
add ability to parse OriginalFilename #350

Open
Tracked by #434
theflakes opened this issue Dec 23, 2022 · 3 comments

Comments

@theflakes

MS doc: https://learn.microsoft.com/en-us/windows/win32/menurc/string-str?redirectedfrom=MSDN
Yara rule support for field: https://yara.readthedocs.io/en/v3.2.0/modules/pe.html

This is a useful field in threat hunting and forensics in general.

thanks

@m4b
Owner

m4b commented Jan 1, 2023

Seems reasonable to me, would you like to make a PR adding this? (ideally backwards compatible/non breaking) :)

@theflakes
Author

I can try at some point, but it's beyond my capabilities unfortunately. When I get some more time, I'll keep digging into it. Thanks

@kkent030315
Contributor

FYI I'm working on this feature as a part of the resource parser. The work is almost done and a PR should be submitted in a few days, I guess.

DEBUG - Found in section .rsrc(4), remapped into offset 0x7ffb0
DEBUG - resource_data data: Some(
    VersionInfo {
        data: [78, 03, 34, 00, 00, 00, 56, 00, 53, 00, 5f, 00, 56, 00, 45, 00, 52, 00, 53, 00, 49, 00, 4f, 00, 4e, 00, 5f, 00, 49, 00, 4e, 00, 46, 00, 4f, 00, 00, 00, 00, 00, bd, 04, ef, fe, 00, 00, 01, 00, 0b, 00, 03, 00, 00, 00, 4e, 0c, 0b, 00, 03, 00, 00, 00, 4e, 0c, 3f, 00, 00, 00, 00, 00, 00, 00, 04, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, d8, 02, 00, 00, 00, 00, 53, 00, 74, 00, 72, 00, 69, 00, 6e, 00, 67, 00, 46, 00, 69, 00, 6c, 00, 65, 00, 49, 00, 6e, 00, 66, 00, 6f, 00, 00, 00, b4, 02, 00, 00, 00, 00, 30, 00, 34, 00, 30, 00, 39, 00, 30, 00, 34, 00, 45, 00, 34, 00, 00, 00, 58, 00, 36, 00, 00, 00, 43, 00, 6f, 00, 6d, 00, 70, 00, 61, 00, 6e, 00, 79, 00, 4e, 00, 61, 00, 6d, 00, 65, 00, 00, 00, 00, 00, 50, 00, 79, 00, 74, 00, 68, 00, 6f, 00, 6e, 00, 20, 00, 53, 00, 6f, 00, 66, 00, 74, 00, 77, 00, 61, 00, 72, 00, 65, 00, 20, 00, 46, 00, 6f, 00, 75, 00, 6e, 00, 64, 00, 61, 00, 74, 00, 69, 00, 6f, 00, 6e, 00, 00, 00, 00, 00, 58, 00, 2e, 00, 00, 00, 46, 00, 69, 00, 6c, 00, 65, 00, 44, 00, 65, 00, 73, 00, 63, 00, 72, 00, 69, 00, 70, 00, 74, 00, 69, 00, 6f, 00, 6e, 00, 00, 00, 00, 00, 50, 00, 79, 00, 74, 00, 68, 00, 6f, 00, 6e, 00, 20, 00, 33, 00, 2e, 00, 31, 00, 31, 00, 2e, 00, 33, 00, 20, 00, 28, 00, 36, 00, 34, 00, 2d, 00, 62, 00, 69, 00, 74, 00, 29, 00, 00, 00, 00, 00, 38, 00, 18, 00, 00, 00, 46, 00, 69, 00, 6c, 00, 65, 00, 56, 00, 65, 00, 72, 00, 73, 00, 69, 00, 6f, 00, 6e, 00, 00, 00, 00, 00, 33, 00, 2e, 00, 31, 00, 31, 00, 2e, 00, 33, 00, 31, 00, 35, 00, 30, 00, 2e, 00, 30, 00, 00, 00, 2c, 00, 06, 00, 01, 00, 49, 00, 6e, 00, 74, 00, 65, 00, 72, 00, 6e, 00, 61, 00, 6c, 00, 4e, 00, 61, 00, 6d, 00, 65, 00, 00, 00, 73, 00, 65, 00, 74, 00, 75, 00, 70, 00, 00, 00, a4, 00, 7e, 00, 00, 00, 4c, 00, 65, 00, 67, 00, 61, 00, 6c, 00, 43, 00, 6f, 00, 70, 00, 79, 00, 72, 00, 69, 00, 67, 00, 68, 00, 74, 00, 00, 00, 43, 00, 6f, 00, 70, 00, 79, 00, 72, 00, 69, 00, 67, 00, 68, 00, 74, 00, 20, 00, 28, 00, 63, 00, 29, 00, 20, 00, 50, 00, 79, 00, 74, 00, 68, 00, 6f, 00, 6e, 00, 20, 00, 53, 00, 6f, 00, 66, 00, 74, 00, 77, 00, 61, 00, 72, 00, 65, 00, 20, 00, 46, 00, 6f, 00, 75, 00, 6e, 00, 64, 00, 61, 00, 74, 00, 69, 00, 6f, 00, 6e, 00, 2e, 00, 20, 00, 41, 00, 6c, 00, 6c, 00, 20, 00, 72, 00, 69, 00, 67, 00, 68, 00, 74, 00, 73, 00, 20, 00, 72, 00, 65, 00, 73, 00, 65, 00, 72, 00, 76, 00, 65, 00, 64, 00, 2e, 00, 00, 00, 00, 00, 58, 00, 30, 00, 00, 00, 4f, 00, 72, 00, 69, 00, 67, 00, 69, 00, 6e, 00, 61, 00, 6c, 00, 46, 00, 69, 00, 6c, 00, 65, 00, 6e, 00, 61, 00, 6d, 00, 65, 00, 00, 00, 70, 00, 79, 00, 74, 00, 68, 00, 6f, 00, 6e, 00, 2d, 00, 33, 00, 2e, 00, 31, 00, 31, 00, 2e, 00, 33, 00, 2d, 00, 61, 00, 6d, 00, 64, 00, 36, 00, 34, 00, 2e, 00, 65, 00, 78, 00, 65, 00, 00, 00, 50, 00, 2e, 00, 00, 00, 50, 00, 72, 00, 6f, 00, 64, 00, 75, 00, 63, 00, 74, 00, 4e, 00, 61, 00, 6d, 00, 65, 00, 00, 00, 00, 00, 50, 00, 79, 00, 74, 00, 68, 00, 6f, 00, 6e, 00, 20, 00, 33, 00, 2e, 00, 31, 00, 31, 00, 2e, 00, 33, 00, 20, 00, 28, 00, 36, 00, 34, 00, 2d, 00, 62, 00, 69, 00, 74, 00, 29, 00, 00, 00, 00, 00, 3c, 00, 18, 00, 00, 00, 50, 00, 72, 00, 6f, 00, 64, 00, 75, 00, 63, 00, 74, 00, 56, 00, 65, 00, 72, 00, 73, 00, 69, 00, 6f, 00, 6e, 00, 00, 00, 33, 00, 2e, 00, 31, 00, 31, 00, 2e, 00, 33, 00, 31, 00, 35, 00, 30, 00, 2e, 00, 30, 00, 00, 00, 44, 00, 00, 00, 00, 00, 56, 00, 61, 00, 72, 00, 46, 00, 69, 00, 6c, 00, 65, 00, 49, 00, 6e, 00, 66, 00, 6f, 00, 00, 00, 00, 00, 24, 00, 04, 00, 00, 00, 54, 00, 72, 00, 61, 00, 6e, 00, 73, 00, 6c, 00, 61, 00, 74, 00, 69, 00, 6f, 00, 6e, 00, 00, 00, 00, 00, 09, 04, e4, 04] (888 bytes),
        fixed_info: Some(
            VsFixedFileInfo {
                signature: 0xfeef04bd (Valid),
                struct_version: 0x10000,
                file_version_ms: 0x3000b,
                file_version_ls: 0xc4e0000,
                product_version_ms: 0x3000b,
                product_version_ls: 0xc4e0000,
                file_flags_mask: 0x3f,
                file_flags: 0x0,
                file_os: 0x4,
                file_type: 0x1,
                file_subtype: 0x0,
                file_date_ms: 0x0,
                file_date_ls: 0x0,
            },
        ),
        string_info: StringFileInfo {
            comments: None,
            company_name: Some("Python Software Foundation"),
            file_description: Some("Python 3.11.3 (64-bit)"),
            file_version: Some("3.11.3150.0"),
            internal_name: Some("setup"),
            legal_copyright: Some("Copyright (c) Python Software Foundation. All rights reserved."),
            legal_trademarks: None,
            original_filename: Some("python-3.11.3-amd64.exe"),
            private_build: None,
            product_name: Some("Python 3.11.3 (64-bit)"),
            product_version: Some("3.11.3150.0"),
            special_build: None,
        },
    },
)
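For anyone picking this up: the block below is an added stand-alone example, not goblin's code and not the PR mentioned above. It walks the VS_VERSIONINFO tree from the linked MS doc (wLength, wValueLength, wType, szKey, padding, Value, children) and pulls the StringFileInfo entries such as OriginalFilename out of a resource blob. The sample blob is built by `build_sample_version_info` with made-up strings (`Example Corp`, `sample-installer.exe`); only the VS_FIXEDFILEINFO values copy the dump above, and all function names are my own. One caveat is visible in the dump itself: wValueLength is not consistent across writers. InternalName carries a word count with wType=1 (`2c 00 06 00 01 00`), while CompanyName and OriginalFilename carry byte counts with wType=0 (`58 00 36 00 00 00`, `58 00 30 00 00 00`). The walker therefore reads each string up to its NUL within wLength and bounds every read, which is what a forensic tool needs when the input is an arbitrary executable.

```rust
// Added example, not goblin's code: a bounds-checked walker over the VS_VERSIONINFO tree
// (wLength, wValueLength, wType, szKey, padding, Value, children) extracting StringFileInfo.
use std::collections::BTreeMap;

const VS_FFI_SIGNATURE: u32 = 0xFEEF04BD; // VS_FIXEDFILEINFO.dwSignature
#[derive(Debug, Default)]
pub struct VersionStrings { pub file_version: Option<(u32, u32)>, pub strings: BTreeMap<String, String> }

fn le(b: &[u8], off: usize, n: usize) -> Option<u64> { // bounds-checked little-endian read, n <= 8
    Some(b.get(off..off.checked_add(n)?)?.iter().rev().fold(0u64, |acc, &x| acc << 8 | x as u64))
}
fn align4(x: usize) -> usize { (x + 3) & !3 }

/// NUL-terminated UTF-16LE string at `off`, never read past `end`; returns (text, offset after NUL).
fn read_utf16z(b: &[u8], off: usize, end: usize) -> Option<(String, usize)> {
    let (mut units, mut p) = (Vec::new(), off);
    loop {
        let u = if p + 2 <= end { le(b, p, 2)? as u16 } else { return None }; // unterminated: reject
        p += 2;
        if u == 0 { return Some((String::from_utf16_lossy(&units), p)); }
        units.push(u);
    }
}

/// Parse the node at `off` (bounded by `end`) and its children; returns the aligned offset of
/// the next sibling. `path` is the chain of szKey values down to this node.
fn walk(b: &[u8], off: usize, end: usize, path: &mut Vec<String>,
        out: &mut VersionStrings, depth: usize) -> Option<usize> {
    if depth > 8 { return None; } // real trees are 4 deep; cap recursion on crafted input
    let w_len = le(b, off, 2)? as usize; // header: wLength, wValueLength, wType (wType unused)
    let w_value_len = le(b, off + 2, 2)? as usize;
    let node_end = off.checked_add(w_len).filter(|&e| w_len >= 6 && e <= end)?; // too short / overruns parent
    let (key, key_end) = read_utf16z(b, off + 6, node_end)?;
    let mut p = align4(key_end);
    if depth == 0 && key != "VS_VERSION_INFO" { return None; }
    path.push(key.clone());
    match path.as_slice() {
        [_root] => { // Value is VS_FIXEDFILEINFO (52 bytes), recognised by its signature
            if w_value_len == 52 && p + 52 <= node_end && le(b, p, 4)? as u32 == VS_FFI_SIGNATURE {
                out.file_version = Some((le(b, p + 8, 4)? as u32, le(b, p + 12, 4)? as u32));
            }
            p = align4(p + w_value_len);
        }
        [_, sfi, _table, _] if sfi == "StringFileInfo" => {
            // String node. wValueLength is not trusted: in the dump above one writer counts words
            // with wType=1 (InternalName), another counts bytes with wType=0 (CompanyName).
            if w_value_len > 0 {
                let (value, _) = read_utf16z(b, p, node_end)?; // bounded by wLength instead
                out.strings.insert(key, value);
            }
            p = node_end; // String nodes have no children
        }
        _ => p = align4(p + w_value_len), // StringFileInfo / StringTable / VarFileInfo / Var
    }
    while p + 6 <= node_end {
        if le(b, p, 2)? == 0 { break; } // trailing zero padding, not another child
        p = walk(b, p, node_end, path, out, depth + 1)?;
    }
    path.pop();
    Some(align4(node_end))
}

pub fn parse_version_info(b: &[u8]) -> Option<VersionStrings> {
    let mut out = VersionStrings::default();
    walk(b, 0, b.len(), &mut Vec::new(), &mut out, 0).map(|_| out)
}
pub fn original_filename(b: &[u8]) -> Option<String> {
    parse_version_info(b)?.strings.get("OriginalFilename").cloned()
}

// Writer side, used only to construct the sample blob below.
fn utf16z(s: &str) -> Vec<u8> {
    s.encode_utf16().chain(std::iter::once(0)).flat_map(|u| u.to_le_bytes()).collect()
}
fn pad4(v: &mut Vec<u8>) { while v.len() % 4 != 0 { v.push(0); } }
/// One node: 6-byte header, szKey, padding, Value, padding, children (each padded).
fn node(key: &str, w_type: u16, value: &[u8], w_value_len: u16, children: &[Vec<u8>]) -> Vec<u8> {
    let mut buf = vec![0u8; 6];
    buf.extend_from_slice(&utf16z(key));
    pad4(&mut buf);
    buf.extend_from_slice(value);
    pad4(&mut buf);
    for c in children { buf.extend_from_slice(c); pad4(&mut buf); }
    let hdr = [(buf.len() as u16).to_le_bytes(), w_value_len.to_le_bytes(), w_type.to_le_bytes()];
    buf[..6].copy_from_slice(&hdr.concat());
    buf
}
/// Constructed sample: fixed-info values mirror the dump above, strings are made up, and
/// InternalName deliberately uses the byte-count/wType=0 convention of the dump's CompanyName.
pub fn build_sample_version_info() -> Vec<u8> {
    let fixed = [VS_FFI_SIGNATURE, 0x10000, 0x3000b, 0xc4e0000, 0x3000b, 0xc4e0000, 0x3f, 0, 4, 1, 0, 0, 0];
    let fixed_bytes: Vec<u8> = fixed.iter().flat_map(|v| v.to_le_bytes()).collect();
    let text = |k: &str, v: &str| node(k, 1, &utf16z(v), (v.encode_utf16().count() + 1) as u16, &[]);
    let table = node("040904E4", 1, &[], 0, &[
        text("CompanyName", "Example Corp"),
        node("InternalName", 0, &utf16z("setup"), 12, &[]),
        text("OriginalFilename", "sample-installer.exe"),
    ]);
    let sfi = node("StringFileInfo", 1, &[], 0, &[table]);
    let vfi = node("VarFileInfo", 1, &[], 0, &[node("Translation", 0, &[0x09, 0x04, 0xe4, 0x04], 4, &[])]);
    node("VS_VERSION_INFO", 0, &fixed_bytes, 52, &[sfi, vfi])
}
```

The file has no dependencies beyond std; `original_filename(&build_sample_version_info())` returns `Some("sample-installer.exe")`, and a truncated blob (for instance the first 40 bytes) is rejected with `None` rather than read past its end, because every child's wLength is checked against its parent's extent before anything inside it is touched.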
