pedump 0.4.8 → 0.4.9

data/README.md

@@ -3,12 +3,20 @@ pedump
 
 Description
 -----------
-A pure ruby implementation of win32 PE binary files dumper, including:
+A pure ruby implementation of win32 PE binary files dumper.
 
- * MZ Header
+Supported formats:
+
+ * DOS MZ EXE
+ * win16 NE
+ * win32 PE
+ * win64 PE
+
+Can dump:
+
+ * MZ/NE/PE Header
  * DOS stub
  * ['Rich' Header](http://ntcore.com/files/richsign.htm)
- * PE Header
  * Data Directory
  * Sections
  * Resources
@@ -41,9 +49,11 @@ Usage
             --dos-stub
             --rich
             --pe
+            --ne
             --data-directory
         -S, --sections
             --tls
+            --security
         -s, --strings
         -R, --resources
             --resource-directory
@@ -289,26 +299,7 @@ Usage
     KERNEL32.dll      21f        TlsAlloc
     KERNEL32.dll      220        TlsFree
     KERNEL32.dll      1fd        SetLastError
-    KERNEL32.dll      221        TlsGetValue
-    KERNEL32.dll       62        ExitProcess
-    KERNEL32.dll      1b8        ReadFile
-    KERNEL32.dll       16        CloseHandle
-    KERNEL32.dll      24f        WriteFile
-    KERNEL32.dll       83        FlushFileBuffers
-    KERNEL32.dll       e9        GetModuleFileNameA
-    KERNEL32.dll       98        GetCPInfo
-    KERNEL32.dll       92        GetACP
-    KERNEL32.dll       f6        GetOEMCP
-    KERNEL32.dll       8b        FreeEnvironmentStringsA
-    KERNEL32.dll       d0        GetEnvironmentStrings
-    KERNEL32.dll       8c        FreeEnvironmentStringsW
-    KERNEL32.dll       d2        GetEnvironmentStringsW
-    KERNEL32.dll      242        WideCharToMultiByte
-    KERNEL32.dll       2b        CreateFileA
-    KERNEL32.dll      1f8        SetFilePointer
-    KERNEL32.dll      206        SetStdHandle
-    KERNEL32.dll      178        LoadLibraryA
-    KERNEL32.dll      1ef        SetEndOfFile
+    ...
 
 ### Exports
 

data/VERSION

@@ -1 +1 @@
-0.4.8
+0.4.9

data/lib/pedump.rb

@@ -7,6 +7,8 @@ require 'pedump/version_info'
 require 'pedump/tls'
 require 'pedump/security'
 require 'pedump/packer'
+require 'pedump/ne'
+require 'pedump/ne/version_info'
 
 # pedump.rb by zed_0xff
 #
@@ -363,23 +365,6 @@ class PEdump
   alias :rich_header :rich_hdr
   alias :rich        :rich_hdr
 
-  def pe f=@io
-    @pe ||=
-      begin
-        pe_offset = mz(f) && mz(f).lfanew
-        if pe_offset.nil?
-          logger.fatal "[!] NULL PE offset (e_lfanew). cannot continue."
-          nil
-        elsif pe_offset > f.size
-          logger.fatal "[!] PE offset beyond EOF. cannot continue."
-          nil
-        else
-          f.seek pe_offset
-          PE.read f, :force => @force
-        end
-      end
-  end
-
   def va2file va, h={}
     return nil if va.nil?
 
