pedump 0.5.3

data/lib/pedump/packer.rb

@@ -0,0 +1,173 @@
+require 'pedump/sig_parser'
+
+class PEdump
+  class Packer < Struct.new(:name, :re, :ep_only, :size)
+
+    DATA_ROOT      = File.dirname(File.dirname(File.dirname(__FILE__)))
+    BIN_SIGS_FILE  = File.join(DATA_ROOT, "data", "sig.bin")
+
+    class Match < Struct.new(:offset, :packer)
+      def name
+        packer.name
+      end
+    end
+
+    class Guess < Match
+      def initialize name
+        self.offset = 0
+        self.packer = Packer.new(name, nil, nil, 0)
+      end
+    end
+
+    class << self
+      def all
+        @@all ||=
+          begin
+            r = unmarshal
+            unless r
+              msg = "[?] #{self}: unmarshal failed, using slow text parsing instead"
+              if PEdump.respond_to?(:logger) && PEdump.logger
+                PEdump.logger.warn msg
+              else
+                STDERR.puts msg
+              end
+              r = SigParser.parse
+            end
+            r
+          end
+      end
+      alias :load :all
+
+      # default deep-scan flag
+      @@deep = false
+
+      def default_deep
+        @@deep
+      end
+
+      def default_deep= value
+        @@deep = value
+      end
+
+      def max_size
+        @@max_size ||= all.map(&:size).max
+      end
+
+      def of data, h = {}
+        if data.respond_to?(:read) && data.respond_to?(:seek) && h[:pedump]
+          of_pedump data, h
+        elsif data.respond_to?(:read) && data.respond_to?(:seek) && h[:ep_offset]
+          of_pe_file data, h
+        else
+          of_data data
+        end
+      end
+
+      # try to determine packer of FILE f, h[:pedump] is a PEdump instance
+      def of_pedump f, h
+        pedump = h[:pedump]
+        pe = pedump.pe
+        if !(va=pe.ioh.AddressOfEntryPoint)
+          pedump.logger.error "[?] can't find EntryPoint RVA"
+          nil
+        elsif va == 0 && pe.dll?
+          pedump.logger.debug "[.] it's a DLL with no EntryPoint"
+          nil
+        elsif !(ofs = pedump.va2file(va))
+          pedump.logger.error "[?] can't find EntryPoint RVA (0x#{va.to_s(16)}) file offset"
+          nil
+        else
+          r = of_pe_file(f, h.merge({:ep_offset => ofs}))
+          return r if r && r.any?
+
+          # nothing found, try to guess by pe section names
+          if pedump.sections
+            if pedump.sections.any?{ |s| s.Name.to_s =~ /upx/i }
+              return [Guess.new('UPX?')]
+            end
+            if pedump.sections.any?{ |s| s.Name.to_s =~ /aspack/i }
+              return [Guess.new('ASPack?')]
