       grokevt-ripdll - A tool for extracting message resources from a PE-formatted file.


       grokevt-ripdll input-dll output-db


       grokevt-ripdll parses a PE-formatted file (modern .exe and .dll files are examples of
       PE-formatted files) and extracts all message resources. These resources are then stored
       in a Berkeley-style database file, which maps relative virtual addresses (RVAs) to the
       message resources themselves. These RVAs are what can be found in a Windows event log
       file (.evt extension) to reference the proper message resource. This utility is not
       intended to be used directly by end-users. It is used by grokevt-builddb(1) to extract
       resources from all DLL/EXEs referenced in the registry.
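
An added example, not grokevt's own code: a minimal Python parser for the message-table resource (RT_MESSAGETABLE) layout that has to be walked once the resource has been located in the PE file, with bounds checks for malformed input. The function names and sample strings are constructed, a plain dict stands in for the database file, cp1252 is assumed for non-Unicode entries, and the numeric key is the identifier stored in the table, assumed here to play the role of the value this page calls an RVA.

```python
import struct

def parse_message_table(blob):
    """Return {identifier: text} from a raw RT_MESSAGETABLE resource blob."""
    if len(blob) < 4:
        raise ValueError("truncated message table")
    (nblocks,) = struct.unpack_from("<I", blob, 0)
    if 4 + nblocks * 12 > len(blob):
        raise ValueError("block count exceeds resource size")
    messages = {}
    for i in range(nblocks):
        # Each block covers identifiers low..high, stored back to back at `off`.
        low, high, off = struct.unpack_from("<III", blob, 4 + i * 12)
        if high < low:
            raise ValueError("inverted identifier range")
        for ident in range(low, high + 1):
            # Every entry must fit inside the blob, so a hostile range
            # cannot loop further than the data actually present.
            if off + 4 > len(blob):
                raise ValueError("entry header outside resource")
            length, flags = struct.unpack_from("<HH", blob, off)
            if length < 4 or off + length > len(blob):
                raise ValueError("entry length outside resource")
            # Flag bit 1 = Unicode text; cp1252 for ANSI is an assumption.
            codec = "utf-16-le" if flags & 1 else "cp1252"
            text = blob[off + 4:off + length].decode(codec, "replace")
            messages[ident] = text.rstrip("\x00")  # drop NUL padding
            off += length
    return messages

def _entry(text, wide):
    """Build one constructed entry: length, flags, NUL-padded text."""
    data = text.encode("utf-16-le" if wide else "cp1252")
    data += b"\x00" * (2 if wide else 1)
    data += b"\x00" * (-(len(data) + 4) % 4)  # pad entry to 4 bytes
    return struct.pack("<HH", len(data) + 4, 1 if wide else 0) + data

def build_sample():
    """Constructed sample: one block, identifiers 0x1000 and 0x1001."""
    header = struct.pack("<I", 1) + struct.pack("<III", 0x1000, 0x1001, 16)
    return (header
            + _entry("The %1 service entered the %2 state.\r\n", True)
            + _entry("Logon failure for %1.\r\n", False))

if __name__ == "__main__":
    for ident, text in sorted(parse_message_table(build_sample()).items()):
        print(hex(ident), repr(text))
```
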


       input-dll
              This is the PE-formatted file to extract resources from. (It doesn't need to have a
              .dll extension, but it is most commonly used on DLLs.)

       output-db
              The database file to store the RVA->message mapping in. If this file already
              exists, it will be overwritten. To extract the entries stored in this database,
              see grokevt-dumpmsgs(1).


       Probably a few. This script has not been extensively tested with some guest platforms or
       with non-English systems.

       The documentation used as a reference for PE-formatted files was not complete or not
       completely accurate in places. Much guess-and-check took place.


       Original PE header code borrowed from the pymavis project.  For more information, see:


       Message resource parsing added by Timothy D. Morgan.


