Support extended PE section names

[not-wlan]

An issue I see with a lot of PE parsers is that section names that go beyond 8 characters aren't supported. Both LLVM and MinGW make use of this feature. What it boils down to is that the section name references an entry in the string table.

Comparison of the same file in IDA Pro, CFF Explorer and pe_tree. You'll notice that while IDA Pro doesn't detect all sections, pe_tree doesn't decode the section name of .eh_frame

You can generate a sample file to test on by simply compiling a demo C application with MinGW:

#include <stdio.h>

int main(int argc, char** argv) {
	printf("This program received %d argument(s): \n", argc);

	for(int i = 0; i < argc; i++) {
		printf(" - %s\n", argv[i]);
	}
	
	return 0;
}

The relevant implementation of the encoding can be found here:

https://github.com/llvm-mirror/llvm/blob/af7b1832a03ab6486c42a40d21695b2c03b2d8a3/lib/Object/COFFObjectFile.cpp#L1054

A sample implementation of the decoding process can be found in the goblin library:

https://github.com/m4b/goblin/blob/master/src/pe/section_table.rs#L82

[tombonner]

I will get that implemented, thanks for reporting!

[blaquee]

Ah yea, this is common for mingw compiled PE files, the string table is used to store names of sections (usually the names prepended with '/' character and a number. Also an implementation here:
blaquee/x64dbg@e1c45f1#diff-02407744a9b0b7d0b579cf4edeceb5f9R81

But @not-wlan has provided enough info, I just happened to notice this also. Good work btw @tombonner !

[tombonner]

@blaquee Thanks!

Quick update...

It seems there is a similar request open for pefile (which pe_tree leverages to parse PE files):

erocarrera/pefile#290

I will have a think about how best to handle PE files with DWARF sections, as it would be great to dump more of the internal structures as well as fully resolving section names.