+            end
+          end
+          nil
+        end
+      end
+
+      # try to determine packer of FILE f, ep_offset - offset to entrypoint from start of file
+      def of_pe_file f, h
+        h[:deep] = @@deep unless h.key?(:deep)
+        h[:deep] = 1 if h[:deep] == true
+        h[:deep] = 0 if h[:deep] == false
+
+        begin
+          f.seek(h[:ep_offset])             # offset of PE EntryPoint from start of file
+        rescue
+          if h[:pedump] && h[:pedump].logger
+            h[:pedump].logger.warn "[?] failed to seek to EP at #{h[:ep_offset]}, skipping packer detect"
+          end
+          return
+        end
+
+        r = Array(of_data(f.read(max_size)))
+        return r if r && r.any? && h[:deep] < 2
+        r += scan_whole_file(f,
+                             :limit => (h[:deep] > 0 ? nil : 1048576),
+                             :deep  => h[:deep]
+                            ) # scan only 1st mb unless :deep
+      end
+
+      BLOCK_SIZE = 0x10000
+
+      def scan_whole_file f, h = {}
+        h[:limit] ||= f.size
+        f.seek( pos = 0 )
+        buf = ''.force_encoding('binary')
+        sigs =
+          if h[:deep].is_a?(Numeric) && h[:deep] > 1
+            self.all
+          else
+            self.find_all{ |sig| !sig.ep_only }
+          end
+        r = []
+        while true
+          f.read BLOCK_SIZE, buf
+          pos += buf.size
+          sigs.each do |sig|
+            if idx = buf.index(sig.re)
+              r << Match.new(f.tell-buf.size+idx, sig)
+            end
+          end
+          break if f.eof? || pos >= h[:limit]
+          # overlap the read for the case when read buffer boundary breaks signature
+          f.seek -max_size-2, IO::SEEK_CUR
+          pos -= (max_size+2)
+        end
+        r
+      end
+
+      def of_data data
+        r = []
+        return r unless data
+        each do |packer|
+          if (idx=data.index(packer.re)) == 0
+            r << Match.new(idx, packer)
+          end
+        end
+        r.any? ? r.sort_by{ |x| -x.packer.size } : nil
+      end
+
+      def method_missing *args, &block
+        all.respond_to?(args.first) ? all.send(*args,&block) : super
+      end
+
+      def unmarshal
+        File.open(BIN_SIGS_FILE,"rb") do |f|
+          Marshal.load(f)
+        end
+      rescue
+        nil
+      end
+
+    end
+  end
+end

data/lib/pedump/pe.rb

@@ -0,0 +1,121 @@
+require 'pedump/composite_io'
+
+class PEdump
+  class PE < Struct.new(
+    :signature,             # "PE\x00\x00"
+    :image_file_header,
+    :image_optional_header, # includes data directory
+    :section_table
+  )
+    alias :ifh       :image_file_header
+    alias :ifh=      :image_file_header=
+    alias :ioh       :image_optional_header
+    alias :ioh=      :image_optional_header=
+    alias :sections  :section_table
+    alias :sections= :section_table=
+    def x64?
+      ifh && ifh.Machine == 0x8664
+    end
+    def dll?
+      ifh && ifh.flags.include?('DLL')
+    end
+
+    def pack
+      signature + ifh.pack + ioh.pack
+    end
+
+    def self.read f, args = {}
+      force = args[:force]
+
+      pe_offset = f.tell
+      pe_sig = f.read 4
+      #logger.error "[!] 'NE' format is not supported!" if pe_sig == "NE\x00\x00"
+      if pe_sig != "PE\x00\x00"
+        if force
+          logger.warn  "[?] no PE signature (want: 'PE\\x00\\x00', got: #{pe_sig.inspect})"
+        else
+          logger.debug "[?] no PE signature (want: 'PE\\x00\\x00', got: #{pe_sig.inspect}). (not forced)"
+          return nil
+        end
+      end
+      PE.new(pe_sig).tap do |pe|
+        pe.image_file_header = IMAGE_FILE_HEADER.read(f)
+        ioh_offset = f.tell # offset to IMAGE_OPTIONAL_HEADER
+        if pe.ifh.SizeOfOptionalHeader.to_i > 0
+          if pe.x64?
+            pe.image_optional_header = IMAGE_OPTIONAL_HEADER64.read(f, pe.ifh.SizeOfOptionalHeader)
+          else
+            pe.image_optional_header = IMAGE_OPTIONAL_HEADER32.read(f, pe.ifh.SizeOfOptionalHeader)
+          end
+        end
+
+        if (nToRead=pe.ifh.NumberOfSections.to_i) > 0xffff
+          if force.is_a?(Numeric) && force > 1
+            logger.warn "[!] too many sections (#{pe.ifh.NumberOfSections}). forced. reading all"
+          else
+            logger.warn "[!] too many sections (#{pe.ifh.NumberOfSections}). not forced, reading first 65535"
+            nToRead = 65535
+          end
+        end
+
+        # The Windows loader expects to find the PE section headers after the optional header. It calculates the address of the first section header by adding SizeOfOptionalHeader to the beginning of the optional header.
