richprint-pe 1.0.0__tar.gz

richprint_pe-1.0.0/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2015-2024 dishather (https://github.com/dishather)
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice,
+   this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
+OF SUCH DAMAGE.

richprint_pe-1.0.0/PKG-INFO

@@ -0,0 +1,119 @@
+Metadata-Version: 2.4
+Name: richprint-pe
+Version: 1.0.0
+Summary: Decode and print Rich headers from Windows PE executables
+Project-URL: Homepage, https://github.com/dishather/richprint
+Project-URL: Repository, https://github.com/dishather/richprint
+Author-email: dishather <noreply@github.com>
+License-Expression: BSD-2-Clause
+License-File: LICENSE
+Keywords: compiler,executable,forensics,pe,rich-header,windows
+Classifier: Development Status :: 5 - Production/Stable
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: BSD License
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.8
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Software Development :: Build Tools
+Classifier: Topic :: System :: Systems Administration
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+
+# richprint
+
+A Python tool to decode and print compiler information stored in the Rich Header of Windows PE executables.
+
+## Installation
+
+```bash
+pip install richprint-pe
+```
+
+## What is the Rich Header?
+
+The Rich Header is a section of binary data created by Microsoft's linker, located between the DOS stub and PE header in Windows executables. It contains a list of compiler/tool IDs (@comp.id) used to build the executable, allowing identification of exact compiler versions down to build numbers.
+
+The data is XOR-encoded, with "Rich" being the only readable marker. Files created by non-Microsoft linkers will not have this header.
+
+For technical details, see [Daniel Pistelli's article](http://www.ntcore.com/files/richsign.htm).
+
+## Usage
+
+### Command Line
+
+```bash
+# Analyze one or more files
+richprint notepad.exe
+richprint file1.exe file2.dll file3.sys
+
+# JSON output
+richprint --json notepad.exe
+
+# Use custom compiler ID database
+richprint --database /path/to/comp_id.txt notepad.exe
+```
+
+### Python API
+
+```python
+from richprint import parse_file, load_database
+
+# Load the bundled compiler ID database
+db = load_database()
+
+# Parse a PE file
+result = parse_file("notepad.exe", db)
+
+if result.success:
+    print(f"Machine: {result.pe_info.machine_name}")
+    print(f"XOR Key: 0x{result.rich_header.xor_key:08x}")
+    for entry in result.rich_header.entries:
+        print(f"  {entry.comp_id:08x} {entry.description}")
+else:
+    print(f"Error: {result.error}")
+```
+
+## Output Format
+
+```
+Processing notepad.exe
+Target machine: x64
+@comp.id   id version count   description
+00e1520d   e1  21005    10   [C++] VS2013 build 21005
+00df520d   df  21005     1   [ASM] VS2013 build 21005
+00de520d   de  21005     1   [LNK] VS2013 build 21005
+```
+
+## Compiler ID Database
+
+The bundled `comp_id.txt` database maps compiler IDs to human-readable descriptions. The format supports:
+
+- `[ C ]` - C compiler
+- `[C++]` - C++ compiler
+- `[ASM]` - Assembler
+- `[LNK]` - Linker
+- `[RES]` - Resource converter
+- `[IMP]` / `[EXP]` - DLL import/export records
+- And many more...
+
+## Suppressing Rich Headers
+
+To prevent Microsoft tools from emitting this header, use the undocumented linker option:
+```
+/emittoolversioninfo:no
+```
+
+Available since VS2019 Update 11.
+
+## License
+
+BSD 2-Clause License. See [LICENSE](LICENSE) for details.
+
+## Credits
+
+Original C++ implementation and compiler ID database by [dishather](https://github.com/dishather/richprint).

