    MinorImageVersion;
-	#     WORD    MajorSubsystemVersion;
-	#     WORD    MinorSubsystemVersion;
-	#     DWORD   Win32VersionValue;
-	#     DWORD   SizeOfImage;
-	#     DWORD   SizeOfHeaders;
-	#     DWORD   CheckSum;
-	#     WORD    Subsystem;
-	#     WORD    DllCharacteristics;
-	#     DWORD   SizeOfStackReserve;
-	#     DWORD   SizeOfStackCommit;
-	#     DWORD   SizeOfHeapReserve;
-	#     DWORD   SizeOfHeapCommit;
-	#     DWORD   LoaderFlags;
-	#     DWORD   NumberOfRvaAndSizes;
-	#     IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
-	# } IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
-	#
-	# #define IMAGE_NT_OPTIONAL_HDR32_MAGIC      0x10b
-	# #define IMAGE_SIZEOF_NT_OPTIONAL32_HEADER    224
-	#
-
-	IMAGE_NT_OPTIONAL_HDR32_MAGIC     = 0x10b
-	IMAGE_SIZEOF_NT_OPTIONAL32_HEADER = 224
-	IMAGE_OPTIONAL_HEADER32 = Rex::Struct2::CStructTemplate.new(
-	  [ 'uint16v', 'Magic',                        0 ],
-	  [ 'uint8',   'MajorLinkerVersion',           0 ],
-	  [ 'uint8',   'MinorLinkerVersion',           0 ],
-	  [ 'uint32v', 'SizeOfCode',                   0 ],
-	  [ 'uint32v', 'SizeOfInitializeData',         0 ],
-	  [ 'uint32v', 'SizeOfUninitializeData',       0 ],
-	  [ 'uint32v', 'AddressOfEntryPoint',          0 ],
-	  [ 'uint32v', 'BaseOfCode',                   0 ],
-	  [ 'uint32v', 'BaseOfData',                   0 ],
-	  [ 'uint32v', 'ImageBase',                    0 ],
-	  [ 'uint32v', 'SectionAlignment',             0 ],
-	  [ 'uint32v', 'FileAlignment',                0 ],
-	  [ 'uint16v', 'MajorOperatingSystemVersion',  0 ],
-	  [ 'uint16v', 'MinorOperatingSystemVersion',  0 ],
-	  [ 'uint16v', 'MajorImageVersion',            0 ],
-	  [ 'uint16v', 'MinorImageVersion',            0 ],
-	  [ 'uint16v', 'MajorSubsystemVersion',        0 ],
-	  [ 'uint16v', 'MinorSubsystemVersion',        0 ],
-	  [ 'uint32v', 'Win32VersionValue',            0 ],
-	  [ 'uint32v', 'SizeOfImage',                  0 ],
-	  [ 'uint32v', 'SizeOfHeaders',                0 ],
-	  [ 'uint32v', 'CheckSum',                     0 ],
-	  [ 'uint16v', 'Subsystem',                    0 ],
-	  [ 'uint16v', 'DllCharacteristics',           0 ],
-	  [ 'uint32v', 'SizeOfStackReserve',           0 ],
-	  [ 'uint32v', 'SizeOfStackCommit',            0 ],
-	  [ 'uint32v', 'SizeOfHeapReserve',            0 ],
-	  [ 'uint32v', 'SizeOfHeapCommit',             0 ],
-	  [ 'uint32v', 'LoaderFlags',                  0 ],
-	  [ 'uint32v', 'NumberOfRvaAndSizes',          0 ],
-	  [ 'template', 'DataDirectory', Rex::Struct2::CStructTemplate.new(
-	    [ 'template', 'DataDirectoryEntry_0', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_1', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_2', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_3', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_4', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_5', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_6', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_7', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_8', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_9', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_10', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_11', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_12', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_13', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_14', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_15', IMAGE_DATA_DIRECTORY ]
-	  )]
-	)
-
-	#
-	# typedef struct _IMAGE_OPTIONAL_HEADER64 {
-	# 	 USHORT      Magic;
-	# 	 UCHAR       MajorLinkerVersion;
-	# 	 UCHAR       MinorLinkerVersion;
-	# 	 ULONG       SizeOfCode;
-	# 	 ULONG       SizeOfInitializedData;
-	# 	 ULONG       SizeOfUninitializedData;
-	# 	 ULONG       AddressOfEntryPoint;
-	# 	 ULONG       BaseOfCode;
-	# 	 ULONGLONG   ImageBase;
-	# 	 ULONG       SectionAlignment;
-	# 	 ULONG       FileAlignment;
-	# 	 USHORT      MajorOperatingSystemVersion;
-	# 	 USHORT      MinorOperatingSystemVersion;
-	# 	 USHORT      MajorImageVersion;
-	# 	 USHORT      MinorImageVersion;
-	# 	 USHORT      MajorSubsystemVersion;
-	# 	 USHORT      MinorSubsystemVersion;
-	# 	 ULONG       Win32VersionValue;
-	# 	 ULONG       SizeOfImage;
-	# 	 ULONG       SizeOfHeaders;
-	# 	 ULONG       CheckSum;
-	# 	 USHORT      Subsystem;
-	# 	 USHORT      DllCharacteristics;
-	# 	 ULONGLONG   SizeOfStackReserve;
-	# 	 ULONGLONG   SizeOfStackCommit;
-	# 	 ULONGLONG   SizeOfHeapReserve;
-	# 	 ULONGLONG   SizeOfHeapCommit;
-	# 	 ULONG       LoaderFlags;
-	# 	 ULONG       NumberOfRvaAndSizes;
-	# 	 IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
-	# } IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;
-	#
-	# #define IMAGE_NT_OPTIONAL_HDR64_MAGIC      0x20b
-	# #define IMAGE_SIZEOF_NT_OPTIONAL64_HEADER    240
-	#
-