+        # // http://www.phreedom.org/research/tinype/
+        f.seek( ioh_offset + pe.ifh.SizeOfOptionalHeader.to_i )
+        pe.sections = []
+        nToRead.times do
+          break if f.eof?
+          pe.sections << IMAGE_SECTION_HEADER.read(f)
+        end
+
+        if pe.sections.any?
+          # zero all missing values of last section
+          pe.sections.last.tap do |last_section|
+            last_section.each_pair do |k,v|
+              last_section[k] = 0 if v.nil?
+            end
+          end
+        end
+
+        pe_end = f.tell
+        if s=pe.sections.find{ |s| (pe_offset...pe_end).include?(s.va) }
+          if args[:pass2]
+            # already called with CompositeIO ?
+            logger.error "[!] section with va=0x#{s.va.to_s(16)} overwrites PE header! 2nd time?!"
+
+          elsif pe_end-pe_offset < 0x100_000
+            logger.warn "[!] section with va=0x#{s.va.to_s(16)} overwrites PE header! trying to rebuild..."
+            f.seek pe_offset
+            data = f.read(s.va-pe_offset)
+            f.seek s.PointerToRawData
+            io = CompositeIO.new(StringIO.new(data), f)
+            args1 = args.dup
+            args1[:pass2] = true
+            return PE.read(io, args1)
+          else
+            logger.error "[!] section with va=0x#{s.va.to_s(16)} overwrites PE header! too big to rebuild!"
+          end
+        end
+      end
+    end
+
+    def self.logger; PEdump.logger; end
+  end
+
+  def pe f=@io
+    @pe ||=
+      begin
+        pe_offset = mz(f) && mz(f).lfanew
+        if pe_offset.nil?
+          logger.fatal "[!] NULL PE offset (e_lfanew). cannot continue."
+          nil
+        elsif pe_offset > f.size
+          logger.fatal "[!] PE offset beyond EOF. cannot continue."
+          nil
+        else
+          f.seek pe_offset
+          PE.read f, :force => @force
+        end
+      end
+  end
+
+end

data/lib/pedump/resources.rb

@@ -0,0 +1,436 @@
+class PEdump
+
+  def resource_directory f=@io
+    @resource_directory ||=
+      if pe(f)
+        _read_resource_directory_tree(f)
+      elsif ne(f)
+        ne(f).resource_directory(f)
+      end
+  end
+
+  def _read_resource_directory_tree f
+    return nil unless pe(f) && pe(f).ioh && f
+    res_dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::RESOURCE]
+    return [] if !res_dir || (res_dir.va == 0 && res_dir.size == 0)
+    res_va = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::RESOURCE].va
+    res_section = @pe.section_table.find{ |t| t.VirtualAddress == res_va }
+    unless res_section
+      logger.warn "[?] can't find resource section for va=0x#{res_va.to_s(16)}"
+      return []
+    end
+    f.seek res_section.PointerToRawData
+    IMAGE_RESOURCE_DIRECTORY.base = res_section.PointerToRawData
+    #@resource_data_base = res_section.PointerToRawData - res_section.VirtualAddress
+    IMAGE_RESOURCE_DIRECTORY.read(f)
+  end
+
+  class Resource < Struct.new(:type, :name, :id, :lang, :file_offset, :size, :cp, :reserved, :data, :valid)
+    def bitmap_hdr
+      bmp_info_hdr = data.find{ |x| x.is_a?(BITMAPINFOHEADER) }
+      raise "no BITMAPINFOHEADER for #{self.type} #{self.name}" unless bmp_info_hdr
+
+      bmp_info_hdr.biHeight/=2 if %w'ICON CURSOR'.include?(type)
+
+      colors_used = bmp_info_hdr.biClrUsed
+      colors_used = 2**bmp_info_hdr.biBitCount if colors_used == 0 && bmp_info_hdr.biBitCount < 16
+
+      # XXX: one byte in each color is unused!