@@ -439,10 +424,22 @@ class PEdump
   end
 
   def sections f=@io
-    pe(f) && pe.section_table
+    if pe(f)
+      pe.section_table
+    elsif ne(f)
+      ne.segments
+    end
   end
   alias :section_table :sections
 
+  def ne?
+    @pe ? false : (@ne ? true : (pe ? false : (ne ? true : false)))
+  end
+
+  def pe?
+    @pe ? true  : (@ne ? false : (pe ? true : false ))
+  end
+
   ##############################################################################
   # imports
   ##############################################################################
@@ -460,7 +457,7 @@ class PEdump
     :original_first_thunk,
     :first_thunk
 
-  class ImportedFunction < Struct.new(:hint, :name, :ordinal, :va)
+  class ImportedFunction < Struct.new(:hint, :name, :ordinal, :va, :module_name)
 #    def == x
 #      self.hint == x.hint && self.name == x.name && self.ordinal == x.ordinal
 #    end
@@ -479,6 +476,14 @@ class PEdump
   end
 
   def imports f=@io
+    if pe(f)
+      pe_imports(f)
+    elsif ne(f)
+      ne(f).imports
+    end
+  end
+
+  def pe_imports f=@io
     return @imports if @imports
     return nil unless pe(f) && pe(f).ioh && f
     dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::IMPORT]
@@ -594,9 +599,20 @@ class PEdump
     :AddressOfNames,
     :AddressOfNameOrdinals,
     # manual:
-    :name, :entry_points, :names, :name_ordinals
+    :name, :entry_points, :names, :name_ordinals, :functions,
+    :description # NE only
+
+  ExportedFunction = Struct.new :name, :ord, :va, :file_offset
 
   def exports f=@io
+    if pe(f)
+      pe_exports(f)
+    elsif ne(f)
+      ne(f).exports
+    end
+  end
+
+  def pe_exports f=@io
     return @exports if @exports
     return nil unless pe(f) && pe(f).ioh && f
     dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::EXPORT]
@@ -661,6 +677,21 @@ class PEdump
           f.gets("\x00").to_s.chomp("\x00")
         end
       end
+
+      ord2name = {}
+      if x.names && x.names.any?
+        x.NumberOfNames.times do |i|
+          ord2name[x.name_ordinals[i]] ||= []
+          ord2name[x.name_ordinals[i]] << x.names[i]
+        end
+      end
+
+      x.functions = []
+      x.entry_points.each_with_index do |ep,i|
+        names = ord2name[i+x.Base].try(:join,', ')
+        next if ep.to_i == 0 && names.nil?
+        x.functions << ExportedFunction.new(names, i+x.Base, ep)
+      end
     end
   end
 
@@ -696,7 +727,12 @@ class PEdump
   ##############################################################################
 
   def resources f=@io
-    @resources ||= _scan_resources(f)
+    @resources ||=
+      if pe(f)
+        _scan_pe_resources(f)
+      elsif ne(f)
+        ne(f).resources(f)
+      end
   end
 
   def version_info f=@io

data/lib/pedump/cli.rb

@@ -41,7 +41,7 @@ class PEdump::CLI
   attr_accessor :data, :argv
 
   KNOWN_ACTIONS = (
-    %w'mz dos_stub rich pe data_directory sections tls security' +
+    %w'mz dos_stub rich pe ne data_directory sections tls security' +
     %w'strings resources resource_directory imports exports version_info packer web packer_only'
   ).map(&:to_sym)
 
@@ -431,16 +431,18 @@ class PEdump::CLI
         dump_resources data
       when PEdump::STRING
         dump_strings data
-      when PEdump::IMAGE_IMPORT_DESCRIPTOR
+      when PEdump::IMAGE_IMPORT_DESCRIPTOR, PEdump::ImportedFunction
         dump_imports data
       when PEdump::Packer::Match
         dump_packers data
-      when PEdump::VS_VERSIONINFO
+      when PEdump::VS_VERSIONINFO, PEdump::NE::VS_VERSIONINFO
         dump_version_info data
       when PEdump::IMAGE_TLS_DIRECTORY32, PEdump::IMAGE_TLS_DIRECTORY64
         dump_tls data
       when PEdump::WIN_CERTIFICATE
         dump_security data
+      when PEdump::NE::Segment
+        dump_ne_segments data
       else
         puts "[?] don't know how to dump: #{data.inspect[0,50]}" unless data.empty?
       end
@@ -498,38 +500,38 @@ class PEdump::CLI
       puts "# VS_FIXEDFILEINFO:"
 