-	IMAGE_NT_OPTIONAL_HDR64_MAGIC     = 0x20b
-	IMAGE_SIZEOF_NT_OPTIONAL64_HEADER = 240
-	IMAGE_OPTIONAL_HEADER64 = Rex::Struct2::CStructTemplate.new(
-	  [ 'uint16v', 'Magic',                        0 ],
-	  [ 'uint8',   'MajorLinkerVersion',           0 ],
-	  [ 'uint8',   'MinorLinkerVersion',           0 ],
-	  [ 'uint32v', 'SizeOfCode',                   0 ],
-	  [ 'uint32v', 'SizeOfInitializeData',         0 ],
-	  [ 'uint32v', 'SizeOfUninitializeData',       0 ],
-	  [ 'uint32v', 'AddressOfEntryPoint',          0 ],
-	  [ 'uint32v', 'BaseOfCode',                   0 ],
-	  [ 'uint64v', 'ImageBase',                    0 ],
-	  [ 'uint32v', 'SectionAlignment',             0 ],
-	  [ 'uint32v', 'FileAlignment',                0 ],
-	  [ 'uint16v', 'MajorOperatingsystemVersion',  0 ],
-	  [ 'uint16v', 'MinorOperatingsystemVersion',  0 ],
-	  [ 'uint16v', 'MajorImageVersion',            0 ],
-	  [ 'uint16v', 'MinorImageVersion',            0 ],
-	  [ 'uint16v', 'MajorSubsystemVersion',        0 ],
-	  [ 'uint16v', 'MinorSubsystemVersion',        0 ],
-	  [ 'uint32v', 'Win32VersionValue',            0 ],
-	  [ 'uint32v', 'SizeOfImage',                  0 ],
-	  [ 'uint32v', 'SizeOfHeaders',                0 ],
-	  [ 'uint32v', 'CheckSum',                     0 ],
-	  [ 'uint16v', 'Subsystem',                    0 ],
-	  [ 'uint16v', 'DllCharacteristics',           0 ],
-	  [ 'uint64v', 'SizeOfStackReserve',           0 ],
-	  [ 'uint64v', 'SizeOfStackCommit',            0 ],
-	  [ 'uint64v', 'SizeOfHeapReserve',            0 ],
-	  [ 'uint64v', 'SizeOfHeapCommit',             0 ],
-	  [ 'uint32v', 'LoaderFlags',                  0 ],
-	  [ 'uint32v', 'NumberOfRvaAndSizes',          0 ],
-	  [ 'template', 'DataDirectory', Rex::Struct2::CStructTemplate.new(
-	    [ 'template', 'DataDirectoryEntry_0', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_1', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_2', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_3', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_4', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_5', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_6', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_7', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_8', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_9', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_10', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_11', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_12', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_13', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_14', IMAGE_DATA_DIRECTORY ],
-	    [ 'template', 'DataDirectoryEntry_15', IMAGE_DATA_DIRECTORY ]
-	  )]
-	)
-
-	class OptionalHeader < GenericHeader
-		def ImageBase
-			v['ImageBase']
-		end
-		def FileAlignment
-			v['FileAlignment']
-		end
-	end
-
-	class OptionalHeader32 < OptionalHeader
-		def initialize(rawdata)
-			optional_header = IMAGE_OPTIONAL_HEADER32.make_struct
-
-			if !optional_header.from_s(rawdata)
-				raise OptionalHeaderError, "Couldn't parse IMAGE_OPTIONAL_HEADER32", caller
-			end
-
-			if optional_header.v['Magic'] != IMAGE_NT_OPTIONAL_HDR32_MAGIC
-				raise OptionalHeaderError, "Magic did not match!", caller()
-			end
-
-			self.struct = optional_header
-		end
-	end
-
-	class OptionalHeader64 < OptionalHeader
-		def initialize(rawdata)
-			optional_header = IMAGE_OPTIONAL_HEADER64.make_struct
-
-			if !optional_header.from_s(rawdata)
-				raise OptionalHeaderError, "Couldn't parse IMAGE_OPTIONAL_HEADER64", caller
-			end
-
-			if optional_header.v['Magic'] != IMAGE_NT_OPTIONAL_HDR64_MAGIC
-				raise OptionalHeaderError, "Magic did not match!", caller()
-			end
-
-			self.struct = optional_header
-		end
-	end
-
-	def self._parse_optional_header(rawdata)
-		case rawdata.length
-			# no optional header
-			when 0
-				return nil
-
-			# good, good
-			when IMAGE_SIZEOF_NT_OPTIONAL32_HEADER
-				return OptionalHeader32.new(rawdata)
-
-			when IMAGE_SIZEOF_NT_OPTIONAL64_HEADER
-				return OptionalHeader64.new(rawdata)
-
-			# bad, bad
-			else
-				raise OptionalHeaderError, "I don't know this header size, #{rawdata.length}", caller
-		end
-
-	end
-
-	#
-	# typedef struct _IMAGE_SECTION_HEADER {
-	#     BYTE    Name[IMAGE_SIZEOF_SHORT_NAME];
-	#     union {
-	#             DWORD   PhysicalAddress;
-	#             DWORD   VirtualSize;
-	#     } Misc;
-	#     DWORD   VirtualAddress;
-	#     DWORD   SizeOfRawData;
-	#     DWORD   PointerToRawData;
-	#     DWORD   PointerToRelocations;
-	#     DWORD   PointerToLinenumbers;
-	#     WORD    NumberOfRelocations;
-	#     WORD    NumberOfLinenumbers;
-	#     DWORD   Characteristics;
-	# } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
-	#
-	# #define IMAGE_SIZEOF_SECTION_HEADER          40
-	#
-
-	IMAGE_SIZEOF_SECTION_HEADER = 40