+      @palette_size = colors_used * 4 # each color takes 4 bytes
+
+      # scanlines are DWORD-aligned and padded to DWORD-align with zeroes
+      # XXX: some data may be hidden in padding bytes!
+      scanline_size = bmp_info_hdr.biWidth * bmp_info_hdr.biBitCount / 8
+      scanline_size += (4-scanline_size%4) if scanline_size % 4 > 0
+
+      @imgdata_size = scanline_size * bmp_info_hdr.biHeight
+      "BM" + [
+        BITMAPINFOHEADER::SIZE + 14 + @palette_size + @imgdata_size,
+        0,
+        BITMAPINFOHEADER::SIZE + 14 + @palette_size
+      ].pack("V3") + bmp_info_hdr.pack
+    ensure
+      bmp_info_hdr.biHeight*=2 if %w'ICON CURSOR'.include?(type)
+    end
+
+    # only valid for types BITMAP, ICON & CURSOR
+    def restore_bitmap src_fname
+      File.open(src_fname, "rb") do |f|
+        parse f
+        if data.first == "PNG"
+          "\x89PNG" +f.read(self.size-4)
+        else
+          bitmap_hdr + f.read(@palette_size + @imgdata_size)
+        end
+      end
+    end
+
+    # only valid for types BITMAP, ICON & CURSOR
+    def restore_icon src_fname
+      File.open(src_fname, "rb") do |f|
+        parse f
+        if data.first == "PNG"
+          "\x89PNG" +f.read(self.size-4)
+        else
+          icondir = [
+            0,        # Reserved. Must always be 0.
+            1,        # image type: 1 for icon (.ICO), 2 for cursor (.CUR). Other values are invalid
+            1,        # number of images in the file
+          ].pack("v3")
+          bitmap_hdr = data.first # BITMAPINFOHEADER
+          icondirentry = ICODIRENTRY.new(
+            bitmap_hdr.biWidth,
+            bitmap_hdr.biHeight / (%w'ICON CURSOR'.include?(type) ? 2 : 1),
+            0,   # XXX: bColors: may be wrong here
+            0,
+            1,
+            bitmap_hdr.biBitCount,
+            bitmap_hdr.biSizeImage,
+            icondir.size + 2 + ICODIRENTRY::SIZE # offset of BMP data from the beginning of ICO file
+          )
+          # ICONDIRENTRY is 2 bytes larger than ICODIRENTRY
+          icondir + icondirentry.pack + "\x00\x00" + bitmap_hdr.pack + f.read(self.size)
+        end
+      end
+    end
+
+    # only valid for types BITMAP, ICON & CURSOR
+    def bitmap_mask src_fname
+      File.open(src_fname, "rb") do |f|
+        parse f
+        bmp_info_hdr = bitmap_hdr
+        bitmap_size = BITMAPINFOHEADER::SIZE + @palette_size + @imgdata_size
+        return nil if bitmap_size >= self.size
+
+        mask_size = self.size - bitmap_size
+        f.seek file_offset + bitmap_size
+
+        bmp_info_hdr = BITMAPINFOHEADER.new(*bmp_info_hdr[14..-1].unpack(BITMAPINFOHEADER::FORMAT))
+        bmp_info_hdr.biBitCount = 1
+        bmp_info_hdr.biCompression = bmp_info_hdr.biSizeImage = 0
+        bmp_info_hdr.biClrUsed = bmp_info_hdr.biClrImportant = 2
+
+        palette = [0,0xffffff].pack('V2')
+        @palette_size = palette.size
+
+        "BM" + [
+          BITMAPINFOHEADER::SIZE + 14 + @palette_size + mask_size,
+          0,
+          BITMAPINFOHEADER::SIZE + 14 + @palette_size
+        ].pack("V3") + bmp_info_hdr.pack + palette + f.read(mask_size)
+      end
+    end
+
+    # also sets the file position for restore_bitmap next call
+    def parse f
+      raise "called parse with type not set" unless self.type
+      #return if self.data
+
+      self.data = []