richprint_pe-1.0.0/README.md

@@ -0,0 +1,93 @@
+# richprint
+
+A Python tool to decode and print compiler information stored in the Rich Header of Windows PE executables.
+
+## Installation
+
+```bash
+pip install richprint-pe
+```
+
+## What is the Rich Header?
+
+The Rich Header is a section of binary data created by Microsoft's linker, located between the DOS stub and PE header in Windows executables. It contains a list of compiler/tool IDs (@comp.id) used to build the executable, allowing identification of exact compiler versions down to build numbers.
+
+The data is XOR-encoded, with "Rich" being the only readable marker. Files created by non-Microsoft linkers will not have this header.
+
+For technical details, see [Daniel Pistelli's article](http://www.ntcore.com/files/richsign.htm).
+
+## Usage
+
+### Command Line
+
+```bash
+# Analyze one or more files
+richprint notepad.exe
+richprint file1.exe file2.dll file3.sys
+
+# JSON output
+richprint --json notepad.exe
+
+# Use custom compiler ID database
+richprint --database /path/to/comp_id.txt notepad.exe
+```
+
+### Python API
+
+```python
+from richprint import parse_file, load_database
+
+# Load the bundled compiler ID database
+db = load_database()
+
+# Parse a PE file
+result = parse_file("notepad.exe", db)
+
+if result.success:
+    print(f"Machine: {result.pe_info.machine_name}")
+    print(f"XOR Key: 0x{result.rich_header.xor_key:08x}")
+    for entry in result.rich_header.entries:
+        print(f"  {entry.comp_id:08x} {entry.description}")
+else:
+    print(f"Error: {result.error}")
+```
+
+## Output Format
+
+```
+Processing notepad.exe
+Target machine: x64
+@comp.id   id version count   description
+00e1520d   e1  21005    10   [C++] VS2013 build 21005
+00df520d   df  21005     1   [ASM] VS2013 build 21005
+00de520d   de  21005     1   [LNK] VS2013 build 21005
+```
+
+## Compiler ID Database
+
+The bundled `comp_id.txt` database maps compiler IDs to human-readable descriptions. The format supports:
+
+- `[ C ]` - C compiler
+- `[C++]` - C++ compiler
+- `[ASM]` - Assembler
+- `[LNK]` - Linker
+- `[RES]` - Resource converter
+- `[IMP]` / `[EXP]` - DLL import/export records
+- And many more...
+
+## Suppressing Rich Headers
+
+To prevent Microsoft tools from emitting this header, use the undocumented linker option:
+```
+/emittoolversioninfo:no
+```
+
+Available since VS2019 Update 11.
+
+## License
+
+BSD 2-Clause License. See [LICENSE](LICENSE) for details.
+
+## Credits
+
+Original C++ implementation and compiler ID database by [dishather](https://github.com/dishather/richprint).

richprint_pe-1.0.0/pyproject.toml

@@ -0,0 +1,49 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "richprint-pe"
+version = "1.0.0"
+description = "Decode and print Rich headers from Windows PE executables"
+readme = "README.md"
+license = "BSD-2-Clause"
+requires-python = ">=3.8"
+authors = [
+    { name = "dishather", email = "noreply@github.com" }
+]
+keywords = ["pe", "executable", "rich-header", "windows", "compiler", "forensics"]
+classifiers = [
+    "Development Status :: 5 - Production/Stable",
+    "Environment :: Console",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: BSD License",
+    "Operating System :: OS Independent",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.8",
+    "Programming Language :: Python :: 3.9",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Topic :: Software Development :: Build Tools",
+    "Topic :: System :: Systems Administration",
+]
+dependencies = []
+
+[project.scripts]
+richprint = "richprint.cli:main"
+
+[project.urls]
+Homepage = "https://github.com/dishather/richprint"
+Repository = "https://github.com/dishather/richprint"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/richprint"]
+
+[tool.hatch.build.targets.sdist]
+include = [
+    "/src",
+    "/tests",
+    "/README.md",
+    "/LICENSE",
+]

richprint_pe-1.0.0/src/richprint/__init__.py

@@ -0,0 +1,62 @@
+"""
+richprint - Decode and print Rich headers from Windows PE executables.
+
+The Rich header is metadata embedded by Microsoft's linker containing
+compiler version information (@comp.id records).
+"""
+
+from .parser import parse_file, parse_bytes
+from .database import load_database, lookup_description, CompilerDatabase
+from .models import CompilerEntry, RichHeader, PEInfo, ParseResult
+from .constants import (
+    MZ_SIGNATURE,
+    PE_SIGNATURE,
+    RICH_SIGNATURE,
+    DANS_SIGNATURE,
+    MACHINE_TYPES,
+    get_machine_type,
+)
+from .exceptions import (
+    RichPrintError,
+    FileOpenError,
+    NoMZHeaderError,
+    NoPEHeaderError,
+    InvalidDOSHeaderError,
+    NoRichHeaderError,
+    NoDanSTokenError,
+    InvalidRichHeaderError,
+)
+
+__version__ = "1.0.0"
+
+__all__ = [
+    # Main API
+    "parse_file",
+    "parse_bytes",
+    "load_database",
+    "lookup_description",
+    # Models
+    "CompilerEntry",
+    "RichHeader",
+    "PEInfo",
+    "ParseResult",
+    "CompilerDatabase",
+    # Constants
+    "MZ_SIGNATURE",
+    "PE_SIGNATURE",
+    "RICH_SIGNATURE",
+    "DANS_SIGNATURE",
+    "MACHINE_TYPES",
+    "get_machine_type",
+    # Exceptions
+    "RichPrintError",
+    "FileOpenError",
+    "NoMZHeaderError",
+    "NoPEHeaderError",
+    "InvalidDOSHeaderError",
+    "NoRichHeaderError",
+    "NoDanSTokenError",
+    "InvalidRichHeaderError",
+    # Version
+    "__version__",
+]

richprint_pe-1.0.0/src/richprint/__main__.py

@@ -0,0 +1,7 @@
+"""Enable running as: python -m richprint"""
+
+import sys
+from .cli import main
+
+if __name__ == "__main__":
+    sys.exit(main())