       if @options[:verbose] > 0 || vi.Value.dwSignature != 0xfeef04bd
-        printf(fmt, "Signature", "0x#{vi.Value.dwSignature.to_s(16)}")
+        printf(fmt, "Signature", "0x#{vi.Value.dwSignature.to_i.to_s(16)}")
       end
 
       printf fmt, 'FileVersion', [
-        vi.Value.dwFileVersionMS >> 16,
-        vi.Value.dwFileVersionMS &  0xffff,
-        vi.Value.dwFileVersionLS >> 16,
-        vi.Value.dwFileVersionLS &  0xffff
+        vi.Value.dwFileVersionMS.to_i >> 16,
+        vi.Value.dwFileVersionMS.to_i &  0xffff,
+        vi.Value.dwFileVersionLS.to_i >> 16,
+        vi.Value.dwFileVersionLS.to_i &  0xffff
       ].join('.')
 
       printf fmt, 'ProductVersion', [
-        vi.Value.dwProductVersionMS >> 16,
-        vi.Value.dwProductVersionMS &  0xffff,
-        vi.Value.dwProductVersionLS >> 16,
-        vi.Value.dwProductVersionLS &  0xffff
+        vi.Value.dwProductVersionMS.to_i >> 16,
+        vi.Value.dwProductVersionMS.to_i &  0xffff,
+        vi.Value.dwProductVersionLS.to_i >> 16,
+        vi.Value.dwProductVersionLS.to_i &  0xffff
       ].join('.')
 
       vi.Value.each_pair do |k,v|
         next if k[/[ML]S$/] || k == :valid || k == :dwSignature
-        printf fmt, k.to_s.sub(/^dw/,''), v > 9 ? "0x#{v.to_s(16)}" : v
+        printf fmt, k.to_s.sub(/^dw/,''), v.to_i > 9 ? "0x#{v.to_s(16)}" : v
       end
 
       vi.Children.each do |file_info|
         case file_info
-        when PEdump::StringFileInfo
+        when PEdump::StringFileInfo, PEdump::NE::StringFileInfo
           file_info.Children.each do |string_table|
             puts "\n# StringTable #{string_table.szKey}:"
             string_table.Children.each do |string|
               printf fmt, string.szKey, string.Value.inspect
             end
           end
-        when PEdump::VarFileInfo
+        when PEdump::VarFileInfo, PEdump::NE::VarFileInfo
           puts
           printf fmt, "VarFileInfo", '[ 0x' + file_info.Children.Value.map{|v| v.to_s(16)}.join(", 0x") + ' ]'
         else
@@ -551,58 +553,68 @@ class PEdump::CLI
   end
 
   def dump_exports data
-    printf "# module %s\n# flags=0x%x  ts=%s  version=%d.%d  ord_base=%d\n",
-      data.name.inspect,
-      data.Characteristics.to_i,
-      Time.at(data.TimeDateStamp.to_i).utc.strftime('"%Y-%m-%d %H:%M:%S"'),
-      data.MajorVersion.to_i, data.MinorVersion.to_i,
-      data.Base.to_i
+    printf "# module %s\n", data.name.inspect
+    printf "# description %s\n", data.description.inspect if data.description
+
+    if data.Characteristics || data.TimeDateStamp || data.MajorVersion || data.MinorVersion || data.Base
+      printf "# flags=0x%x  ts=%s  version=%d.%d  ord_base=%d\n",
+        data.Characteristics.to_i,
+        Time.at(data.TimeDateStamp.to_i).utc.strftime('"%Y-%m-%d %H:%M:%S"'),
+        data.MajorVersion.to_i, data.MinorVersion.to_i,
+        data.Base.to_i
+    end
 
     if @options[:verbose] > 0
       [%w'Names', %w'EntryPoints Functions', %w'Ordinals NameOrdinals'].each do |x|
         va  = data["AddressOf"+x.last]
         ofs = @pedump.va2file(va) || '?'
-        printf "# %-12s rva=0x%08x  file_offset=%8s\n", x.first, va, ofs
+        printf("# %-12s rva=0x%08x  file_offset=%8s\n", x.first, va, ofs) if va
       end
     end
 