-	IMAGE_SECTION_HEADER = Rex::Struct2::CStructTemplate.new(
-	  [ 'string',  'Name', 8,               '' ],
-	  [ 'uint32v', 'Misc',                   0 ],
-	  [ 'uint32v', 'VirtualAddress',         0 ],
-	  [ 'uint32v', 'SizeOfRawData',          0 ],
-	  [ 'uint32v', 'PointerToRawData',       0 ],
-	  [ 'uint32v', 'PointerToRelocations',   0 ],
-	  [ 'uint32v', 'NumberOfRelocations',    0 ],
-	  [ 'uint32v', 'NumberOfLineNumbers',    0 ],
-	  [ 'uint32v', 'Characteristics',        0 ]
-	)
-
-	class SectionHeader < GenericHeader
-		def initialize(rawdata)
-			section_header = IMAGE_SECTION_HEADER.make_struct
-
-			if !section_header.from_s(rawdata)
-				raise SectionHeaderError, "Could not parse header", caller
-			end
-
-			self.struct = section_header
-		end
-
-		def VirtualAddress
-			v['VirtualAddress']
-		end
-		def SizeOfRawData
-			v['SizeOfRawData']
-		end
-		def PointerToRawData
-			v['PointerToRawData']
-		end
-	end
-
-	def self._parse_section_headers(rawdata)
-		section_headers = [ ]
-		size = IMAGE_SIZEOF_SECTION_HEADER
-		numsections = rawdata.length / size
-
-		numsections.times do |i|
-			data = rawdata[i * size, size]
-			section_headers << SectionHeader.new(data)
-		end
-
-		return section_headers
-	end
-
-	#
-	# typedef struct _IMAGE_BASE_RELOCATION {
-	#     DWORD   VirtualAddress;
-	#     DWORD   SizeOfBlock;
-	# //  WORD    TypeOffset[1];
-	# } IMAGE_BASE_RELOCATION;
-	# typedef IMAGE_BASE_RELOCATION UNALIGNED * PIMAGE_BASE_RELOCATION;
-	#
-	# #define IMAGE_SIZEOF_BASE_RELOCATION         8
-	#
-	IMAGE_SIZEOF_BASE_RELOCATION = 8
-	IMAGE_BASE_RELOCATION = Rex::Struct2::CStructTemplate.new(
-	  [ 'uint32v', 'VirtualAddress',         0 ],
-	  [ 'uint32v', 'SizeOfBlock',            0 ]
-	)
-	IMAGE_BASE_RELOCATION_TYPE_OFFSET = Rex::Struct2::CStructTemplate.new(
-	  [ 'uint16v', 'TypeOffset',             0 ]
-	)
-
-	class RelocationDirectory
-		attr_accessor :entries, :rva
-
-		def initialize(rva, entries)
-			self.rva     = rva
-			self.entries = entries
-			self.name    = name
-			self.characteristics = chars
-			self.timedate = timedate
-			self.version = version
-			self.entries = []
-		end
-	end
-
-	class RelocationEntry
-		attr_accessor :rva, :reltype
-
-		def initialize(_rva, _type)
-			self.rva     = _rva
-			self.reltype = _type
-		end
-	end
-
-
-	class ResourceDirectory
-		attr_accessor :entries, :name
-
-		def initialize(name, entries)
-			self.name   = name
-			self.entries = entries
-		end
-	end
-
-	class ResourceEntry
-		attr_accessor :path, :lang, :code, :rva, :size, :pe, :file
-
-		def initialize(pe, path, lang, code, rva, size, file)
-			self.pe    = pe
-			self.path  = path
-			self.lang  = lang
-			self.code  = code
-			self.rva   = rva
-			self.size  = size
-			self.file  = file.to_s
-		end
-
-		def data
-			pe._isource.read(pe.rva_to_file_offset(rva), size)
-		end
-	end
-
-	#
-	# typedef struct {
-	#     DWORD   Size;
-	#     DWORD   TimeDateStamp;
-	#     WORD    MajorVersion;
-	#     WORD    MinorVersion;
-	#     DWORD   GlobalFlagsClear;
-	#     DWORD   GlobalFlagsSet;
-	#     DWORD   CriticalSectionDefaultTimeout;
-	#     DWORD   DeCommitFreeBlockThreshold;
-	#     DWORD   DeCommitTotalFreeThreshold;
-	#     DWORD   LockPrefixTable;            // VA
-	#     DWORD   MaximumAllocationSize;
-	#     DWORD   VirtualMemoryThreshold;
-	#     DWORD   ProcessHeapFlags;
-	#     DWORD   ProcessAffinityMask;
-	#     WORD    CSDVersion;
-	#     WORD    Reserved1;
-	#     DWORD   EditList;                   // VA
-	#     DWORD   SecurityCookie;             // VA
-	#     DWORD   SEHandlerTable;             // VA
-	#     DWORD   SEHandlerCount;
-	# } IMAGE_LOAD_CONFIG_DIRECTORY32, *PIMAGE_LOAD_CONFIG_DIRECTORY32;
-	#
-	IMAGE_LOAD_CONFIG_DIRECTORY32 = Rex::Struct2::CStructTemplate.new(
-	  [ 'uint32v', 'Size',                          0 ],
-	  [ 'uint32v', 'TimeDateStamp',                 0 ],
-	  [ 'uint16v', 'MajorVersion',                  0 ],
-	  [ 'uint16v', 'MinorVersion',                  0 ],
-	  [ 'uint32v', 'GlobalFlagsClear',              0 ],
-	  [ 'uint32v', 'GlobalFlagsSet',                0 ],
-	  [ 'uint32v', 'CriticalSectionDefaultTimeout', 0 ],
-	  [ 'uint32v', 'DeCommitFreeBlockThreshold',    0 ],
-	  [ 'uint32v', 'DeCommitTotalFreeThreshold',    0 ],
-	  [ 'uint32v', 'LockPrefixTable',               0 ],
-	  [ 'uint32v', 'MaximumAllocationSize',         0 ],
-	  [ 'uint32v', 'VirtualMemoryThreshold',        0 ],
-	  [ 'uint32v', 'ProcessHeapFlags',              0 ],
-	  [ 'uint32v', 'ProcessAffinityMask',           0 ],
-	  [ 'uint16v', 'CSDVersion',                    0 ],
-	  [ 'uint16v', 'Reserved1',                     0 ],
-	  [ 'uint32v', 'EditList',                      0 ],
-	  [ 'uint32v', 'SecurityCookie',                0 ],
-	  [ 'uint32v', 'SEHandlerTable',                0 ],