richprint_pe-1.0.0/src/richprint/cli.py

@@ -0,0 +1,112 @@
+"""Command-line interface for richprint."""
+
+import argparse
+import json
+import sys
+from typing import List, Optional
+
+from .database import load_database
+from .parser import parse_file
+from .models import ParseResult
+
+
+def format_entry_line(entry) -> str:
+    """Format a single Rich header entry for display."""
+    return (
+        f"{entry.comp_id:08x} {entry.product_id:4x} {entry.build_version:6d} "
+        f"{entry.count:5d}"
+        + (f" {entry.description}" if entry.description else "")
+    )
+
+
+def print_result(result: ParseResult) -> None:
+    """Print parse result in human-readable format."""
+    print(f"Processing {result.filename}")
+
+    if not result.success:
+        print(result.error, file=sys.stderr)
+        return
+
+    if result.pe_info:
+        print(f"Target machine: {result.pe_info.machine_name}")
+
+    if result.rich_header and result.rich_header.entries:
+        print("@comp.id   id version count   description")
+        for entry in result.rich_header.entries:
+            print(format_entry_line(entry))
+
+
+def create_parser() -> argparse.ArgumentParser:
+    """Create argument parser."""
+    parser = argparse.ArgumentParser(
+        prog="richprint",
+        description="Decode and print Rich headers from Windows PE executables.",
+        epilog=(
+            "Rich headers contain compiler version information embedded by "
+            "Microsoft's linker."
+        ),
+    )
+
+    parser.add_argument(
+        "files",
+        nargs="*",
+        metavar="FILE",
+        help="PE executable file(s) to analyze",
+    )
+
+    parser.add_argument(
+        "--json",
+        action="store_true",
+        help="Output results as JSON",
+    )
+
+    parser.add_argument(
+        "--database", "-d",
+        metavar="PATH",
+        help="Path to custom comp_id.txt database file",
+    )
+
+    parser.add_argument(
+        "--version", "-V",
+        action="version",
+        version="%(prog)s 1.0.0",
+    )
+
+    return parser
+
+
+def main(argv: Optional[List[str]] = None) -> int:
+    """Main entry point for CLI."""
+    parser = create_parser()
+    args = parser.parse_args(argv)
+
+    if not args.files:
+        print(
+            "Rich header decoder. Usage:\n\n"
+            "  richprint file ...\n\n"
+            "Rich headers can be found in executable files, DLLs, "
+            "and other binary files\ncreated by Microsoft linker."
+        )
+        return 0
+
+    # Load database
+    db = load_database(args.database)
+
+    results = []
+    for filename in args.files:
+        result = parse_file(filename, db)
+        results.append(result)
+
+    if args.json:
+        output = [r.to_dict() for r in results]
+        print(json.dumps(output, indent=2))
+    else:
+        for result in results:
+            print_result(result)
+
+    # Return non-zero if any file failed
+    return 0 if all(r.success for r in results) else 1
+
+
+if __name__ == "__main__":
+    sys.exit(main())

richprint_pe-1.0.0/src/richprint/constants.py

@@ -0,0 +1,47 @@
+"""Magic numbers and constants for PE/Rich header parsing."""
+
+# Signature magic values
+MZ_SIGNATURE = 0x5A4D  # "MZ" - DOS executable signature
+PE_SIGNATURE = 0x4550  # "PE\0\0" - PE header signature
+RICH_SIGNATURE = 0x68636952  # "Rich" (little-endian)
+DANS_SIGNATURE = 0x536E6144  # "DanS" (little-endian)
+
+# DOS header offsets
+DOS_NUM_RELOCS_OFFSET = 0x06  # Number of relocations
+DOS_HEADER_PARA_OFFSET = 0x08  # Size of header in paragraphs
+DOS_RELOC_OFFSET = 0x18  # File address of relocation table
+DOS_PE_OFFSET = 0x3C  # File address of PE header
+
+# PE header offsets (relative to PE signature)
+PE_MACHINE_OFFSET = 4  # Machine type field
+
+# Machine type mapping
+# From https://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx
+MACHINE_TYPES = {
+    0x8664: "x64",
+    0x14C: "x32",
+    0x1D3: "Matsushita AM33",
+    0x1C0: "ARM LE",
+    0x1C4: "ARMv7+ Thumb",
+    0xAA64: "ARMv8 64bit",
+    0xEBC: "EFI bytecode",
+    0x200: "Intel Itanium",
+    0x9041: "Mitsubishi M32R LE",
+    0x266: "MIPS16",
+    0x366: "MIPS w/FPU",
+    0x466: "MIPS16 w/FPU",
+    0x1F0: "PowerPC LE",
+    0x1F1: "PowerPC w/FPU",
+    0x166: "MIPS LE",
+    0x1A2: "Hitachi SH3",
+    0x1A3: "Hitachi SH3 DSP",
+    0x1A6: "Hitachi SH4",
+    0x1A8: "Hitachi SH5",
+    0x1C2: "ARM or Thumb",
+    0x169: "MIPS LE WCE v2",
+}
+
+
+def get_machine_type(machine_id: int) -> str:
+    """Get human-readable machine type name."""
+    return MACHINE_TYPES.get(machine_id, "Unknown")

richprint_pe-1.0.0/src/richprint/data/__init__.py

@@ -0,0 +1 @@
+# Package marker for bundled data files.