Add pelite dependency for PE resource extraction (VERSIONINFO, STRINGTABLE)

[unclesp1d3r]

Summary

Implement structured extraction of PE resources, specifically VERSIONINFO and STRINGTABLE data, which contain rich metadata and user-facing strings often crucial for malware analysis, software identification, and reverse engineering workflows.

Background & Context

Windows PE (Portable Executable) binaries embed structured resources in the .rsrc section containing valuable string data:

• VERSIONINFO: File metadata including ProductName, FileDescription, CompanyName, LegalCopyright, FileVersion, and ProductVersion
• STRINGTABLE: Localized UI strings, error messages, and application text
• Other resources: Dialog templates, menus, and accelerator tables (future work)

While the current implementation uses goblin for PE parsing, its resource section support is limited to raw byte access. The pelite crate provides a pure Rust PE parser with comprehensive resource parsing capabilities, making structured extraction straightforward.

Implementation Plan

Phase 1: Foundation (This Issue)

1. Add pelite dependency to Cargo.toml

   • Version: Latest stable (0.10.x recommended)
   • Evaluate if pelite should replace or complement goblin

2. Create resource extraction module at src/extraction/pe_resources.rs

   • Define resource types enum (VersionInfo, StringTable, etc.)
   • Implement resource enumeration using pelite's resource directory walker
   • Add error handling for malformed resource sections

3. Extend existing types in src/types.rs

   • Add ResourceMetadata struct for VERSIONINFO fields
   • Add ResourceStringTable struct for STRINGTABLE entries
   • Extend FoundString to include resource context

4. Integration with PE parser (src/container/pe.rs)

   • Add resource section parsing to PeParser::parse()
   • Populate ContainerInfo with resource metadata
   • Ensure existing section classification still works

Phase 2: Resource Extraction (Follow-up)

• Implement VERSIONINFO extraction with key-value pair parsing
• Implement STRINGTABLE extraction with locale handling
• Add Unicode and ANSI string decoding for resource data
• Map extracted strings to FoundString with StringSource::ResourceString

Phase 3: Testing & Documentation (Follow-up)

• Unit tests with sample PE resource data
• Integration tests with real-world PE binaries
• Document resource extraction architecture
• Add examples to README

Technical Considerations

• Dual parser strategy: Consider using pelite specifically for resource extraction while keeping goblin for section/import/export parsing
• Performance: Resource parsing should be optional via CLI flag (e.g., --extract-resources)
• Malformed binaries: Gracefully handle corrupted resource directories (common in packed/obfuscated malware)
• Memory safety: pelite operates on byte slices; ensure proper bounds checking

Success Criteria

• pelite dependency added and compiling
• Basic resource enumeration working for .rsrc section
• Framework for VERSIONINFO and STRINGTABLE extraction in place
• No regressions in existing PE parsing functionality
• Unit tests covering resource enumeration edge cases

References

• pelite documentation: https://docs.rs/pelite/
• PE resource format: https://learn.microsoft.com/en-us/windows/win32/menurc/resource-file-formats
• Existing resource section classification: src/container/pe.rs:50 (SectionType::Resources)

Related Work

• Milestone: v0.1 (MVP)
• Depends on: Existing PE parser infrastructure
• Enables: Future work on dialog/menu resource parsing, icon extraction

@traycerai branch:3-implement-pe-section-classification-and-importexport-table-parsing

[unclesp1d3r]

@coderabbitai Enhance this issue body with additional context and a proposed solution. Improve the issue title and assign the proper labels and other metadata.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Fetch details of issue #4
gh issue view 4 --json title,body,labels,assignees,milestone,state,url

Length of output: 1306

---

🏁 Script executed:

#!/bin/bash
# Find the Cargo.toml to understand project structure
fd -t f "Cargo.toml" --exec cat {}

echo "---SEPARATOR---"

# Look for existing analyzer code
fd -e rs -t f . | head -20

echo "---SEPARATOR---"

# Search for any existing PE or resource related code
rg -n "pe|resource|extract" --type rust -C 2 || echo "No existing PE/resource code found"

Length of output: 30820

---

🏁 Script executed:

#!/bin/bash
# Update the issue with enhanced context and proposed solution
gh issue edit 4 \
  --title "Add pelite dependency for PE resource extraction (VERSIONINFO, STRINGTABLE)" \
  --body "## Summary

Implement structured extraction of PE resources, specifically VERSIONINFO and STRINGTABLE data, which contain rich metadata and user-facing strings often crucial for malware analysis, software identification, and reverse engineering workflows.