-	  [ 'uint32v', 'SEHandlerCount',                0 ]
-	)
-
-	#
-	# typedef struct {
-	# 	 ULONG      Size;
-	# 	 ULONG      TimeDateStamp;
-	# 	 USHORT     MajorVersion;
-	# 	 USHORT     MinorVersion;
-	# 	 ULONG      GlobalFlagsClear;
-	# 	 ULONG      GlobalFlagsSet;
-	# 	 ULONG      CriticalSectionDefaultTimeout;
-	# 	 ULONGLONG  DeCommitFreeBlockThreshold;
-	# 	 ULONGLONG  DeCommitTotalFreeThreshold;
-	# 	 ULONGLONG  LockPrefixTable;         // VA
-	# 	 ULONGLONG  MaximumAllocationSize;
-	# 	 ULONGLONG  VirtualMemoryThreshold;
-	# 	 ULONGLONG  ProcessAffinityMask;
-	# 	 ULONG      ProcessHeapFlags;
-	# 	 USHORT     CSDVersion;
-	# 	 USHORT     Reserved1;
-	# 	 ULONGLONG  EditList;                // VA
-	# 	 ULONGLONG  SecurityCookie;          // VA
-	# 	 ULONGLONG  SEHandlerTable;          // VA
-	# 	 ULONGLONG  SEHandlerCount;
-	# } IMAGE_LOAD_CONFIG_DIRECTORY64, *PIMAGE_LOAD_CONFIG_DIRECTORY64;
-	#
-	IMAGE_LOAD_CONFIG_DIRECTORY64 = Rex::Struct2::CStructTemplate.new(
-	  [ 'uint32v', 'Size',                          0 ],
-	  [ 'uint32v', 'TimeDateStamp',                 0 ],
-	  [ 'uint16v', 'MajorVersion',                  0 ],
-	  [ 'uint16v', 'MinorVersion',                  0 ],
-	  [ 'uint32v', 'GlobalFlagsClear',              0 ],
-	  [ 'uint32v', 'GlobalFlagsSet',                0 ],
-	  [ 'uint32v', 'CriticalSectionDefaultTimeout', 0 ],
-	  [ 'uint64v', 'DeCommitFreeBlockThreshold',    0 ],
-	  [ 'uint64v', 'DeCommitTotalFreeThreshold',    0 ],
-	  [ 'uint64v', 'LockPrefixTable',               0 ],
-	  [ 'uint64v', 'MaximumAllocationSize',         0 ],
-	  [ 'uint64v', 'VirtualMemoryThreshold',        0 ],
-	  [ 'uint64v', 'ProcessAffinityMask',           0 ],
-	  [ 'uint32v', 'ProcessHeapFlags',              0 ],
-	  [ 'uint16v', 'CSDVersion',                    0 ],
-	  [ 'uint16v', 'Reserved1',                     0 ],
-	  [ 'uint64v', 'EditList',                      0 ],
-	  [ 'uint64v', 'SecurityCookie',                0 ],
-	  [ 'uint64v', 'SEHandlerTable',                0 ],
-	  [ 'uint64v', 'SEHandlerCount',                0 ]
-	)
-
-
-	class ConfigHeader < GenericHeader
-
-	end
-
-	# doesn't seem to be used -- not compatible with 64-bit
-	#def self._parse_config_header(rawdata)
-	#	header = IMAGE_LOAD_CONFIG_DIRECTORY32.make_struct
-	#	header.from_s(rawdata)
-	#	ConfigHeader.new(header)
-	#end
-
-	def _parse_config_header
-
-		#
-		# Get the data directory entry, size, etc
-		#
-		exports_entry = _optional_header['DataDirectory'][IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]
-		rva           = exports_entry.v['VirtualAddress']
-		size          = exports_entry.v['Size']
-
-		return nil if size == 0
-
-		#
-		# Ok, so we have the data directory, now lets parse it
-		#
-
-		dirdata = _isource.read(rva_to_file_offset(rva), size)
-		klass   = (ptr_64?) ? IMAGE_LOAD_CONFIG_DIRECTORY64 : IMAGE_LOAD_CONFIG_DIRECTORY32
-		header  = klass.make_struct
-
-		header.from_s(dirdata)
-
-		@config = ConfigHeader.new(header)
-	end
-
-
-	def config
-		_parse_config_header if @config.nil?
-		@config
-	end
-
-	#
-	# TLS Directory
-	#
-
-	#
-	# typedef struct {
-	#     DWORD   Size;
-	#     DWORD   TimeDateStamp;
-	#     WORD    MajorVersion;
-	#     WORD    MinorVersion;
-	#     DWORD   GlobalFlagsClear;
-	#     DWORD   GlobalFlagsSet;
-	#     DWORD   CriticalSectionDefaultTimeout;
-	#     DWORD   DeCommitFreeBlockThreshold;
-	#     DWORD   DeCommitTotalFreeThreshold;
-	#     DWORD   LockPrefixTable;            // VA
-	#     DWORD   MaximumAllocationSize;
-	#     DWORD   VirtualMemoryThreshold;
-	#     DWORD   ProcessHeapFlags;
-	#     DWORD   ProcessAffinityMask;
-	#     WORD    CSDVersion;
-	#     WORD    Reserved1;
-	#     DWORD   EditList;                   // VA
-	#     DWORD   SecurityCookie;             // VA
-	#     DWORD   SEHandlerTable;             // VA
-	#     DWORD   SEHandlerCount;
-	# } IMAGE_LOAD_CONFIG_DIRECTORY32, *PIMAGE_LOAD_CONFIG_DIRECTORY32;
-	#
-	IMAGE_LOAD_TLS_DIRECTORY32 = Rex::Struct2::CStructTemplate.new(
-	  [ 'uint32v', 'Size',                          0 ],
-	  [ 'uint32v', 'TimeDateStamp',                 0 ],
-	  [ 'uint16v', 'MajorVersion',                  0 ],
-	  [ 'uint16v', 'MinorVersion',                  0 ],
-	  [ 'uint32v', 'GlobalFlagsClear',              0 ],
-	  [ 'uint32v', 'GlobalFlagsSet',                0 ],
-	  [ 'uint32v', 'CriticalSectionDefaultTimeout', 0 ],
-	  [ 'uint32v', 'DeCommitFreeBlockThreshold',    0 ],
-	  [ 'uint32v', 'DeCommitTotalFreeThreshold',    0 ],
-	  [ 'uint32v', 'LockPrefixTable',               0 ],
-	  [ 'uint32v', 'MaximumAllocationSize',         0 ],
-	  [ 'uint32v', 'VirtualMemoryThreshold',        0 ],
-	  [ 'uint32v', 'ProcessHeapFlags',              0 ],
-	  [ 'uint32v', 'ProcessAffinityMask',           0 ],
-	  [ 'uint16v', 'CSDVersion',                    0 ],
-	  [ 'uint16v', 'Reserved1',                     0 ],
