Epic: v0.2 - PE Resources, Symbol Demangling & Import/Export Enhancement

[unclesp1d3r]

Overview

Version 0.2 aims to significantly enhance Stringy's capability to extract meaningful strings from binaries by adding three critical features that complement the existing format detection and section parsing infrastructure.

Goals

This epic tracks the implementation of three interconnected features that will make Stringy more effective at extracting actionable intelligence from binaries:

1. PE Resources Extraction

Context: Windows PE executables contain resource sections with rich metadata including version info, manifests, dialog boxes, menus, and embedded strings that are currently not being extracted.

Proposed Solution:

• Extend the PE container parser (src/container/pe.rs) to parse resource directories
• Extract strings from:
  • Version information (product name, company, file description)
  • Manifest files (embedded XML)
  • String tables (STRINGTABLE resources)
  • Dialog and menu definitions
• Tag extracted strings with pe-resource, version-info, manifest semantic tags
• Assign high scores to version/manifest strings (they're highly relevant)

Acceptance Criteria:

• Parse PE resource directory structure
• Extract version info fields (FileDescription, ProductName, CompanyName, etc.)
• Extract manifest XML strings
• Handle STRINGTABLE resources
• Add appropriate semantic tagging
• Include resource strings in scoring/ranking system

---

2. Rust Symbol Demangling

Context: The project already has rustc-demangle as a dependency and mentions Rust demangling in the README, but full integration into the extraction pipeline is needed.

Proposed Solution:

• Integrate rustc-demangle into the symbol processing pipeline
• Demangle Rust symbols found in:
  • Import/export tables
  • Symbol tables (.symtab, .dynsym for ELF)
  • Debug sections (if present)
• Store both mangled and demangled versions for context
• Add rust-symbol semantic tag
• Prioritize demangled symbols in ranking (more human-readable = more useful)

Acceptance Criteria:

• Detect Rust mangled symbols (_ZN prefix pattern)
• Apply rustc-demangle to detected symbols
• Include demangled names in output alongside mangled versions
• Add semantic tagging for Rust symbols
• Update scoring to favor demangled symbols
• Handle demangle failures gracefully

---

3. Import/Export Names Enhancement

Context: The container parsers already extract import/export symbols (foundation exists), but they need to be fully integrated into the string extraction and ranking pipeline.

Proposed Solution:

• Complete integration of import/export extraction across all formats:
  • ELF: .dynsym, .symtab sections
  • PE: Import Directory Table, Export Address Table
  • Mach-O: LC_DYLD_INFO_ONLY, symbol table
• Add semantic classification:
  • Tag with import, export, symbol-name
  • Detect API categories (crypto, network, file I/O)
  • Identify suspicious or high-value API calls
• Integrate into ranking system with adjustable scores
• Support filtering by import/export in CLI

Acceptance Criteria:

• Extract import names from all three binary formats
• Extract export names from all three binary formats
• Add semantic tags for symbol types and API categories
• Integrate into main string extraction pipeline
• Include in scoring/ranking algorithm
• Add CLI flags: --imports, --exports, --symbols
• Test with real-world binaries (ELF, PE, Mach-O)

---

Dependencies

• goblin: Already in use for binary format parsing
• rustc-demangle: Already in dependencies
• No new external dependencies required

Implementation Order

Recommended sequence to minimize integration complexity:

1. Import/Export Enhancement (foundational) - builds on existing container parsers
2. Rust Symbol Demangling (depends on Implement Intelligent ELF Section Classification for Targeted String Extraction #1) - enhances symbol processing
3. PE Resources (independent) - can be developed in parallel

Testing Strategy

• Unit tests for each parser component
• Integration tests with real-world binaries:
  • Windows executables with resources (e.g., notepad.exe, calc.exe)
  • Rust binaries (cargo-built executables)
  • Stripped and unstripped ELF/Mach-O binaries
• Regression tests to ensure existing functionality remains intact

Success Metrics

• PE resource strings successfully extracted from Windows executables
• Rust symbols properly demangled and categorized
• Import/export tables fully integrated across all formats
• No performance degradation on large binaries
• Improved signal-to-noise ratio in output

Related Documentation

• Binary Formats
• Architecture
• String Extraction

[unclesp1d3r]

@coderabbitai Enhance this issue body with additional context and a proposed solution. Improve the issue title and assign the proper labels and other metadata.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Fetch details of issue #40
gh issue view 40 --json title,body,labels,assignees,state,number,url

Length of output: 206

---

🏁 Script executed:

#!/bin/bash
# Read README to understand the project
cat README.md

# Check if there's any existing documentation about these features
fd -e md . | head -20

# Look for any existing code related to these features
rg -l "demangl|PE|import|export" --type rust | head -10

Length of output: 6511

---

🏁 Script executed:

#!/bin/bash
# Update issue #40 with enhanced content

gh issue edit 40 \
  --title "Epic: v0.2 - PE Resources, Symbol Demangling & Import/Export Enhancement" \
  --body "## Overview

Version 0.2 aims to significantly enhance Stringy's capability to extract meaningful strings from binaries by adding three critical features that complement the existing format detection and section parsing infrastructure.

## Goals

This epic tracks the implementation of three interconnected features that will make Stringy more effective at extracting actionable intelligence from binaries:

### 1. PE Resources Extraction

**Context**: Windows PE executables contain resource sections with rich metadata including version info, manifests, dialog boxes, menus, and embedded strings that are currently not being extracted.

