petriage 0.5.0

Cross-platform PE file surface analysis tool for malware analysts
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176

use egui::{Color32, TextureHandle, Ui, Vec2};

use crate::analysis::AnalysisResult;

const ACCENT: Color32 = Color32::from_rgb(0, 210, 255);
const ACCENT_DIM: Color32 = Color32::from_rgb(0, 120, 150);
const LABEL: Color32 = Color32::from_rgb(120, 130, 150);
const BG_DARK: Color32 = Color32::from_rgb(12, 12, 24);
const BORDER: Color32 = Color32::from_rgb(40, 45, 65);

pub fn show(ui: &mut Ui, result: &AnalysisResult, icon_groups: &[(String, Vec<(String, TextureHandle)>)]) {
    let resources = match result.resources {
        Some(ref r) => r,
        None => {
            ui.colored_label(LABEL, "No resource data available. Enable 'Resources' in options and re-analyze.");
            return;
        }
    };

    ui.colored_label(ACCENT, egui::RichText::new(format!("RESOURCES ({} entries)", resources.total_entries)).size(14.0));
    ui.add_space(6.0);

    // Icons
    if !icon_groups.is_empty() {
        let id = ui.make_persistent_id("icons_header");
        egui::collapsing_header::CollapsingState::load_with_default_open(ui.ctx(), id, true)
            .show_header(ui, |ui| {
                ui.colored_label(ACCENT_DIM, egui::RichText::new("Icons").strong());
            })
            .body(|ui| {
                egui::Frame::new()
                    .fill(BG_DARK)
                    .corner_radius(egui::CornerRadius::same(4))
                    .stroke(egui::Stroke::new(0.5, BORDER))
                    .inner_margin(egui::Margin::same(8))
                    .show(ui, |ui| {
                        for (group_name, textures) in icon_groups {
                            ui.colored_label(LABEL, format!("Group {group_name}"));
                            ui.add_space(4.0);
                            ui.horizontal_wrapped(|ui| {
                                for (size_label, tex) in textures {
                                    ui.vertical(|ui| {
                                        ui.image(egui::load::SizedTexture::new(
                                            tex.id(),
                                            Vec2::new(48.0, 48.0),
                                        ));
                                        ui.colored_label(LABEL, size_label);
                                    });
                                }
                            });
                            ui.add_space(4.0);
                        }
                    });
            });
        ui.add_space(8.0);
    }

    // Version Info
    if let Some(ref ver) = resources.version_info {
        let id = ui.make_persistent_id("version_info_header");
        egui::collapsing_header::CollapsingState::load_with_default_open(ui.ctx(), id, true)
            .show_header(ui, |ui| {
                ui.colored_label(ACCENT_DIM, egui::RichText::new("Version Info").strong());
            })
            .body(|ui| {
                egui::Frame::new()
                    .fill(BG_DARK)
                    .corner_radius(egui::CornerRadius::same(4))
                    .stroke(egui::Stroke::new(0.5, BORDER))
                    .inner_margin(egui::Margin::same(8))
                    .show(ui, |ui| {
                        if let Some(ref fixed) = ver.fixed {
                            egui::Grid::new("fixed_file_info_grid")
                                .num_columns(2)
                                .spacing([16.0, 4.0])
                                .show(ui, |ui| {
                                    ui.colored_label(LABEL, "FileVersion:");
                                    ui.monospace(&fixed.file_version);
                                    ui.end_row();

                                    ui.colored_label(LABEL, "ProductVersion:");
                                    ui.monospace(&fixed.product_version);
                                    ui.end_row();

                                    ui.colored_label(LABEL, "FileType:");
                                    ui.monospace(format!("{} ({})", fixed.file_type_str, fixed.file_type));
                                    ui.end_row();

                                    ui.colored_label(LABEL, "FileOS:");
                                    ui.monospace(format!("{:#x}", fixed.file_os));
                                    ui.end_row();

                                    ui.colored_label(LABEL, "FileFlags:");
                                    ui.monospace(format!("{:#x}", fixed.file_flags));
                                    ui.end_row();
                                });
                            ui.add_space(8.0);
                        }

                        if !ver.string_info.is_empty() {
                            ui.colored_label(ACCENT_DIM, "String Info");
                            ui.add_space(4.0);
                            egui::Grid::new("string_file_info_grid")
                                .num_columns(2)
                                .spacing([16.0, 4.0])
                                .show(ui, |ui| {
                                    for s in &ver.string_info {
                                        ui.colored_label(LABEL, format!("{}:", s.key));
                                        ui.monospace(&s.value);
                                        ui.end_row();
                                    }
                                });
                        }
                    });
            });
        ui.add_space(8.0);
    }

    // Manifest
    if let Some(ref manifest) = resources.manifest {
        let id = ui.make_persistent_id("manifest_header");
        egui::collapsing_header::CollapsingState::load_with_default_open(ui.ctx(), id, false)
            .show_header(ui, |ui| {
                ui.colored_label(ACCENT_DIM, egui::RichText::new("Manifest").strong());
            })
            .body(|ui| {
                egui::Frame::new()
                    .fill(BG_DARK)
                    .corner_radius(egui::CornerRadius::same(4))
                    .stroke(egui::Stroke::new(0.5, BORDER))
                    .inner_margin(egui::Margin::same(8))
                    .show(ui, |ui| {
                        ui.monospace(manifest);
                    });
            });
        ui.add_space(8.0);
    }

    // All Entries table
    if !resources.entries.is_empty() {
        let id = ui.make_persistent_id("resource_entries_header");
        egui::collapsing_header::CollapsingState::load_with_default_open(ui.ctx(), id, true)
            .show_header(ui, |ui| {
                ui.colored_label(ACCENT_DIM, egui::RichText::new("All Entries").strong());
            })
            .body(|ui| {
                use egui_extras::{TableBuilder, Column};
                TableBuilder::new(ui)
                    .striped(true)
                    .resizable(true)
                    .cell_layout(egui::Layout::left_to_right(egui::Align::Center))
                    .column(Column::auto().at_least(120.0))  // Type
                    .column(Column::auto().at_least(100.0))  // Name
                    .column(Column::auto().at_least(80.0))   // Language
                    .column(Column::auto().at_least(70.0))   // Size
                    .column(Column::auto().at_least(100.0))  // RVA
                    .header(20.0, |mut header| {
                        header.col(|ui| { ui.colored_label(ACCENT_DIM, "Type"); });
                        header.col(|ui| { ui.colored_label(ACCENT_DIM, "Name"); });
                        header.col(|ui| { ui.colored_label(ACCENT_DIM, "Language"); });
                        header.col(|ui| { ui.colored_label(ACCENT_DIM, "Size"); });
                        header.col(|ui| { ui.colored_label(ACCENT_DIM, "RVA"); });
                    })
                    .body(|body| {
                        body.rows(18.0, resources.entries.len(), |mut row| {
                            let entry = &resources.entries[row.index()];
                            row.col(|ui| { ui.monospace(&entry.resource_type); });
                            row.col(|ui| { ui.monospace(&entry.name); });
                            row.col(|ui| { ui.monospace(&entry.language_str); });
                            row.col(|ui| { ui.monospace(format!("{}", entry.size)); });
                            row.col(|ui| { ui.monospace(format!("{:#x}", entry.rva)); });
                        });
                    });
            });
    }
}