-	  [ 'uint32v', 'EditList',                      0 ],
-	  [ 'uint32v', 'SecurityCookie',                0 ],
-	  [ 'uint32v', 'SEHandlerTable',                0 ],
-	  [ 'uint32v', 'SEHandlerCount',                0 ]
-	)
-
-	#
-	# typedef struct {
-	# 	 ULONG      Size;
-	# 	 ULONG      TimeDateStamp;
-	# 	 USHORT     MajorVersion;
-	# 	 USHORT     MinorVersion;
-	# 	 ULONG      GlobalFlagsClear;
-	# 	 ULONG      GlobalFlagsSet;
-	# 	 ULONG      CriticalSectionDefaultTimeout;
-	# 	 ULONGLONG  DeCommitFreeBlockThreshold;
-	# 	 ULONGLONG  DeCommitTotalFreeThreshold;
-	# 	 ULONGLONG  LockPrefixTable;         // VA
-	# 	 ULONGLONG  MaximumAllocationSize;
-	# 	 ULONGLONG  VirtualMemoryThreshold;
-	# 	 ULONGLONG  ProcessAffinityMask;
-	# 	 ULONG      ProcessHeapFlags;
-	# 	 USHORT     CSDVersion;
-	# 	 USHORT     Reserved1;
-	# 	 ULONGLONG  EditList;                // VA
-	# 	 ULONGLONG  SecurityCookie;          // VA
-	# 	 ULONGLONG  SEHandlerTable;          // VA
-	# 	 ULONGLONG  SEHandlerCount;
-	# } IMAGE_LOAD_CONFIG_DIRECTORY64, *PIMAGE_LOAD_CONFIG_DIRECTORY64;
-	#
-	IMAGE_LOAD_TLS_DIRECTORY64 = Rex::Struct2::CStructTemplate.new(
-	  [ 'uint32v', 'Size',                          0 ],
-	  [ 'uint32v', 'TimeDateStamp',                 0 ],
-	  [ 'uint16v', 'MajorVersion',                  0 ],
-	  [ 'uint16v', 'MinorVersion',                  0 ],
-	  [ 'uint32v', 'GlobalFlagsClear',              0 ],
-	  [ 'uint32v', 'GlobalFlagsSet',                0 ],
-	  [ 'uint32v', 'CriticalSectionDefaultTimeout', 0 ],
-	  [ 'uint64v', 'DeCommitFreeBlockThreshold',    0 ],
-	  [ 'uint64v', 'DeCommitTotalFreeThreshold',    0 ],
-	  [ 'uint64v', 'LockPrefixTable',               0 ],
-	  [ 'uint64v', 'MaximumAllocationSize',         0 ],
-	  [ 'uint64v', 'VirtualMemoryThreshold',        0 ],
-	  [ 'uint64v', 'ProcessAffinityMask',           0 ],
-	  [ 'uint32v', 'ProcessHeapFlags',              0 ],
-	  [ 'uint16v', 'CSDVersion',                    0 ],
-	  [ 'uint16v', 'Reserved1',                     0 ],
-	  [ 'uint64v', 'EditList',                      0 ],
-	  [ 'uint64v', 'SecurityCookie',                0 ],
-	  [ 'uint64v', 'SEHandlerTable',                0 ],
-	  [ 'uint64v', 'SEHandlerCount',                0 ]
-	)
-
-
-	class TLSHeader < GenericHeader
-
-	end
-
-	def _parse_tls_header
-
-		#
-		# Get the data directory entry, size, etc
-		#
-		exports_entry = _optional_header['DataDirectory'][IMAGE_DIRECTORY_ENTRY_TLS]
-		rva           = exports_entry.v['VirtualAddress']
-		size          = exports_entry.v['Size']
-
-		return nil if size == 0
-
-		#
-		# Ok, so we have the data directory, now lets parse it
-		#
-
-		dirdata = _isource.read(rva_to_file_offset(rva), size)
-		klass   = (ptr_64?) ? IMAGE_LOAD_TLS_DIRECTORY64 : IMAGE_LOAD_TLS_DIRECTORY32
-		header  = klass.make_struct
-
-		header.from_s(dirdata)
-
-		@tls = TLSHeader.new(header)
-	end
-
-
-	def tls
-		_parse_config_header if @tls.nil?
-		@tls
-	end
-
-	##
-	#
-	# Exception directory
-	#
-	##
-
-	#
-	# typedef struct _IMAGE_RUNTIME_FUNCTION_ENTRY {
-	#     DWORD BeginAddress;
-	#     DWORD EndAddress;
-	#     DWORD UnwindInfoAddress;
-	# } _IMAGE_RUNTIME_FUNCTION_ENTRY, *_PIMAGE_RUNTIME_FUNCTION_ENTRY;
-	#
-	IMAGE_RUNTIME_FUNCTION_ENTRY_SZ = 12
-	IMAGE_RUNTIME_FUNCTION_ENTRY = Rex::Struct2::CStructTemplate.new(
-	  [ 'uint32v', 'BeginAddress',                  0 ],
-	  [ 'uint32v', 'EndAddress',                    0 ],
-	  [ 'uint32v', 'UnwindInfoAddress',             0 ]
-	)
-
-	UNWIND_INFO_HEADER_SZ = 4
-	UNWIND_INFO_HEADER = Rex::Struct2::CStructTemplate.new(
-	  [ 'uint8', 'VersionFlags',                  0 ],
-	  [ 'uint8', 'SizeOfProlog',                  0 ],
-	  [ 'uint8', 'CountOfCodes',                  0 ],
-	  [ 'uint8', 'FrameRegisterAndOffset',        0 ]
-	)
-
-	UWOP_PUSH_NONVOL     = 0  # 1 node
-	UWOP_ALLOC_LARGE     = 1  # 2 or 3 nodes
-	UWOP_ALLOC_SMALL     = 2  # 1 node
-	UWOP_SET_FPREG       = 3  # 1 node
-	UWOP_SAVE_NONVOL     = 4  # 2 nodes
-	UWOP_SAVE_NONVOL_FAR = 5  # 3 nodes
-	UWOP_SAVE_XMM128     = 8  # 2 nodes
-	UWOP_SAVE_XMM128_FAR = 9  # 3 nodes
-	UWOP_PUSH_MACHFRAME  = 10 # 1 node
-
-	UNW_FLAG_EHANDLER  = 1
-	UNW_FLAG_UHANDLER  = 2
-	UNW_FLAG_CHAININFO = 4
-
-	class UnwindCode
-		def initialize(data)
-
-			self.code_offset  = data[0].to_i
-			self.unwind_op    = data[1].to_i & 0xf
-			self.op_info      = data[1].to_i >> 4
-			self.frame_offset = data[2..3].unpack("v")[0]
-
-			data.slice!(0, 4)
-		end
-
-		attr_reader :code_offset, :unwind_op, :op_info, :frame_offset
-		attr_writer :code_offset, :unwind_op, :op_info, :frame_offset
-
-	end
-
-	class UnwindInfo
-		def initialize(pe, unwind_rva)
-			data = pe.read_rva(unwind_rva, UNWIND_INFO_HEADER_SZ)
-		
-			unwind  = UNWIND_INFO_HEADER.make_struct
-			unwind.from_s(data)
-