**Proposed Solution**:
- Extend the PE container parser (\`src/container/pe.rs\`) to parse resource directories
- Extract strings from:
  - Version information (product name, company, file description)
  - Manifest files (embedded XML)
  - String tables (STRINGTABLE resources)
  - Dialog and menu definitions
- Tag extracted strings with \`pe-resource\`, \`version-info\`, \`manifest\` semantic tags
- Assign high scores to version/manifest strings (they're highly relevant)

**Acceptance Criteria**:
- [ ] Parse PE resource directory structure
- [ ] Extract version info fields (FileDescription, ProductName, CompanyName, etc.)
- [ ] Extract manifest XML strings
- [ ] Handle STRINGTABLE resources
- [ ] Add appropriate semantic tagging
- [ ] Include resource strings in scoring/ranking system

---

### 2. Rust Symbol Demangling

**Context**: The project already has \`rustc-demangle\` as a dependency and mentions Rust demangling in the README, but full integration into the extraction pipeline is needed.

**Proposed Solution**:
- Integrate \`rustc-demangle\` into the symbol processing pipeline
- Demangle Rust symbols found in:
  - Import/export tables
  - Symbol tables (.symtab, .dynsym for ELF)
  - Debug sections (if present)
- Store both mangled and demangled versions for context
- Add \`rust-symbol\` semantic tag
- Prioritize demangled symbols in ranking (more human-readable = more useful)

**Acceptance Criteria**:
- [ ] Detect Rust mangled symbols (\_ZN prefix pattern)
- [ ] Apply rustc-demangle to detected symbols
- [ ] Include demangled names in output alongside mangled versions
- [ ] Add semantic tagging for Rust symbols
- [ ] Update scoring to favor demangled symbols
- [ ] Handle demangle failures gracefully

---

### 3. Import/Export Names Enhancement

**Context**: The container parsers already extract import/export symbols (foundation exists), but they need to be fully integrated into the string extraction and ranking pipeline.

**Proposed Solution**:
- Complete integration of import/export extraction across all formats:
  - ELF: .dynsym, .symtab sections
  - PE: Import Directory Table, Export Address Table
  - Mach-O: LC_DYLD_INFO_ONLY, symbol table
- Add semantic classification:
  - Tag with \`import\`, \`export\`, \`symbol-name\`
  - Detect API categories (crypto, network, file I/O)
  - Identify suspicious or high-value API calls
- Integrate into ranking system with adjustable scores
- Support filtering by import/export in CLI

**Acceptance Criteria**:
- [ ] Extract import names from all three binary formats
- [ ] Extract export names from all three binary formats
- [ ] Add semantic tags for symbol types and API categories
- [ ] Integrate into main string extraction pipeline
- [ ] Include in scoring/ranking algorithm
- [ ] Add CLI flags: \`--imports\`, \`--exports\`, \`--symbols\`
- [ ] Test with real-world binaries (ELF, PE, Mach-O)

---

## Dependencies

- **goblin**: Already in use for binary format parsing
- **rustc-demangle**: Already in dependencies
- **No new external dependencies required**

## Implementation Order

Recommended sequence to minimize integration complexity:

1. **Import/Export Enhancement** (foundational) - builds on existing container parsers
2. **Rust Symbol Demangling** (depends on #1) - enhances symbol processing
3. **PE Resources** (independent) - can be developed in parallel

## Testing Strategy

- Unit tests for each parser component
- Integration tests with real-world binaries:
  - Windows executables with resources (e.g., notepad.exe, calc.exe)
  - Rust binaries (cargo-built executables)
  - Stripped and unstripped ELF/Mach-O binaries
- Regression tests to ensure existing functionality remains intact

## Success Metrics

- PE resource strings successfully extracted from Windows executables
- Rust symbols properly demangled and categorized
- Import/export tables fully integrated across all formats
- No performance degradation on large binaries
- Improved signal-to-noise ratio in output

## Related Documentation

- [Binary Formats](https://github.com/EvilBit-Labs/StringyMcStringFace/blob/main/docs/src/binary-formats.md)
- [Architecture](https://github.com/EvilBit-Labs/StringyMcStringFace/blob/main/docs/src/architecture.md)
- [String Extraction](https://github.com/EvilBit-Labs/StringyMcStringFace/blob/main/docs/src/string-extraction.md)"

# Add labels
gh issue edit 40 --add-label "enhancement,epic"

# Assign to unclesp1d3r as requested
gh issue edit 40 --add-assignee "unclesp1d3r"

echo "Issue #40 has been successfully enhanced!"

Length of output: 228

---

@unclesp1d3r I've successfully enhanced issue #40! Here's what was updated:

Changes Made:

✅ Improved Title:

• From: Epic: v0.2
• To: Epic: v0.2 - PE Resources, Symbol Demangling & Import/Export Enhancement

✅ Enhanced Body with:

• Overview explaining the v0.2 goals
• Three detailed feature sections with:
  • Context explaining why each feature matters
  • Proposed solutions with technical details
  • Acceptance criteria checklists for tracking progress
• Dependencies section (no new deps needed!)
• Implementation order (Import/Export → Rust Demangling → PE Resources)
• Testing strategy with real-world binary examples
• Success metrics to measure completion
• Links to related documentation

✅ Labels Added: enhancement, epic

✅ Assigned to: unclesp1d3r

The issue now provides clear context about how these features build on StringyMcStringFace's existing infrastructure and why they're important for v0.2. Each feature has actionable acceptance criteria that can be tracked as the work progresses.

You can view the updated issue here: #40