-    printf "# nFuncs=%d  nNames=%d\n",
-      data.NumberOfFunctions.to_i,
-      data.NumberOfNames.to_i
-
-    return unless data.name_ordinals.any? || data.entry_points.any? || data.names.any?
-
-    puts
-
-    ord2name = {}
-    if data.names && data.names.any?
-      data.NumberOfNames.times do |i|
-        ord2name[data.name_ordinals[i]] ||= []
-        ord2name[data.name_ordinals[i]] << data.names[i]
-      end
+    if data.NumberOfFunctions || data.NumberOfNames
+      printf "# nFuncs=%d  nNames=%d\n", data.NumberOfFunctions.to_i, data.NumberOfNames.to_i
     end
 
-    printf "%5s %8s  %s\n", "ORD", "ENTRY_VA", "NAME"
-    data.entry_points.each_with_index do |ep,i|
-      names = ord2name[i+data.Base].try(:join,', ')
-      next if ep.to_i == 0 && names.nil?
-      printf "%5x %8x  %s\n", i + data.Base, ep, names
+    if data.functions && data.functions.any?
+      puts
+      if @pedump.ne?
+        printf "%5s %9s  %s\n", "ORD", "SEG:OFFS", "NAME"
+        data.functions.each do |f|
+          printf "%5x %4x:%04x  %s\n", f.ord, f.va>>16, f.va&0xffff, f.name
+        end
+      else
+        printf "%5s %8s  %s\n", "ORD", "ENTRY_VA", "NAME"
+        data.functions.each do |f|
+          printf "%5x %8x  %s\n", f.ord, f.va, f.name
+        end
+      end
     end
   end
 
   def dump_imports data
     fmt = "%-15s %5s %5s  %s\n"
     printf fmt, "MODULE_NAME", "HINT", "ORD", "FUNCTION_NAME"
-    data.each do |iid|
-      # image import descriptor
-      (Array(iid.original_first_thunk) + Array(iid.first_thunk)).uniq.each do |f|
-        next unless f
-        # imported function
+    data.each do |x|
+      case x
+      when PEdump::IMAGE_IMPORT_DESCRIPTOR
+        (Array(x.original_first_thunk) + Array(x.first_thunk)).uniq.each do |f|
+          next unless f
+          # imported function
+          printf fmt,
+            x.module_name,
+            f.hint ? f.hint.to_s(16) : '',
+            f.ordinal ? f.ordinal.to_s(16) : '',
+            f.name
+        end
+      when PEdump::ImportedFunction
         printf fmt,
-          iid.module_name,
-          f.hint ? f.hint.to_s(16) : '',
-          f.ordinal ? f.ordinal.to_s(16) : '',
-          f.name
+          x.module_name,
+          x.hint ? x.hint.to_s(16) : '',
+          x.ordinal ? x.ordinal.to_s(16) : '',
+          x.name
+      else
+        raise "invalid #{x.inspect}"
       end
     end
   end
@@ -612,7 +624,7 @@ class PEdump::CLI
     prev_lang = nil
     data.sort_by{|s| [s.lang, s.id] }.each do |s|
       #puts if prev_lang && prev_lang != s.lang
-      printf "%5d %5x  %4x  %s\n", s.id, s.id, s.lang, s.value.inspect
+      printf "%5d %5x  %4s  %s\n", s.id, s.id, s.lang && s.lang.to_s(16), s.value.inspect
       prev_lang = s.lang
     end
   end
@@ -699,11 +711,15 @@ class PEdump::CLI
     printf fmt.join.tr('dx','s'), *keys.map(&:to_s).map(&:upcase)
     data.each do |res|
       fmt.each_with_index do |f,i|
-        v = res.send(keys[i])
-        if f['x']
-          printf f.tr('x','s'), v.to_i < 10 ? v.to_s : "0x#{v.to_s(16)}"
+        if v = res.send(keys[i])
+          if f['x']
+            printf f.tr('x','s'), v.to_i < 10 ? v.to_s : "0x#{v.to_s(16)}"
+          else
+            printf f, v
+          end
         else
-          printf f, v
+          # NULL value
+          printf f.tr('xd','s'), ''
         end
       end
     end
@@ -724,6 +740,16 @@ class PEdump::CLI
     end
   end
 