-			@version               = unwind.v['VersionFlags'] & 0x7
-			@flags                 = unwind.v['VersionFlags'] >> 3
-			@size_of_prolog        = unwind.v['SizeOfProlog']
-			@count_of_codes        = unwind.v['CountOfCodes']
-			@frame_register        = unwind.v['FrameRegisterAndOffset'] & 0xf
-			@frame_register_offset = unwind.v['FrameRegisterAndOffset'] >> 4
-
-			# Parse unwind codes
-			clist = pe.read_rva(unwind_rva + UNWIND_INFO_HEADER_SZ, count_of_codes * 4)
-
-			@unwind_codes = []
-
-			while clist.length > 0
-				@unwind_codes << UnwindCode.new(clist)
-			end
-		end
-
-		attr_reader :version, :flags, :size_of_prolog, :count_of_codes
-		attr_reader :frame_register, :frame_register_offset
-
-		def unwind_codes
-			@unwind_codes
-		end
-
-	end
-
-	class RuntimeFunctionEntry
-
-		def initialize(pe, data)
-			@pe = pe
-			@begin_address, @end_address, @unwind_info_address = data.unpack("VVV");
-			self.unwind_info = UnwindInfo.new(pe, unwind_info_address)
-		end
-
-		attr_reader :begin_address, :end_address, :unwind_info_address
-		attr_reader :unwind_info
-		attr_writer :unwind_info
-
-	end
-
-	def _load_exception_directory
-		@exception   = []
-		
-		exception_entry = _optional_header['DataDirectory'][IMAGE_DIRECTORY_ENTRY_EXCEPTION]
-		rva             = exception_entry.v['VirtualAddress']
-		size            = exception_entry.v['Size']
-		
-		return if (rva == 0)
-		
-		data = _isource.read(rva_to_file_offset(rva), size)
-		
-		case hdr.file.Machine
-			when IMAGE_FILE_MACHINE_AMD64
-				count = data.length / IMAGE_RUNTIME_FUNCTION_ENTRY_SZ
-				
-				count.times { |current|
-					@exception << RuntimeFunctionEntry.new(self,
-						data.slice!(0, IMAGE_RUNTIME_FUNCTION_ENTRY_SZ))
-				}
-			else
-		end
-		
-		return @exception
-	end
-
-
-	def exception
-		_load_exception_directory if @exception.nil?
-		@exception
-	end
-
-	#
-	# Just a stupid routine to round an offset up to it's alignment.
-	#
-	# For example, you're going to want this for FileAlignment and
-	# SectionAlignment, etc...
-	#
-	def self._align_offset(offset, alignment)
-		offset += alignment - 1
-		offset -= offset % alignment
-		return offset
-	end
-
-	#
-	# instance stuff
-	#
-
-	attr_accessor :_isource
-	attr_accessor :_dos_header, :_file_header, :_optional_header,
-	              :_section_headers, :_config_header, :_tls_header, :_exception_header
-
-	attr_accessor :sections, :header_section, :image_base
-
-	attr_accessor :_imports_cache, :_imports_cached
-	attr_accessor :_exports_cache, :_exports_cached
-	attr_accessor :_relocations_cache, :_relocations_cached
-	attr_accessor :_resources_cache, :_resources_cached
-
-	attr_accessor :hdr
-
-	def self.new_from_file(filename, disk_backed = false)
-
-		file = ::File.new(filename)
-		file.binmode # windows... :\
-
-		if disk_backed
-			return self.new(ImageSource::Disk.new(file))
-		else
-			obj = new_from_string(file.read)
-			file.close
-			return obj
-		end
-	end
-
-	def self.new_from_string(data)
-		return self.new(ImageSource::Memory.new(data))
-	end
-
-	def close
-		_isource.close
-	end
-
-	#
-	#
-	# Random rva, vma, file offset, section offset, etc
-	# conversion routines...
-	#
-	#
-	def rva_to_vma(rva)
-		return rva + image_base
-	end
-
-	def vma_to_rva(vma)
-		return vma - image_base
-	end
-
-	def rva_to_file_offset(rva)
-		all_sections.each do |section|
-			if section.contains_rva?(rva)
-				return section.rva_to_file_offset(rva)
-			end
-		end
-		raise WtfError, "wtf!", caller
-	end
-
-	def vma_to_file_offset(vma)
-		return rva_to_file_offset(vma_to_rva(vma))
-	end
-
-	def file_offset_to_rva(foffset)
-		if foffset < 0
-			raise WtfError, "lame", caller
-		end
-
-		all_sections.each do |section|
-			if section.contains_file_offset?(foffset)
-				return section.file_offset_to_rva(foffset)
-			end
-		end
-
-		raise WtfError, "wtf! #{foffset}", caller
-	end
-
-	def file_offset_to_vma(foffset)
-		return rva_to_vma(file_offset_to_rva(foffset))
-	end
-
-	#
-	#
-	# Some routines to find which section something belongs
-	# to.  These will search all_sections (so including
-	# our fake header section, etc...
-	#
-	#
-
-	#
-	# Find a section by an RVA
-	#
-	def _find_section_by_rva(rva)
-		all_sections.each do |section|
-			if section.contains_rva?(rva)
-				return section
-			end
-		end
-
-		return nil
-	end
-	def find_section_by_rva(rva)
-		section = _find_section_by_rva(rva)
-
-		if !section
-			raise WtfError, "Cannot find rva! #{rva}", caller
-		end
-
-		return section
-	end
-
-	#
-	# Find a section by a VMA
-	#
-	def find_section_by_vma(vma)
-		return find_section_by_rva(vma_to_rva(vma))
-	end
-
-	def valid_rva?(rva)
-		_find_section_by_rva(rva) != nil
-	end
-	def valid_vma?(vma)
-		_find_section_by_rva(vma_to_rva(vma)) != nil
-	end
-
-	#
-	#
-	# Some convenient methods to read a vma/rva without having
-	# the section... (inefficent though I suppose...)