+      return nil unless file_offset
+
+      case type
+      when 'BITMAP','ICON'
+        f.seek file_offset
+        if f.read(4) == "\x89PNG"
+          data << 'PNG'
+        else
+          f.seek file_offset
+          data << BITMAPINFOHEADER.read(f)
+        end
+      when 'CURSOR'
+        f.seek file_offset
+        data << CURSOR_HOTSPOT.read(f)
+        data << BITMAPINFOHEADER.read(f)
+      when 'GROUP_CURSOR'
+        f.seek file_offset
+        data << CUR_ICO_HEADER.read(f)
+        nRead = CUR_ICO_HEADER::SIZE
+        data.last.wNumImages.to_i.times do
+          if nRead >= self.size
+            PEdump.logger.error "[!] refusing to read CURDIRENTRY beyond resource size"
+            break
+          end
+          data  << CURDIRENTRY.read(f)
+          nRead += CURDIRENTRY::SIZE
+        end
+      when 'GROUP_ICON'
+        f.seek file_offset
+        data << CUR_ICO_HEADER.read(f)
+        nRead = CUR_ICO_HEADER::SIZE
+        data.last.wNumImages.to_i.times do
+          if nRead >= self.size
+            PEdump.logger.error "[!] refusing to read ICODIRENTRY beyond resource size"
+            break
+          end
+          data  << ICODIRENTRY.read(f)
+          nRead += ICODIRENTRY::SIZE
+        end
+      when 'STRING'
+        f.seek file_offset
+        16.times do
+          break if f.tell >= file_offset+self.size
+          nChars = f.read(2).to_s.unpack('v').first.to_i
+          t =
+            if nChars*2 + 1 > self.size
+              # TODO: if it's not 1st string in table then truncated size must be less
+              PEdump.logger.error "[!] string size(#{nChars*2}) > stringtable size(#{self.size}). truncated to #{self.size-2}"
+              f.read(self.size-2)
+            else
+              f.read(nChars*2)
+            end
+          data <<
+            begin
+              t.force_encoding('UTF-16LE').encode!('UTF-8')
+            rescue
+              t.force_encoding('ASCII')
+              tt = t.size > 0x10 ? t[0,0x10].inspect+'...' : t.inspect
+              PEdump.logger.error "[!] cannot convert #{tt} to UTF-16"
+              [nChars,t].pack('va*')
+            end
+        end
+        # XXX: check if readed strings summary length is less than resource data length
+      when 'VERSION'
+        f.seek file_offset
+        data << PEdump::VS_VERSIONINFO.read(f)
+      end
+
+      data.delete_if do |x|
+        valid = !x.respond_to?(:valid?) || x.valid?
+        PEdump.logger.warn "[?] ignoring invalid #{x.class}" unless valid
+        !valid
+      end
+    ensure
+      validate
+    end
+
+    def validate
+      self.valid = self.file_offset &&
+        case type
+        when 'BITMAP','ICON','CURSOR'
+          data.any?{ |x| x.is_a?(BITMAPINFOHEADER) && x.valid? } || data.first == 'PNG'
+        when 'GROUP_ICON'
+          # rough validation
+          data.first.is_a?(CUR_ICO_HEADER) && data.size == data.first.wNumImages.to_i+1
+        else
+          true
+        end
+    end
+
+    def valid?
+      valid
+    end
+  end
+
+  STRING = Struct.new(:id, :lang, :value)
+
+  def strings f=@io
+    r = []
+    Array(resources(f)).find_all{ |x| x.type == 'STRING'}.each do |res|
+      res.data.each_with_index do |string,idx|
+        r << STRING.new( ((res.id.to_i-1)<<4) + idx, res.lang, string ) unless string.empty?