+  def dump_ne_segments data
+    fmt = "%2x %6x %6x %9x %9x %6x  %s\n"
+    printf fmt.tr('x','s'), *%w'# OFFSET SIZE MIN_ALLOC FILE_OFFS FLAGS', ''
+    data.each_with_index do |seg,idx|
+      printf fmt, idx+1, seg.offset, seg.size, seg.min_alloc_size, seg.file_offset, seg.flags,
+        seg.flags_desc
+    end
+  end
+
+
   def dump_data_dir data
     data.each do |row|
       printf "  %-12s  rva:0x%8x   size:0x %8x\n", row.type, row.va.to_i, row.size.to_i

data/lib/pedump/ne.rb

@@ -0,0 +1,425 @@
+class PEdump
+  # from wine's winnt.h
+  class NE < PEdump.create_struct 'a2CCvvVv4VVv8Vv3CCv4',
+    :ne_magic,             # 00 NE signature 'NE'
+    :ne_ver,               # 02 Linker version number
+    :ne_rev,               # 03 Linker revision number
+    :ne_enttab,            # 04 Offset to entry table relative to NE
+    :ne_cbenttab,          # 06 Length of entry table in bytes
+    :ne_crc,               # 08 Checksum
+    :ne_flags,             # 0c Flags about segments in this file
+    :ne_autodata,          # 0e Automatic data segment number
+    :ne_heap,              # 10 Initial size of local heap
+    :ne_stack,             # 12 Initial size of stack
+    :ne_csip,              # 14 Initial CS:IP
+    :ne_sssp,              # 18 Initial SS:SP
+    :ne_cseg,              # 1c # of entries in segment table
+    :ne_cmod,              # 1e # of entries in module reference tab.
+    :ne_cbnrestab,         # 20 Length of nonresident-name table
+    :ne_segtab,            # 22 Offset to segment table
+    :ne_rsrctab,           # 24 Offset to resource table
+    :ne_restab,            # 26 Offset to resident-name table
+    :ne_modtab,            # 28 Offset to module reference table
+    :ne_imptab,            # 2a Offset to imported name table
+    :ne_nrestab,           # 2c Offset to nonresident-name table
+    :ne_cmovent,           # 30 # of movable entry points
+    :ne_align,             # 32 Logical sector alignment shift count
+    :ne_cres,              # 34 # of resource segments
+    :ne_exetyp,            # 36 Flags indicating target OS
+    :ne_flagsothers,       # 37 Additional information flags
+    :ne_pretthunks,        # 38 Offset to return thunks
+    :ne_psegrefbytes,      # 3a Offset to segment ref. bytes
+    :ne_swaparea,          # 3c Reserved by Microsoft
+    :ne_expver             # 3e Expected Windows version number
+
+    attr_accessor :io, :offset
+
+    DEFAULT_CP = 1252
+
+    def self.cp
+      @@cp || DEFAULT_CP
+    end
+
+    def self.cp= cp
+      @@cp = cp
+    end
+
+    def self.read io, *args
+      self.cp = DEFAULT_CP
+      offset = io.tell
+      super.tap do |x|
+        x.io, x.offset = io, offset
+      end
+    end
+
+    class Segment < PEdump.create_struct 'v4',
+      :offset, :size, :flags, :min_alloc_size,
+      # manual:
+      :file_offset, :relocs
+
+      FLAG_RELOCINFO = 0x100
+
+      def data?
+        flags & 1 == 1
+      end
+
+      def code?
+        !data?
+      end
+
+      def flags_desc
+        r = code? ? 'CODE' : 'DATA'
+        r << ' ALLOC' if flags & 2 != 0
+        r << ' LOADED' if flags & 4 != 0
+        r << ((flags & 0x10 != 0) ? ' MOVABLE' : ' FIXED')
+        r << ((flags & 0x20 != 0) ? ' PURE' : '')
+        r << ((flags & 0x40 != 0) ? ' PRELOAD' : '')
+        if code?
+          r << ((flags & 0x80 != 0) ? ' EXECUTEONLY' : '')
+        else
+          r << ((flags & 0x80 != 0) ? ' READONLY' : '')
+        end
+        r << ((flags & FLAG_RELOCINFO != 0) ? ' RELOCINFO' : '')