-	#
-	#
-
-	def read_rva(rva, length)
-		return find_section_by_rva(rva).read_rva(rva, length)
-	end
-
-	def read_vma(vma, length)
-		return read_rva(vma_to_rva(vma), length)
-	end
-
-	def read_asciiz_rva(rva)
-		return find_section_by_rva(rva).read_asciiz_rva(rva)
-	end
-
-	def read_asciiz_vma(vma)
-		return read_asciiz_rva(vma_to_rva(vma))
-	end
-
-	#
-	#
-	# Imports, exports, and other stuff!
-	#
-	#
-
-	#
-	# We lazily parse the imports, and then cache it
-	#
-	def imports
-		if !_imports_cached
-			self._imports_cache  = _load_imports
-			self._imports_cached = true
-		end
-		return _imports_cache
-	end
-
-	def _load_imports
-		#
-		# Get the data directory entry, size, etc
-		#
-		imports_entry = _optional_header['DataDirectory'][1]
-		rva           = imports_entry.v['VirtualAddress']
-		size          = imports_entry.v['Size']
-
-		return nil if size == 0
-
-		#
-		# Ok, so we have the data directory, now lets parse it
-		#
-
-		imports = [ ]
-
-		descriptors_data = _isource.read(rva_to_file_offset(rva), size)
-
-		while descriptors_data.length >= IMAGE_IMPORT_DESCRIPTOR_SIZE
-			descriptor = IMAGE_IMPORT_DESCRIPTOR.make_struct
-			descriptor.from_s(descriptors_data)
-			descriptors_data = descriptor.leftover
-
-			othunk = descriptor.v['OriginalFirstThunk']
-			fthunk = descriptor.v['FirstThunk']
-
-			break if fthunk == 0
-
-			dllname = _isource.read_asciiz(rva_to_file_offset(descriptor.v['Name']))
-
-			import = ImportDescriptor.new(dllname, [ ])
-
-			# we prefer the Characteristics/OriginalFirstThunk...
-			thunk_off = rva_to_file_offset(othunk == 0 ? fthunk : othunk)
-
-			while (orgrva = _isource.read(thunk_off, 4).unpack('V')[0]) != 0
-				hint = nil
-				name = nil
-
-				if (orgrva & IMAGE_ORDINAL_FLAG32) != 0
-					hint = orgrva & 0xffff
-				else
-					foff = rva_to_file_offset(orgrva)
-					hint = _isource.read(foff, 2).unpack('v')[0]
-					name = _isource.read_asciiz(foff + 2)
-				end
-
-				import.entries << ImportEntry.new(name, hint)
-
-				thunk_off += 4
-			end
-
-			imports << import
-		end
-
-		return imports
-	end
-
-
-
-	#
-	# We lazily parse the exports, and then cache it
-	#
-	def exports
-		if !_exports_cached
-			self._exports_cache  = _load_exports
-			self._exports_cached = true
-		end
-		return _exports_cache
-	end
-
-	def _load_exports
-
-		#
-		# Get the data directory entry, size, etc
-		#
-		exports_entry = _optional_header['DataDirectory'][0]
-		rva           = exports_entry.v['VirtualAddress']
-		size          = exports_entry.v['Size']
-
-		return nil if size == 0
-
-		#
-		# Ok, so we have the data directory, now lets parse it
-		#
-
-		directory = IMAGE_EXPORT_DESCRIPTOR.make_struct
-		directory.from_s(_isource.read(rva_to_file_offset(rva), IMAGE_EXPORT_DESCRIPTOR_SIZE))
-
-		#
-		# We can have nameless exports, so we need to do the whole
-		# NumberOfFunctions NumberOfNames foo
-		#
-		num_functions = directory.v['NumberOfFunctions']
-		num_names     = directory.v['NumberOfNames']
-
-		dllname_rva   = directory.v['Name']
-		dllname       = _isource.read_asciiz(rva_to_file_offset(dllname_rva))
-
-		# FIXME Base, etc
-		fun_off       = rva_to_file_offset(directory.v['AddressOfFunctions'])
-		name_off      = rva_to_file_offset(directory.v['AddressOfNames'])
-		ord_off       = rva_to_file_offset(directory.v['AddressOfNameOrdinals'])
-		base          = directory.v['Base']
-
-		# Allocate the list of names
-		names = Array.new(num_functions)
-
-		#
-		# Iterate the names and name/ordinal list, getting the names
-		# and storing them in the name list...
-		#
-		num_names.times do |i|
-			name_rva = _isource.read(name_off + (i * 4), 4).unpack('V')[0]
-			ordinal  = _isource.read(ord_off + (i * 2), 2).unpack('v')[0]
-			name     = _isource.read_asciiz(rva_to_file_offset(name_rva))
-
-			# store the exported name in the name list
-			names[ordinal] = name
-		end
-
-		exports = ExportDirectory.new(dllname, [ ], base)
-
-		#
-		# Now just iterate the functions (rvas) list..
