The pictures below show how this is parsed/visualized for my PropEdit.exe (but the solution is generic and works with any 32-bit PE file).

ImageNtHeaders32: IMAGE_NT_HEADERS32 :ImageDosHeader._lfanew
OriginalFirstThunk_ImportLookupTable_RVA: UInt32
FirstThunk_ImportAddressTable_RVA: UInt32
Misc_PhysicalAddressOrVirtualSize: UInt32

In the next post I'll show what I have currently.

DataDirectory: IMAGE_DATA_DIRECTORY

These are options for the future, currently I will focus on making a read only structure viewer. It would also allow to check for file consistency, and to annotate so that files could be changed/resized while staying valid and consistent. The other advantage is that it would allow to automatically generate parsers, based on the declarative syntax, so you could for example quickly define the file structure, then automatically get a file parser in your preferred language as a class/library to include.

A bit like a compiler, but for making structured file readers/modifiers. The main advantage is that this allows for declaring the intent, and optimizing the implementation independently of that (always to a degree of course).

MS-PPT.pdf Attachments: MS-PPT.pdf MS-OSHARED (1).pdf MS-OLEPS.pdf MS-DOC.pdf Word97-2007BinaryFileFormat (doc)Specification.pdf MS-CFB. Also, attached are specification documents regarding the file format specification and other office file format specifications. Unless of course they are essentially a full programming language.

But people should be able to write translators. Attached is the binary template to be used with 010 editor. It will also likely be more expressive/powerful than most structure definition languages I saw so far. I think a datatype, which (file) structure definitions are, should be described as declaratively as possible, even if it has dynamic aspects.
Pull requests are also always welcome.

Over time I looked at many different syntaxes, and decided to go against the common choice of using imperative like inspired languages. If/when you have a problem with pfp, please submit an issue on github. There are currently 110 test cases for the features in pfp. I am making a strong effort to have pfp be as stable and reliable as possible.

:PfpParse - parses the current buffer using the template that you choose.
:PfpInit - creates ~/.pfp with info about where your templates are stored.

Since vim is my editor of choice (and probably what hackerman uses), I wrote a vim plugin (pfp-vim) to visualize data formats using pfp: See the debugger documentation for more details. You can drop into the interactive debugger by calling Int3() anywhere in a template script.

So I wrote a template debugger using one of my favorite python modules, the cmd module (one of my other recent-favorites is the sh module): See the functions documentation for more specifics.

As I moved from simple template scripts to more complicated ones, it became increasingly difficult to debug errors in my interpreter without an 010 template debugger. The sum_numbers python function will be callable from templates as the Sum function. The main differences are that it allows control-flow statements within struct declarations, and that metadata attributes can be declared as part of a declaration:

from pfp.fields import ret=64)
def sum_numbers(params, ctxt, scope, stream, coord):

I have done my static markup and it all works fine but I am having trouble looping over the menus to generate the correct code in the dropdowns. Read more about metadata in pfp in the metadata documentation.

010 template scripts use a modified C syntax. There are the possible menu options 1) A top level only link 2) A Top Level Link with a dropdown (two levels total) 3) a top level link with a mega menu drop down (3 levels total).
Metadata extensions also exist in PFP to pack/unpack structures within compressed or encoded data. PFP has added some extensions to the standard 010 Editor special attributes (what I call metadata in pfp) to allow fields to auto-update their value based on the values of other fields. I used to think that 010 editor was only available on Windows, but I have recently found out it is available on Mac and Linux as well. The 010 editor GUI is great to do simple modifications, but it does not expose an api and does not have a way (that I know of) to auto-update length calculations, checksums, or parse compressed/encoded data. My main motivation for writing pfp was to be able to use the large number of already-existing 010 templates from python. declaring a four-byte character array will parse four bytes from the input stream and display it as a character array. Every variable that is declared (unless prefixed with const or local) parses that amount of data from the input stream. The above example will use the simple PNG template to parse a png image and change the comment, while keeping length and checksum values correct.įor those who are completely unfamiliar with 010 editor templates, 010 templates parse data by declaring variables.