Provided by: grokevt_0.5.0-4_all 
NAME
grokevt-ripdll - A tool for extracting message resources from a PE-formatted file.
SYNOPSIS
grokevt-ripdll input-dll output-db
DESCRIPTION
grokevt-ripdll parses a PE-formatted file (modern .exe and .dll files are examples PE-formatted files)
and extracts all message resources. These resources are then stored in a Berkeley-style database file,
which maps relative virtual addresses (RVAs) to the message resources themselves. These RVAs are what can
be found in a windows event log file (.evt extension) to reference the proper message resource. This
utility is not intended to be used directly by end-users. It is used by grokevt-builddb(1) to extract
resources from all DLL/EXEs referenced in the registry.
ARGUMENTS
input-dll
This is the PE formatted file to extract resources from. (It doesn't need to have a .dll
extension, but it is most commonly used on DLLs.)
output-db
The database file to store the RVA->message mapping in. If this file already exists, it will be
overwritten. To extract the entries stored in this database, see grokevt-dumpmsgs(1).
BUGS
Probably a few. This script has not been extensively tested with some guest platforms or with non-english
systems.
The documentation used as a reference for PE formatted files was not complete or not completely accurate
in places. Much guess-and-check took place.
CREDITS
Original PE header code borrowed from the pymavis project. For more information, see:
http://www.mplayerhq.hu/~arpi/pymavis/
Message resource parsing added by Timothy D. Morgan.
LICENSE
Please see the file "LICENSE" included with this software distribution.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even
the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
License version 3 for more details.
SEE ALSO
grokevt(7) grokevt-addlog(1) grokevt-builddb(1) grokevt-dumpmsgs(1) grokevt-findlogs(1) grokevt-
parselog(1)