+      end
+    end
+    r
+  end
+
+  # see also http://www.informit.com/articles/article.aspx?p=1186882 about icons format
+
+  class BITMAPINFOHEADER < IOStruct.new 'V3v2V6',
+    :biSize,          # BITMAPINFOHEADER::SIZE
+    :biWidth,
+    :biHeight,
+    :biPlanes,
+    :biBitCount,
+    :biCompression,
+    :biSizeImage,
+    :biXPelsPerMeter,
+    :biYPelsPerMeter,
+    :biClrUsed,
+    :biClrImportant
+
+    def valid?
+      self.biSize == 40
+    end
+  end
+
+  # http://www.devsource.com/c/a/Architecture/Resources-From-PE-I/2/
+  CUR_ICO_HEADER = IOStruct.new('v3',
+    :wReserved, # always 0
+    :wResID,    # always 2
+    :wNumImages # Number of cursor images/directory entries
+  )
+
+  CURDIRENTRY = IOStruct.new 'v4Vv',
+    :wWidth,
+    :wHeight, # Divide by 2 to get the actual height.
+    :wPlanes,
+    :wBitCount,
+    :dwBytesInImage,
+    :wID
+
+  CURSOR_HOTSPOT = IOStruct.new 'v2', :x, :y
+
+  ICODIRENTRY = IOStruct.new 'C4v2Vv',
+    :bWidth,
+    :bHeight,
+    :bColors,
+    :bReserved,
+    :wPlanes,
+    :wBitCount,
+    :dwBytesInImage,
+    :wID
+
+  ROOT_RES_NAMES = [nil] + # numeration is started from 1
+    %w'CURSOR BITMAP ICON MENU DIALOG STRING FONTDIR FONT ACCELERATORS RCDATA' +
+    %w'MESSAGETABLE GROUP_CURSOR' + [nil] + %w'GROUP_ICON' + [nil] +
+    %w'VERSION DLGINCLUDE' + [nil] + %w'PLUGPLAY VXD ANICURSOR ANIICON HTML MANIFEST'
+
+  IMAGE_RESOURCE_DIRECTORY_ENTRY = IOStruct.new 'V2',
+    :Name, :OffsetToData,
+    :name, :data
+
+  IMAGE_RESOURCE_DATA_ENTRY = IOStruct.new 'V4',
+    :OffsetToData, :Size, :CodePage, :Reserved
+
+  IMAGE_RESOURCE_DIRECTORY = IOStruct.new 'V2v4',
+    :Characteristics, :TimeDateStamp, # 2dw
+    :MajorVersion, :MinorVersion, :NumberOfNamedEntries, :NumberOfIdEntries, # 4w
+    :entries # manual
+  class IMAGE_RESOURCE_DIRECTORY
+    class << self
+      attr_accessor :base
+      alias :read_without_children :read
+      def read f, root=true
+        if root
+          @@loopchk1 = Hash.new(0)
+          @@loopchk2 = Hash.new(0)
+          @@loopchk3 = Hash.new(0)
+          @@nErrors1 = 0
+          @@nErrors2 = 0
+        elsif (@@loopchk1[f.tell] += 1) > 1
+          PEdump.logger.error "[!] #{self}: loop1 detected at file pos #{f.tell}" if @@loopchk1[f.tell] < 2
+          return nil
+        end
+        read_without_children(f).tap do |r|
+          nToRead = r.NumberOfNamedEntries.to_i + r.NumberOfIdEntries.to_i
+          r.entries = []
+          nToRead.times do |i|
+            if f.eof?
+              PEdump.logger.error "[!] #{self}: #{nToRead} entries in directory, but got EOF on #{i}-th."
+              break
+            end
+            if (@@loopchk2[f.tell] += 1) > 1
+              PEdump.logger.error "[!] #{self}: loop2 detected at file pos #{f.tell}" if @@loopchk2[f.tell] < 2
+              next
+            end
+            r.entries << IMAGE_RESOURCE_DIRECTORY_ENTRY.read(f)
+          end
+          #r.entries.uniq!