+        r << ((flags & 0x200 != 0) ? ' DBGINFO' : '')
+        r << ((flags & 0x1000 != 0) ? ' DISCARD' : '')
+        r
+      end
+    end
+
+    class Reloc < PEdump.create_struct 'CCvvv',
+      :source, :type,
+      :offset,           # offset of the relocation item within the segment
+
+      # If the relocation type is imported ordinal,
+      # the fifth and sixth bytes specify an index to a module's reference table and
+      # the seventh and eighth bytes specify a function ordinal value.
+
+      # If the relocation type is imported name,
+      # the fifth and sixth bytes specify an index to a module's reference table and
+      # the seventh and eighth bytes specify an offset to an imported-name table.
+
+      :module_idx,
+      :func_idx
+
+      TYPE_IMPORTORDINAL = 1
+      TYPE_IMPORTNAME    = 2
+    end
+
+    def segments io=@io
+      @segments ||= io &&
+        begin
+          io.seek ne_segtab+@offset
+          ne_cseg.times.map{ Segment.read(io) }.each do |seg|
+            seg.file_offset = seg.offset << ne_align
+            seg.relocs = []
+            if (seg.flags & Segment::FLAG_RELOCINFO) != 0
+              io.seek seg.file_offset + seg.size
+              nRelocs = io.read(2).unpack('v').first
+              seg.relocs = nRelocs.times.map{ Reloc.read(io) }
+            end
+          end
+        end
+    end
+
+    class ResourceGroup < PEdump.create_struct 'vvV',
+      :type_id, :count, :reserved,
+      # manual:
+      :type, :children
+
+      def self.read io
+        super.tap do |g|
+          if g.type_id.to_i == 0
+            # type_id = 0 means end of resource groups
+            return nil
+          else
+            # read only if type_id is non-zero,
+            g.children = []
+            g.count.times do
+              break if io.eof?
+              g.children << ResourceInfo.read(io)
+            end
+          end
+        end
+      end
+    end
+
+    class ResourceInfo < PEdump.create_struct 'v4V',
+      :offset, :size, :flags, :name_offset, :reserved,
+      # manual:
+      :name
+    end
+
+    class Resource < PEdump::Resource
+      # NE strings use 8-bit characters
+      def parse f, h={}
+        self.data = []
+        case type
+        when 'STRING'
+          f.seek file_offset
+          16.times do
+            break if f.tell >= file_offset+self.size
+            nChars = f.getc.ord
+            t =
+              if nChars + 1 > self.size
+                # TODO: if it's not 1st string in table then truncated size must be less
+                PEdump.logger.error "[!] string size(#{nChars*2}) > stringtable size(#{self.size}). truncated to #{self.size-2}"
+                f.read(self.size-1)
+              else
+                f.read(nChars)
+              end
+            data <<
+              begin
+                t.force_encoding("CP#{h[:cp]}").encode!('UTF-8')
+              rescue
+                t.force_encoding('ASCII')
+              end
+          end
+        when 'VERSION'
+          f.seek file_offset
+          data << PEdump::NE::VS_VERSIONINFO.read(f)
+        else
+          super(f)
+        end
+      end
+    end
+
+    def _id2string id, io, res_base
+      if id & 0x8000 == 0
+        # offset to name
+        io.seek id + res_base
+        namesize = (io.getc || 0.chr).ord
+        io.read(namesize)
+      else
+        # numerical id
+        "##{id & 0x7fff}"
+      end
+    end
+
+    def resource_directory io=@io
+      @resource_directory ||=