-		#
-		num_functions.times do |i|
-			rva      = _isource.read(fun_off + (i * 4), 4).unpack('V')[0]
-
-			# ExportEntry.new(name, ordinal, rva)
-			exports.entries << ExportEntry.new(names[i], i + base, rva)
-		end
-
-		return exports
-	end
-
-	#
-	# Base relocations in the hizzy
-	#
-	def relocations
-		if !_relocations_cached
-			self._relocations_cache  = _load_relocations
-			self._relocations_cached = true
-		end
-		return _relocations_cache
-	end
-
-	def _load_relocations
-
-		#
-		# Get the data directory entry, size, etc
-		#
-		exports_entry = _optional_header['DataDirectory'][5]
-		rva           = exports_entry.v['VirtualAddress']
-		size          = exports_entry.v['Size']
-
-		return nil if size == 0
-
-		#
-		# Ok, so we have the data directory, now lets parse it
-		#
-
-		dirdata = _isource.read(rva_to_file_offset(rva), size)
-
-		relocdirs = [ ]
-
-		while dirdata.length >= IMAGE_SIZEOF_BASE_RELOCATION
-			header = IMAGE_BASE_RELOCATION.make_struct
-			header.from_s(dirdata)
-			dirdata = header.leftover
-
-			numrelocs = (header.v['SizeOfBlock'] - IMAGE_SIZEOF_BASE_RELOCATION) / 2
-
-			relocbase = header.v['VirtualAddress']
-
-			relocdir = RelocationDirectory.new(relocbase, [ ])
-
-			numrelocs.times do
-				reloc = IMAGE_BASE_RELOCATION_TYPE_OFFSET.make_struct
-				reloc.from_s(dirdata)
-				dirdata = reloc.leftover
-
-				typeoffset = reloc.v['TypeOffset']
-
-				relocrva  = relocbase + (typeoffset & 0xfff)
-				reloctype = (typeoffset >> 12) & 0xf
-
-				relocdir.entries << RelocationEntry.new(relocrva, reloctype)
-			end
-
-			relocdirs << relocdir
-		end
-
-		return relocdirs
-	end
-
-
-	#
-	# We lazily parse the resources, and then cache them
-	#
-	def resources
-		if !_resources_cached
-			_load_resources
-			self._resources_cached = true
-		end
-
-		return self._resources_cache
-	end
-
-	def _load_resources
-		#
-		# Get the data directory entry, size, etc
-		#
-		rsrc_entry = _optional_header['DataDirectory'][IMAGE_DIRECTORY_ENTRY_RESOURCE]
-		rva        = rsrc_entry.v['VirtualAddress']
-		size       = rsrc_entry.v['Size']
-
-		return nil if size == 0
-
-		#
-		# Ok, so we have the data directory, now lets parse it
-		#
-		data = _isource.read(rva_to_file_offset(rva), size)
-
-		self._resources_cache = {}
-		_parse_resource_directory(data)
-	end
-
-	def _parse_resource_directory(data, rname=0, rvalue=0x80000000, path='0', pname=nil)
-
-		pname = _parse_resource_name(data, rname)
-		if (path.scan('/').length == 1)
-			if (pname !~ /^\d+/)
-				path = "/" + pname
-			else
-				path = "/" + _resource_lookup( (rname & ~0x80000000).to_s)
-			end
-		end
-
-
-		rvalue &= ~0x80000000
-		vals  = data[rvalue, 16].unpack('VVvvvv')
-
-		chars = vals[0]
-		tdate = vals[1]
-		vers  = "#{vals[2]}#{vals[3]}"
-		count = vals[4] + vals[5]
-
-		0.upto(count-1) do |i|
-
-			ename, evalue = data[rvalue + 16 + ( i * 8), 8].unpack('VV')
-			epath = path + '/' + i.to_s
-
-			if (ename & 0x80000000 != 0)
-				pname = _parse_resource_name(data, ename)
-			end
-
-			if (evalue & 0x80000000 != 0)
-				# This is a subdirectory
-				_parse_resource_directory(data, ename, evalue, epath, pname)
-			else
-				# This is an entry
-				_parse_resource_entry(data, ename, evalue, epath, pname)
-			end
-		end
-
-	end
-
-	def _resource_lookup(i)
-		tbl = {
-			'1'      => 'RT_CURSOR',
-			'2'      => 'RT_BITMAP',
-			'3'      => 'RT_ICON',
-			'4'      => 'RT_MENU',
-			'5'      => 'RT_DIALOG',
-			'6'      => 'RT_STRING',
-			'7'      => 'RT_FONTDIR',
-			'8'      => 'RT_FONT',
-			'9'      => 'RT_ACCELERATORS',
-			'10'     => 'RT_RCDATA',
-			'11'     => 'RT_MESSAGETABLE',
-			'12'     => 'RT_GROUP_CURSOR',
-			'14'     => 'RT_GROUP_ICON',
-			'16'     => 'RT_VERSION',
-			'17'     => 'RT_DLGINCLUDE',
-			'19'     => 'RT_PLUGPLAY',
-			'20'     => 'RT_VXD',
-			'21'     => 'RT_ANICURSOR',
-			'22'     => 'RT_ANIICON',
-			'23'     => 'RT_HTML',
-			'24'     => 'RT_MANIFEST',
-			'32767'  => 'RT_ERROR',
-			'8192'   => 'RT_NEWRESOURCE',
-			'8194'   => 'RT_NEWBITMAP',
-			'8196'   => 'RT_NEWMENU',
-			'8197'   => 'RT_NEWDIALOG'
-		}
-		tbl[i] || i
-	end
-
-	def _parse_resource_entry(data, rname, rvalue, path, pname)
-
-		rva, size, code = data[rvalue, 12].unpack('VVV')
-		lang = _parse_resource_name(data, rname)
-
-		ent = ResourceEntry.new(
-			self,
-			path,
-			lang,
-			code,
-			rva,
-			size,
-			pname
-		)
-		self._resources_cache[path] = ent
-	end
-
-	def _parse_resource_name(data, rname)
-		if (rname & 0x80000000 != 0)
-			rname &= ~0x80000000
-			unistr = data[rname+2, 2 * data[rname,2].unpack('v')[0] ]
-			unistr, trash = unistr.split(/\x00\x00/, 2)
-			return unistr ? unistr.gsub(/\x00/, '') : nil
-		end
-
-		rname.to_s
-	end
-	
-	def update_checksum
-		off = _dos_header.e_lfanew + IMAGE_FILE_HEADER_SIZE + 0x40
-		_isource.rawdata[off, 4] = [0].pack('V')
-
-		rem = _isource.size % 4
-		sum_me = ''
-		sum_me << _isource.rawdata
-		sum_me << "\x00" * (4 - rem) if rem > 0
-
-		cksum = 0
-		sum_me.unpack('V*').each { |el|
-			cksum = (cksum & 0xffffffff) + (cksum >> 32) + el
-			if cksum > 2**32
-				cksum = (cksum & 0xffffffff) + (cksum >> 32)
-			end
-		}
-
-		cksum = (cksum & 0xffff) + (cksum >> 16)
-		cksum += (cksum >> 16)
-		cksum &= 0xffff
-
-		cksum += _isource.size
-
-		_isource.rawdata[off, 4] = [cksum].pack('V')
-	end
-
-end end end