+          r.entries.each_with_index do |entry,idx|
+            entry.name =
+              if (entry.Name.to_i & 0x8000_0000 > 0) && f.checked_seek(base + entry.Name & 0x7fff_ffff)
+                # Name is an address of unicode string
+                nChars = f.read(2).to_s.unpack("v").first.to_i
+                begin
+                  f.read(nChars*2).force_encoding('UTF-16LE').encode!('UTF-8')
+                rescue
+                  PEdump.logger.error "[!] #{self} failed to read entry name: #{$!}"
+                  if (@@nErrors1+=1) > MAX_ERRORS
+                    PEdump.logger.warn "[?] too many errors getting resource names, stopped on #{idx} of #{r.entries.size}"
+                    r.entries = r.entries[0,idx]
+                    break
+
+                  end
+                  "???"
+                end
+              else
+                # Name is a numeric id
+                "##{entry.Name}"
+              end
+            if entry.OffsetToData
+              if (@@loopchk3[entry.OffsetToData] += 1) > 1
+                PEdump.logger.error "[!] #{self}: loop3 detected at file pos #{f.tell}" if @@loopchk3[f.tell] < 2
+                if (@@nErrors2+=1) > MAX_ERRORS
+                  PEdump.logger.warn "[?] too many errors getting resource data, stopped on #{idx} of #{r.entries.size}"
+                  r.entries = r.entries[0,idx]
+                  break
+
+                end
+                next
+              end
+              next unless f.checked_seek(base + entry.OffsetToData & 0x7fff_ffff)
+              entry.data =
+                if entry.OffsetToData & 0x8000_0000 > 0
+                  # child is a directory
+                  IMAGE_RESOURCE_DIRECTORY.read(f,false)
+                else
+                  # child is a resource
+                  IMAGE_RESOURCE_DATA_ENTRY.read(f)
+                end
+            end
+          end
+          @@loopchk1 = @@loopchk2 = @@loopchk3 = nil if root # save some memory
+        end
+      end
+    end
+  end
+
+  def _scan_pe_resources f=@io, dir=nil
+    dir ||= resource_directory(f)
+    return nil unless dir
+    @pe_res_errors ||= 0
+    r = []
+    dir.entries.each_with_index do |entry,idx|
+      case entry.data
+        when IMAGE_RESOURCE_DIRECTORY
+          if dir == @resource_directory # root resource directory
+            entry_type =
+              if entry.Name & 0x8000_0000 == 0
+                # root resource directory & entry name is a number
+                ROOT_RES_NAMES[entry.Name] || entry.name
+              else
+                entry.name
+              end
+            r += _scan_pe_resources(f,entry.data).each do |res|
+              res.type = entry_type
+              res.parse f
+            end
+          else
+            r += _scan_pe_resources(f,entry.data).each do |res|
+              res.name = res.name == "##{res.lang}" ? entry.name : "#{entry.name} / #{res.name}"
+              res.id ||= entry.Name if entry.Name.is_a?(Numeric) && entry.Name < 0x8000_0000
+            end
+          end
+        when IMAGE_RESOURCE_DATA_ENTRY
+          file_offset = va2file(entry.data.OffsetToData, :quiet => (@pe_res_errors > MAX_ERRORS))
+          unless file_offset
+            @pe_res_errors += 1
+            if @pe_res_errors > MAX_ERRORS
+              PEdump.logger.warn "[?] too many errors getting resource data, stopped on #{idx} of #{dir.entries.size}"
+              break
+            end
+          end
+          r << Resource.new(
+            nil,          # type
+            entry.name,
+            nil,          # id
+            entry.Name,   # lang
+            #entry.data.OffsetToData + @resource_data_base,
+            file_offset,
+            entry.data.Size,
+            entry.data.CodePage,
+            entry.data.Reserved
+          )
+        else
+          if entry.data
+            logger.error "[!] invalid resource entry: #{entry.data.inspect}"
+          else
+            # show NULL entries only in verbose mode
+            logger.info  "[!] invalid resource entry: #{entry.data.inspect}"
+          end
+      end
+    end
+    r.flatten.compact
+  end
+end