This repository has been archived by the owner on Aug 24, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 28
/
Copy pathdumpext.conf
172 lines (142 loc) · 6.83 KB
/
dumpext.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
[optional_header]
; Entry point rva
;AddressOfEntryPoint
; Base of code rva
;BaseOfCode
; Base of data rva (PE32 files only)
;BaseOfData
; Parameters in this section enable setting of PE directories rvas and sizes.
; Each parameter has a form of <DirName>.rva or <DirName>.size where DirName
; name specifies PE directory to be modified. The following names are recognized:
; ExportTab, ImportTab, ResourceTab, ExceptionTab, CertificateTab, BaseRelocTab,
; Debug, Architecture, GlobalPtr, TLSTab, LoadConfigTab, BoundImportTab, IAT,
; DelayImportDesc, CLRRuntimeHeader.
[directories]
; Determines destination rva of the fixed IDT table patch. "after_iat" string
; has a special meaning - IDT shall be located just after the IAT table. If not
; specified the fixed IDT's rva is taken from the PE header.
;ImportTab.rva
; Determines destination rva of the fixed resources. If not specified the fixed
; resources rva is taken from the PE header. Shall be used only if the fixed
; resources need to be located in other place than the original one.
;ResourceTab.rva
; IAT.rva and IAT.size may be set to 0 to prevent the import patching routine
; from updating the IAT directory with the calculated values and set zeros -
; it's often the case in PE files.
;IAT.rva = 0
;IAT.size = 0
[sections]
; There is possible to trim some sections from a tail of the section table by
; setting this parameter to the number of sections to remove. This is especially
; useful for discarding unnecessary sections used by a PE packer.
;RemoveTrailingSections
; Global configuration (related to all sections)
;SizeOfRawData = vsize|auto
; Changed name of the section number n (n: 1-based decimal)
;<n>.Name
; Changed characteristics of the section number n
;<n>.Characteristics
; Section's virtual size
;<n>.VirtualSize
; Section's rva. Use with care only for newly added sections!
;<n>.VirtualAddress
; Raw file size. Special values are:
; "vsize": the same size as for VirtualSize
; "auto": raw size auto detection by truncating trailing zeros at the end of
; section's memory. May be used only for sections dumped from memory.
; Use with care for section being moved or extended!
; To remove a given section set its raw and virtual size to 0.
;<n>.SizeOfRawData
; Specifies content of the section number n in the dumped output file. One of:
; "memory": Section will be dumped from memory (default)
; "zeros": Zero filled
; "file: content_file_path": Specifies a file with a section's content. For this
; type of sections, if VirtualSize and SizeOfRawData are not specified
; they are deduced from the file's length.
;<n>.DumpedContent
[dump_pe]
; Output dump file name (default: dump.out)
;OutFile
; Control PE CRC update
; "no": don't set crc (zero will be written)
; "as_original": crc is set only if the original file has also it set (default)
; "always": always set PE checksum
;SetCrc
; If 1: the dump will save original content between PE headers and the beginning
; of PE file content (sections data). In most cases the space is not used (except
; the bound imports description, which is handled in other way - see BindImports
; option) and is filled with zeroes to the upper round of FileAlignment value.
; If 0: the space is not saved (filled with zeroes) - the default.
;SaveHeaderSpace
; Control bound imports update
; "no": don't bind imports
; "as_original": bind if the original file has also bound imports (default)
; "always": always bind imports
;BindImports
; The section contains parameters controlling imports recovery process (imports
; to recover are specified in the [imports] section).
[imports_fix]
; If 1: names of modules and imported procs are not padded by zeros to the even
; length. The PE specification states always to pad, but some compilers do not
; follow the rule. Default: 0.
;NoPaddNames
; If 1: ILTs will not be set for restored imports directory. Only the IATs will
; be written. Some compilers (e.g. Delphi) never sets ILTs in their binaries.
; Default: 0.
;NoILTs
; If the parameter is provided, the IDT table (pointed by the ImportTab directory
; entry) will be followed during imports recovery. The Hint/Name table will be
; stored at the place provided by the parameter. Fixed modules names will also
; be part of the H/N table unless the FollowIDT.NameTab.rva states otherwise.
; NOTE: The parameter must be used only if a packer doesn't destroy the IDT.
; The "dump_search idt" command should be used to check these circumstances.
; The command provides suggestions for settings of FollowIDT.HintNameTab.rva,
; FollowIDT.NameTab.rva, NoPaddNames and NoILTs parameters.
;FollowIDT.HintNameTab.rva
; Provides a place for storing fixed modules names other than in the Hint/Name
; table. The parameter is valid only if FollowIDT.HintNameTab.rva is also
; provided. Use "dump_search idt" command to get proper value for this parameter.
;FollowIDT.NameTab.rva
; The section provides hints for the resolving routine how to resolve importing
; modules in (rather rare) case, when the routine cannot do it by itself, due to
; some weird imports forwarding issues.
[mod_conflicts_reslv]
; assume than n'th importing module is 'lib.dll'
;<n> = lib.dll
; Imports specification describing imports to be patched in the recovered file
[imports]
; n'th module name (file name + extension)
;<n> = lib.dll
; IAT rva of n'th module.
;<n>.iat_rva
; m'th imported proc of n'th module
;<n>.<m> = proc_name
;<n>.<m> = #ord_num
[rsrc_fix]
; Specifies if the recovery process will be performed on the resources during
; the dumping process. The recovery process should be performed only for packers
; modifying the resources by scattering them into many memory locations. The
; "dump_pe_info rsrc -C" command may be used to detect this situation. The
; remaining parameters in this sections are read, only if recovery process is
; performed.
; "no": no resources recovery (default)
; "yes": resources recovery
; "detect": resources recovery only if resources scattering is detected
;RecoverRsrc
; Specifies rva of the resources directory to be read as the source during the
; fixing process. If not specified the source and destination of the fixed
; resources are the same (which is the most common use case). The parameter
; shall be used only if the fixed resources need to be located in other place
; than the original one.
;ResourceTab.rva
; Padding of resources elements. One of:
; "no": no padding
; "word": 2-bytes padding
; "dword": 4-bytes padding
; "auto": select from above to fit in resource directory size (default).
;PaddRsrc
; File used during resource fixing for temporarily storing recovered resources
; (default: "TMP_DIR/$rsrc.tmp").
;TmpRsrcFile
; If 1: keep temporary file after resource recovery process (default: 0).
;KeepTmpRsrcFile