+        begin
+          res_base = ne_rsrctab+@offset
+          io.seek res_base
+          res_shift = io.read(2).unpack('v').first
+          unless (0..16).include?(res_shift)
+            PEdump.logger.error "[!] invalid res_shift = %d" % res_shift
+            return []
+          end
+          PEdump.logger.info "[.] res_shift = %d" % res_shift
+          r = []
+          while !io.eof? && (g = ResourceGroup.read(io))
+            r << g
+          end
+          r.each do |g|
+            g.type = (g.type_id & 0x8000 != 0) && PEdump::ROOT_RES_NAMES[g.type_id & 0x7fff]
+            g.type ||= _id2string( g.type_id, io, res_base)
+            g.children.each do |res|
+              res.name = _id2string(res.name_offset, io, res_base)
+              res.offset ||= 0
+              res.offset <<= res_shift
+              res.size   ||= 0
+              res.size   <<= res_shift
+            end
+          end
+          r
+        end
+    end
+
+    def _detect_codepage a, io=@io
+      a.find_all{ |res| res.type == 'VERSION' }.each do |res|
+        res.parse(io)
+        res.data.each do |vi|
+          if vi.respond_to?(:Children) && vi.Children.respond_to?(:each)
+            # vi is PEdump::NE::VS_VERSIONINFO
+            vi.Children.each do |vfi|
+              if vfi.is_a?(PEdump::NE::VarFileInfo) && vfi.Children.is_a?(PEdump::NE::Var)
+                var = vfi.Children
+                # var is PEdump::NE::Var
+                if var.respond_to?(:Value) && var.Value.is_a?(Array) && var.Value.size == 2
+                  return var.Value.last
+                end
+              end
+            end
+          end
+        end
+      end
+      nil
+    end
+
+    def resources io=@io
+      a = []
+      resource_directory(io).each do |grp|
+        grp.children.each do |res|
+          a << (r = Resource.new)
+          r.id   = (res.name_offset & 0x7fff) if (res.name_offset & 0x8000) != 0
+          r.type = grp.type
+          r.size = res.size
+          r.name = res.name
+          r.file_offset = res.offset
+          r.reserved = res.reserved
+        end
+      end
+
+      # try to detect codepage
+      cp = _detect_codepage(a, io)
+      if cp
+        PEdump::NE.cp = cp # XXX HACK
+        PEdump.logger.info "[.] detect_codepage: #{cp.inspect}"
+      else
+        cp = DEFAULT_CP
+        PEdump.logger.info "[.] detect_codepage failed, using default #{cp}"
+      end
+
+      a.each{ |r| r.parse(io, :cp => cp) }
+      a
+    end
+
+    def imports io=@io
+      @imports ||=
+        begin
+          io.seek @offset+ne_modtab
+          modules = io.read(2*ne_cmod).unpack('v*')
+          modules.map! do |ofs|
+            io.seek @offset+ne_imptab+ofs
+            namelen = io.getc.ord
+            io.read(namelen)
+          end
+
+          r = []
+          segments(io).each do |seg|
+            seg.relocs.each do |rel|
+              if rel.type == Reloc::TYPE_IMPORTORDINAL
+                r << (f = PEdump::ImportedFunction.new)
+                f.module_name = modules[rel.module_idx-1]
+                f.ordinal = rel.func_idx
+              elsif rel.type == Reloc::TYPE_IMPORTNAME
+                r << (f = PEdump::ImportedFunction.new)
+                f.module_name = modules[rel.module_idx-1]
+                io.seek @offset+ne_imptab+rel.func_idx
+                namelen = io.getc.ord
+                f.name = io.read(namelen)
+              end
+            end
+          end
+          r
+        end
+    end