## Background & Context

Windows PE (Portable Executable) binaries embed structured resources in the \`.rsrc\` section containing valuable string data:

- **VERSIONINFO**: File metadata including ProductName, FileDescription, CompanyName, LegalCopyright, FileVersion, and ProductVersion
- **STRINGTABLE**: Localized UI strings, error messages, and application text
- **Other resources**: Dialog templates, menus, and accelerator tables (future work)

While the current implementation uses \`goblin\` for PE parsing, its resource section support is limited to raw byte access. The \`pelite\` crate provides a pure Rust PE parser with comprehensive resource parsing capabilities, making structured extraction straightforward.

## Implementation Plan

### Phase 1: Foundation (This Issue)
1. **Add pelite dependency** to \`Cargo.toml\`
   - Version: Latest stable (0.10.x recommended)
   - Evaluate if pelite should replace or complement goblin

2. **Create resource extraction module** at \`src/extraction/pe_resources.rs\`
   - Define resource types enum (VersionInfo, StringTable, etc.)
   - Implement resource enumeration using pelite's resource directory walker
   - Add error handling for malformed resource sections

3. **Extend existing types** in \`src/types.rs\`
   - Add \`ResourceMetadata\` struct for VERSIONINFO fields
   - Add \`ResourceStringTable\` struct for STRINGTABLE entries
   - Extend \`FoundString\` to include resource context

4. **Integration with PE parser** (\`src/container/pe.rs\`)
   - Add resource section parsing to \`PeParser::parse()\`
   - Populate \`ContainerInfo\` with resource metadata
   - Ensure existing section classification still works

### Phase 2: Resource Extraction (Follow-up)
- Implement VERSIONINFO extraction with key-value pair parsing
- Implement STRINGTABLE extraction with locale handling
- Add Unicode and ANSI string decoding for resource data
- Map extracted strings to \`FoundString\` with \`StringSource::ResourceString\`

### Phase 3: Testing & Documentation (Follow-up)
- Unit tests with sample PE resource data
- Integration tests with real-world PE binaries
- Document resource extraction architecture
- Add examples to README

## Technical Considerations

- **Dual parser strategy**: Consider using pelite specifically for resource extraction while keeping goblin for section/import/export parsing
- **Performance**: Resource parsing should be optional via CLI flag (e.g., \`--extract-resources\`)
- **Malformed binaries**: Gracefully handle corrupted resource directories (common in packed/obfuscated malware)
- **Memory safety**: pelite operates on byte slices; ensure proper bounds checking

## Success Criteria

- [ ] pelite dependency added and compiling
- [ ] Basic resource enumeration working for .rsrc section
- [ ] Framework for VERSIONINFO and STRINGTABLE extraction in place
- [ ] No regressions in existing PE parsing functionality
- [ ] Unit tests covering resource enumeration edge cases

## References

- pelite documentation: https://docs.rs/pelite/
- PE resource format: https://learn.microsoft.com/en-us/windows/win32/menurc/resource-file-formats
- Existing resource section classification: \`src/container/pe.rs:50\` (\`SectionType::Resources\`)

## Related Work

- Milestone: v0.1 (MVP)
- Depends on: Existing PE parser infrastructure
- Enables: Future work on dialog/menu resource parsing, icon extraction" \
  --add-label "priority:medium"

echo "Issue updated successfully"

Length of output: 87

---

@unclesp1d3r I've successfully enhanced issue #4 with the following improvements:

✅ Changes Made

Title Updated:

• Old: "PE Resource Extraction Foundation"
• New: "Add pelite dependency for PE resource extraction (VERSIONINFO, STRINGTABLE)"
• More specific about what resources are being targeted

Enhanced Body Includes:

• Background & Context: Explains what PE resources are and why VERSIONINFO/STRINGTABLE matter for malware analysis and reverse engineering
• Implementation Plan: Three-phase approach covering foundation, extraction, and testing
• Technical Considerations: Dual parser strategy, performance, malformed binary handling
• Success Criteria: Clear checklist of deliverables
• References: Links to pelite docs, Microsoft PE format specs, and existing codebase

Metadata:

• ✅ Added priority:medium label
• ✅ Kept existing labels (area:analyzer, type:enhancement, status:backlog, lang:rust, needs:tests)
• ✅ Maintained assignment to you
• ✅ Kept v0.1 milestone

The issue now provides clear context for contributors about why pelite is needed over goblin for resource extraction, and offers a concrete implementation roadmap that integrates with your existing architecture in src/container/pe.rs.

/\_/\

( o.o )
> ^ < thoughtful rabbit

[unclesp1d3r]

@traycerai generate