pedump 0.4.0

@@ -0,0 +1,5 @@
1
+ lib/**/*.rb
2
+ bin/*
3
+ -
4
+ features/**/*.feature
5
+ LICENSE.txt
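--- /dev/null
+++ b/data/.rspec
@@ -0,0 +1 @@
+--color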
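--- /dev/null
+++ b/data/Gemfile
@@ -0,0 +1,16 @@
+source "http://rubygems.org"
+# Add dependencies required to use your gem here.
+# Example:
+# gem "activesupport", ">= 2.3.5"
+gem "multipart-post", "~> 1.1.4"
+gem "progressbar", "~> 0.9.2"
+
+# Add dependencies to develop your gem here.
+# Include everything needed to run rake, tests, features, etc.
+group :development do
+gem "rspec", "~> 2.3.0"
+gem "bundler", "~> 1.0.0"
+gem "jeweler", "~> 1.6.4"
+gem "rcov", ">= 0"
+gem "awesome_print"
+end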
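Review bot: The gem source on the first line of this Gemfile is fetched over plain HTTP, `source "http://rubygems.org"`, so the gem index and the downloaded gem archives are not protected against tampering or substitution in transit. Change it to `source "https://rubygems.org"` so Bundler resolves and downloads over TLS. The generated Gemfile.lock in the following hunk records the same `remote: http://rubygems.org/` and should be regenerated after the change so the two stay consistent.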
@@ -0,0 +1,34 @@
1
+ GEM
2
+ remote: http://rubygems.org/
3
+ specs:
4
+ awesome_print (0.4.0)
5
+ diff-lcs (1.1.3)
6
+ git (1.2.5)
7
+ jeweler (1.6.4)
8
+ bundler (~> 1.0)
9
+ git (>= 1.2.5)
10
+ rake
11
+ multipart-post (1.1.4)
12
+ progressbar (0.9.2)
13
+ rake (0.9.2.2)
14
+ rcov (0.9.11)
15
+ rspec (2.3.0)
16
+ rspec-core (~> 2.3.0)
17
+ rspec-expectations (~> 2.3.0)
18
+ rspec-mocks (~> 2.3.0)
19
+ rspec-core (2.3.1)
20
+ rspec-expectations (2.3.0)
21
+ diff-lcs (~> 1.1.2)
22
+ rspec-mocks (2.3.0)
23
+
24
+ PLATFORMS
25
+ ruby
26
+
27
+ DEPENDENCIES
28
+ awesome_print
29
+ bundler (~> 1.0.0)
30
+ jeweler (~> 1.6.4)
31
+ multipart-post (~> 1.1.4)
32
+ progressbar (~> 0.9.2)
33
+ rcov
34
+ rspec (~> 2.3.0)
@@ -0,0 +1,20 @@
1
+ Copyright (c) 2011 Andrey "Zed" Zaikin
2
+
3
+ Permission is hereby granted, free of charge, to any person obtaining
4
+ a copy of this software and associated documentation files (the
5
+ "Software"), to deal in the Software without restriction, including
6
+ without limitation the rights to use, copy, modify, merge, publish,
7
+ distribute, sublicense, and/or sell copies of the Software, and to
8
+ permit persons to whom the Software is furnished to do so, subject to
9
+ the following conditions:
10
+
11
+ The above copyright notice and this permission notice shall be
12
+ included in all copies or substantial portions of the Software.
13
+
14
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
15
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
16
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
17
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
18
+ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
19
+ OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
20
+ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@@ -0,0 +1,398 @@
1
+ pedump
2
+ ======
3
+
4
+ Description
5
+ -----------
6
+ A pure ruby implementation of win32 PE binary files dumper, including:
7
+
8
+ * MZ Header
9
+ * DOS stub
10
+ * ['Rich' Header](http://ntcore.com/files/richsign.htm)
11
+ * PE Header
12
+ * Data Directory
13
+ * Sections
14
+ * Resources
15
+ * Strings
16
+ * Imports & Exports
17
+ * VS_VERSIONINFO parsing
18
+ * PE Packer/Compiler detection
19
+ * a convenient way to upload your PE's to http://pedump.me for a nice HTML tables with image previews, candies & stuff
20
+
21
+ Installation
22
+ ------------
23
+ gem install pedump
24
+
25
+ Usage
26
+ -----
27
+
28
+ # pedump -h
29
+
30
+ Usage: pedump [options]
31
+ --version Print version information and exit
32
+ -v, --verbose Run verbosely
33
+ (can be used multiple times)
34
+ -q, --quiet Silent any warnings
35
+ (can be used multiple times)
36
+ -F, --force Try to dump by all means
37
+ (can cause exceptions & heavy wounds)
38
+ -f, --format FORMAT Output format: bin,c,dump,hex,inspect,table
39
+ (default: table)
40
+ --mz
41
+ --dos-stub
42
+ --rich
43
+ --pe
44
+ --data-directory
45
+ -S, --sections
46
+ -s, --strings
47
+ -R, --resources
48
+ --resource-directory
49
+ -I, --imports
50
+ -E, --exports
51
+ -V, --version-info
52
+ --packer
53
+ --deep packer deep scan, significantly slower
54
+ -P, --packer-only packer/compiler detect only,
55
+ mimics 'file' command output
56
+ --all Dump all but resource-directory (default)
57
+ --va2file VA Convert RVA to file offset
58
+ -W, --web Uploads files to a http://pedump.me
59
+ for a nice HTML tables with image previews,
60
+ candies & stuff
61
+
62
+ ### MZ Header
63
+
64
+ # pedump --mz calc.exe
65
+
66
+ === MZ Header ===
67
+
68
+ signature: "MZ"
69
+ bytes_in_last_block: 144 0x90
70
+ blocks_in_file: 3 3
71
+ num_relocs: 0 0
72
+ header_paragraphs: 4 4
73
+ min_extra_paragraphs: 0 0
74
+ max_extra_paragraphs: 65535 0xffff
75
+ ss: 0 0
76
+ sp: 184 0xb8
77
+ checksum: 0 0
78
+ ip: 0 0
79
+ cs: 0 0
80
+ reloc_table_offset: 64 0x40
81
+ overlay_number: 0 0
82
+ reserved0: 0 0
83
+ oem_id: 0 0
84
+ oem_info: 0 0
85
+ reserved2: 0 0
86
+ reserved3: 0 0
87
+ reserved4: 0 0
88
+ reserved5: 0 0
89
+ reserved6: 0 0
90
+ lfanew: 232 0xe8
91
+
92
+ ### DOS stub
93
+
94
+ # pedump --dos-stub calc.exe
95
+
96
+ === DOS STUB ===
97
+
98
+ 00000000: 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|
99
+ 00000010: 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|
100
+ 00000020: 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |
101
+ 00000030: 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|
102
+
103
+ ### 'Rich' Header
104
+
105
+ # pedump --rich calc.exe
106
+
107
+ === RICH Header ===
108
+
109
+ LIB_ID VERSION TIMES_USED
110
+ 149 95 21022 521e 9 9
111
+ 1 1 0 0 367 16f
112
+ 147 93 21022 521e 29 1d
113
+ 132 84 21022 521e 129 81
114
+ 131 83 21022 521e 25 19
115
+ 148 94 21022 521e 1 1
116
+ 145 91 21022 521e 1 1
117
+
118
+ ### PE Header
119
+
120
+ # pedump --pe calc.exe
121
+
122
+ === PE Header ===
123
+
124
+ signature: "PE\x00\x00"
125
+
126
+ # IMAGE_FILE_HEADER:
127
+ Machine: 332 0x14c x86
128
+ NumberOfSections: 4 4
129
+ TimeDateStamp: "2008-09-14 11:28:52"
130
+ PointerToSymbolTable: 0 0
131
+ NumberOfSymbols: 0 0
132
+ SizeOfOptionalHeader: 224 0xe0
133
+ Characteristics: 258 0x102 EXECUTABLE_IMAGE, 32BIT_MACHINE
134
+
135
+ # IMAGE_OPTIONAL_HEADER32:
136
+ Magic: 267 0x10b 32-bit executable
137
+ LinkerVersion: 9.0
138
+ SizeOfCode: 305664 0x4aa00
139
+ SizeOfInitializedData: 340480 0x53200
140
+ SizeOfUninitializedData: 0 0
141
+ AddressOfEntryPoint: 230155 0x3830b
142
+ BaseOfCode: 4096 0x1000
143
+ BaseOfData: 311296 0x4c000
144
+ ImageBase: 16777216 0x1000000
145
+ SectionAlignment: 4096 0x1000
146
+ FileAlignment: 512 0x200
147
+ OperatingSystemVersion: 5.1
148
+ ImageVersion: 5.256
149
+ SubsystemVersion: 5.1
150
+ Reserved1: 0 0
151
+ SizeOfImage: 659456 0xa1000
152
+ SizeOfHeaders: 1024 0x400
153
+ CheckSum: 690555 0xa897b
154
+ Subsystem: 2 2 WINDOWS_GUI
155
+ DllCharacteristics: 33088 0x8140 DYNAMIC_BASE, NX_COMPAT
156
+ TERMINAL_SERVER_AWARE
157
+ SizeOfStackReserve: 262144 0x40000
158
+ SizeOfStackCommit: 8192 0x2000
159
+ SizeOfHeapReserve: 1048576 0x100000
160
+ SizeOfHeapCommit: 4096 0x1000
161
+ LoaderFlags: 0 0
162
+ NumberOfRvaAndSizes: 16 0x10
163
+
164
+ ### Data Directory
165
+
166
+ # pedump --data-directory calc.exe
167
+
168
+ === DATA DIRECTORY ===
169
+
170
+ EXPORT rva:0x 0 size:0x 0
171
+ IMPORT rva:0x 49c1c size:0x 12c
172
+ RESOURCE rva:0x 51000 size:0x 4ab07
173
+ EXCEPTION rva:0x 0 size:0x 0
174
+ SECURITY rva:0x 0 size:0x 0
175
+ BASERELOC rva:0x 9c000 size:0x 3588
176
+ DEBUG rva:0x 1610 size:0x 1c
177
+ ARCHITECTURE rva:0x 0 size:0x 0
178
+ GLOBALPTR rva:0x 0 size:0x 0
179
+ TLS rva:0x 0 size:0x 0
180
+ LOAD_CONFIG rva:0x 3d78 size:0x 40
181
+ Bound_IAT rva:0x 280 size:0x 12c
182
+ IAT rva:0x 1000 size:0x 594
183
+ Delay_IAT rva:0x 49bac size:0x 40
184
+ CLR_Header rva:0x 0 size:0x 0
185
+ rva:0x 0 size:0x 0
186
+
187
+ ### Sections
188
+
189
+ # pedump --sections calc.exe
190
+
191
+ === SECTIONS ===
192
+
193
+ NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS
194
+ .text 1000 4a99a 4aa00 400 0 0 0 0 60000020 R-X CODE
195
+ .data 4c000 431c 3000 4ae00 0 0 0 0 c0000040 RW- IDATA
196
+ .rsrc 51000 4ab07 4ac00 4de00 0 0 0 0 40000040 R-- IDATA
197
+ .reloc 9c000 41f6 4200 98a00 0 0 0 0 42000040 R-- IDATA DISCARDABLE
198
+
199
+ ### Resources
200
+
201
+ # pedump --resources calc.exe
202
+
203
+ === RESOURCES ===
204
+
205
+ FILE_OFFSET CP LANG SIZE TYPE NAME
206
+ 0x4ec84 0 0x409 7465 IMAGE #157
207
+ 0x509b0 0 0x409 4086 IMAGE #165
208
+ 0x519a8 0 0x409 4234 IMAGE #170
209
+ 0x52a34 0 0x409 4625 IMAGE #175
210
+ 0x53c48 0 0x409 4873 IMAGE #180
211
+ 0x54f54 0 0x409 3048 IMAGE #204
212
+ 0x55b3c 0 0x409 3052 IMAGE #208
213
+ 0x56728 0 0x409 3217 IMAGE #212
214
+ 0x573bc 0 0x409 3338 IMAGE #216
215
+ 0x580c8 0 0x409 4191 IMAGE #217
216
+ 0x59128 0 0x409 4229 IMAGE #218
217
+ 0x5a1b0 0 0x409 4110 IMAGE #219
218
+ 0x5b1c0 0 0x409 4065 IMAGE #220
219
+ 0x5c1a4 0 0x409 3235 IMAGE #961
220
+ 0x5ce48 0 0x409 470 IMAGE #981
221
+ 0x5d020 0 0x409 587 IMAGE #982
222
+ 0x5d26c 0 0x409 518 IMAGE #983
223
+ 0x5d474 0 0x409 5344 IMAGE #3000
224
+ 0x5e954 0 0x409 4154 IMAGE #3015
225
+ 0x5f990 0 0x409 4815 IMAGE #3045
226
+ 0x60c60 0 0x409 6038 IMAGE #3051
227
+ 0x623f8 0 0x409 4290 IMAGE #3060
228
+ ...
229
+
230
+ ### Strings
231
+
232
+ # pedump --strings calc.exe.mui
233
+
234
+ === STRINGS ===
235
+
236
+ ID ID LANG STRING
237
+ 0 0 409 "+/-"
238
+ 1 1 409 "C"
239
+ 2 2 409 "CE"
240
+ 3 3 409 "Backspace"
241
+ 4 4 409 "."
242
+ 6 6 409 "And"
243
+ 7 7 409 "Or"
244
+ 8 8 409 "Xor"
245
+ 9 9 409 "Lsh"
246
+ 10 a 409 "Rsh"
247
+ 11 b 409 "/"
248
+ 12 c 409 "*"
249
+ 13 d 409 "+"
250
+ 14 e 409 "-"
251
+ 15 f 409 "Mod"
252
+ 16 10 409 "R"
253
+ 17 11 409 "^"
254
+ 18 12 409 "Int"
255
+ 19 13 409 "RoL"
256
+ 20 14 409 "RoR"
257
+ 21 15 409 "Not"
258
+ 22 16 409 "sin"
259
+ ...
260
+
261
+ ### Imports
262
+
263
+ # pedump --imports zlib.dll
264
+
265
+ === IMPORTS ===
266
+
267
+ MODULE_NAME HINT ORD FUNCTION_NAME
268
+ KERNEL32.dll e1 GetLastError
269
+ KERNEL32.dll 153 HeapAlloc
270
+ KERNEL32.dll 159 HeapFree
271
+ KERNEL32.dll 9f GetCommandLineA
272
+ KERNEL32.dll 103 GetProcAddress
273
+ KERNEL32.dll eb GetModuleHandleA
274
+ KERNEL32.dll 137 GetVersion
275
+ KERNEL32.dll 164 InitializeCriticalSection
276
+ KERNEL32.dll 44 DeleteCriticalSection
277
+ KERNEL32.dll 4f EnterCriticalSection
278
+ KERNEL32.dll 177 LeaveCriticalSection
279
+ KERNEL32.dll 1fa SetHandleCount
280
+ KERNEL32.dll dc GetFileType
281
+ KERNEL32.dll 116 GetStdHandle
282
+ KERNEL32.dll 114 GetStartupInfoA
283
+ KERNEL32.dll 155 HeapCreate
284
+ KERNEL32.dll 157 HeapDestroy
285
+ KERNEL32.dll c7 GetCurrentThreadId
286
+ KERNEL32.dll 222 TlsSetValue
287
+ KERNEL32.dll 21f TlsAlloc
288
+ KERNEL32.dll 220 TlsFree
289
+ KERNEL32.dll 1fd SetLastError
290
+ KERNEL32.dll 221 TlsGetValue
291
+ KERNEL32.dll 62 ExitProcess
292
+ KERNEL32.dll 1b8 ReadFile
293
+ KERNEL32.dll 16 CloseHandle
294
+ KERNEL32.dll 24f WriteFile
295
+ KERNEL32.dll 83 FlushFileBuffers
296
+ KERNEL32.dll e9 GetModuleFileNameA
297
+ KERNEL32.dll 98 GetCPInfo
298
+ KERNEL32.dll 92 GetACP
299
+ KERNEL32.dll f6 GetOEMCP
300
+ KERNEL32.dll 8b FreeEnvironmentStringsA
301
+ KERNEL32.dll d0 GetEnvironmentStrings
302
+ KERNEL32.dll 8c FreeEnvironmentStringsW
303
+ KERNEL32.dll d2 GetEnvironmentStringsW
304
+ KERNEL32.dll 242 WideCharToMultiByte
305
+ KERNEL32.dll 2b CreateFileA
306
+ KERNEL32.dll 1f8 SetFilePointer
307
+ KERNEL32.dll 206 SetStdHandle
308
+ KERNEL32.dll 178 LoadLibraryA
309
+ KERNEL32.dll 1ef SetEndOfFile
310
+
311
+ ### Exports
312
+
313
+ # pedump --exports zlib.dll
314
+
315
+ === EXPORTS ===
316
+
317
+ # module "zlib.dll"
318
+ # flags=0x0 ts="1996-05-07 12:46:46" version=0.0 ord_base=1
319
+ # nFuncs=27 nNames=27
320
+
321
+ ORD ENTRY_VA NAME
322
+ 1 76d0 adler32
323
+ 2 2db0 compress
324
+ 3 4aa0 crc32
325
+ 4 3c90 deflate
326
+ 5 4060 deflateCopy
327
+ 6 3fd0 deflateEnd
328
+ 7 37f0 deflateInit2_
329
+ 8 37c0 deflateInit_
330
+ 9 3bc0 deflateParams
331
+ 10 3b40 deflateReset
332
+ 11 3a40 deflateSetDictionary
333
+ 12 7510 gzclose
334
+ 13 6f00 gzdopen
335
+ 14 75a0 gzerror
336
+ 15 73f0 gzflush
337
+ 16 6c50 gzopen
338
+ 17 7190 gzread
339
+ 18 7350 gzwrite
340
+ 19 4e50 inflate
341
+ 20 4cc0 inflateEnd
342
+ 21 4d20 inflateInit2_
343
+ 22 4e30 inflateInit_
344
+ 23 4c70 inflateReset
345
+ 24 5260 inflateSetDictionary
346
+ 25 52f0 inflateSync
347
+ 26 4bd0 uncompress
348
+ 27 e340 zlib_version
349
+
350
+ ### VS_VERSIONINFO parsing
351
+
352
+ # pedump --version-info calc.exe
353
+
354
+ === VERSION INFO ===
355
+
356
+ # VS_FIXEDFILEINFO:
357
+ FileVersion : 6.1.6801.0
358
+ ProductVersion : 6.1.6801.0
359
+ StrucVersion : 0x10000
360
+ FileFlagsMask : 0x3f
361
+ FileFlags : 0
362
+ FileOS : 0x40004
363
+ FileType : 1
364
+ FileSubtype : 0
365
+
366
+ # StringTable 040904B0:
367
+ CompanyName : "Microsoft Corporation"
368
+ FileDescription : "Windows Calculator"
369
+ FileVersion : "6.1.6801.0 (winmain_win7m3.080913-2030)"
370
+ InternalName : "CALC"
371
+ LegalCopyright : "© Microsoft Corporation. All rights reserved."
372
+ OriginalFilename : "CALC.EXE"
373
+ ProductName : "Microsoft® Windows® Operating System"
374
+ ProductVersion : "6.1.6801.0"
375
+
376
+ VarFileInfo : [ 0x409, 0x4b0 ]
377
+
378
+ ### Packer / Compiler detection
379
+
380
+ # pedump --packer zlib.dll
381
+
382
+ === Packer / Compiler ===
383
+
384
+ MS Visual C v2.0
385
+
386
+ #### pedump can mimic 'file' command output:
387
+
388
+ #pedump --packer-only -qqq samples/*
389
+
390
+ samples/StringLoader.dll: Microsoft Visual C++ 6.0 DLL (Debug)
391
+ samples/control.exe: ASPack v2.12
392
+ samples/gms_v1_0_3.exe: UPX 2.90 [LZMA] (Markus Oberhumer, Laszlo Molnar & John Reiser)
393
+ samples/unpackme.exe: ASProtect 1.33 - 2.1 Registered (Alexey Solodovnikov)
394
+ samples/zlib.dll: Microsoft Visual C v2.0
395
+
396
+ License
397
+ -------
398
+ Released under the MIT License. See the [LICENSE](https://github.com/zed-0xff/pedump/blob/master/LICENSE.txt) file for further details.