+
+    # first string with ordinal 0 is a module name
+    def exports io=@io
+      exp_dir = IMAGE_EXPORT_DIRECTORY.new
+      exp_dir.functions = []
+
+      io.seek @offset+ne_restab
+      while !io.eof && (namelen = io.getc.ord) > 0
+        exp_dir.functions << ExportedFunction.new( io.read(namelen), io.read(2).unpack('v').first, 0 )
+      end
+      exp_dir.name = exp_dir.functions.shift.name if exp_dir.functions.any?
+
+      a = []
+      io.seek ne_nrestab
+      while !io.eof && (namelen = io.getc.ord) > 0
+        a << ExportedFunction.new( io.read(namelen), io.read(2).unpack('v').first, 0 )
+      end
+      exp_dir.description = a.shift.name if a.any?
+      exp_dir.functions += a
+
+      exp_dir.functions.each do |f|
+        f.va = entrypoints[f.ord]
+      end
+
+      exp_dir
+    end
+
+    # The entry-table data is organized by bundle, each of which begins with a 2-byte header.
+    # The first byte of the header specifies the number of entries in the bundle ( 0 = end of the table).
+    # The second byte specifies whether the corresponding segment is movable or fixed.
+    #   0xFF = the segment is movable.
+    #   0xFE = the entry does not refer to a segment but refers to a constant defined within the module.
+    #   else it is a segment index.
+
+    class Bundle < PEdump.create_struct 'CC', :num_entries, :seg_idx,
+      :entries # manual
+
+      FixedEntry   = PEdump.create_struct 'Cv',   :flag, :offset
+      MovableEntry = PEdump.create_struct 'CvCv', :flag, :int3F, :seg_idx, :offset
+
+      def movable?
+        seg_idx == 0xff
+      end
+
+      def self.read io
+        super.tap do |bundle|
+          return nil if bundle.num_entries == 0
+          if bundle.num_entries == 0
+            @@eob ||= 0
+            @@eob += 1
+            return nil if @@eob == 2
+          end
+          bundle.entries = bundle.seg_idx == 0 ? [] :
+            if bundle.movable?
+              bundle.num_entries.times.map{ MovableEntry.read(io) }
+            else
+              bundle.num_entries.times.map{ FixedEntry.read(io) }
+            end
+        end
+      end
+    end
+
+    def bundles io=@io
+      io.seek @offset+ne_enttab
+      bundles = []
+      while bundle = Bundle.read(io)
+        bundles << bundle
+      end
+      bundles
+    end
+
+    def entrypoints io=@io
+      @entrypoints ||=
+        begin
+          r = [0] # entrypoint indexes are 1-based
+          bundles(io).each do |b|
+            if b.entries.empty?
+              b.num_entries.times{ r<<0 }
+            else
+              b.entries.each do |e|
+                if e.is_a?(Bundle::MovableEntry)
+                  r << (e.seg_idx<<16) + e.offset
+                elsif e.is_a?(Bundle::FixedEntry)
+                  r << (b.seg_idx<<16) + e.offset
+                else
+                  raise "invalid ep #{e.inspect}"
+                end
+              end
+            end
+          end
+          r
+        end
+    end
+  end
+
+  def ne f=@io
+    return @ne if defined?(@ne)
+    @ne ||=
+      begin
+        ne_offset = mz(f) && mz(f).lfanew
+        if ne_offset.nil?
+          logger.fatal "[!] NULL NE offset (e_lfanew)."
+          nil
+        elsif ne_offset > f.size
+          logger.fatal "[!] NE offset beyond EOF."
+          nil
+        else
+          f.seek ne_offset
+          if f.read(2) == 'NE'
+            f.seek ne_offset
+            NE.read f
+          else
+            nil
+          end
+        end
+      end
+  end
+
+end