pedump 0.5.3

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: '09298f0bc9e608f9b7636a80f6f4b9aeb29aaf6f8f3bf72aa743a06d1bc3dd30'
+  data.tar.gz: e86dc4d6edd01222416e4937cec876a2551dea3b4ba8cb7eefb7aaa09d0375ce
+SHA512:
+  metadata.gz: 3b83b01e940fb0388a95566d4ca53fe61913f02b9d474987a35deb9c0b4073d66712a9179f801bc617f7202a3d42fd0d05e5a1cbe34ec332f3cf38c494e2f660
+  data.tar.gz: 64d7ae8c83a01f7e9772ed1e7e631474079baedd914f19ec26c725bb2a663155076d50777c14080532de3bcc3241fa0423705326e8f20067ec568b10e934d84b

data/Gemfile

@@ -0,0 +1,16 @@
+source "https://rubygems.org"
+#gemspec
+
+gem 'rainbow'
+gem "awesome_print"
+gem "iostruct",       ">= 0.0.4"
+gem "multipart-post", ">= 2.0.0"
+gem "progressbar"
+gem "zhexdump",       ">= 0.0.2"
+
+group :development do
+  gem "rspec",   "~> 3.9.0"
+  gem "rspec-its", "~> 1.3.0"
+  gem "bundler", "~> 2.1.4"
+  gem "jeweler", "~> 2.3.9"
+end

data/Gemfile.lock

@@ -0,0 +1,90 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.4.0)
+    awesome_print (1.8.0)
+    builder (3.2.4)
+    descendants_tracker (0.0.4)
+      thread_safe (~> 0.3, >= 0.3.1)
+    diff-lcs (1.3)
+    faraday (0.9.2)
+      multipart-post (>= 1.2, < 3)
+    git (1.5.0)
+    github_api (0.16.0)
+      addressable (~> 2.4.0)
+      descendants_tracker (~> 0.0.4)
+      faraday (~> 0.8, < 0.10)
+      hashie (>= 3.4)
+      mime-types (>= 1.16, < 3.0)
+      oauth2 (~> 1.0)
+    hashie (4.0.0)
+    highline (2.0.3)
+    iostruct (0.0.4)
+    jeweler (2.3.9)
+      builder
+      bundler
+      git (>= 1.2.5)
+      github_api (~> 0.16.0)
+      highline (>= 1.6.15)
+      nokogiri (>= 1.5.10)
+      psych
+      rake
+      rdoc
+      semver2
+    jwt (2.2.1)
+    mime-types (2.99.3)
+    mini_portile2 (2.4.0)
+    multi_json (1.14.1)
+    multi_xml (0.6.0)
+    multipart-post (2.0.0)
+    nokogiri (1.10.7)
+      mini_portile2 (~> 2.4.0)
+    oauth2 (1.4.2)
+      faraday (>= 0.8, < 2.0)
+      jwt (>= 1.0, < 3.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 3)
+    progressbar (1.10.1)
+    psych (3.1.0)
+    rack (2.1.1)
+    rainbow (3.0.0)
+    rake (13.0.1)
+    rdoc (6.2.1)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.1)
+      rspec-support (~> 3.9.1)
+    rspec-expectations (3.9.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-its (1.3.0)
+      rspec-core (>= 3.0.0)
+      rspec-expectations (>= 3.0.0)
+    rspec-mocks (3.9.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.2)
+    semver2 (3.4.2)
+    thread_safe (0.3.6)
+    zhexdump (0.0.2)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  awesome_print
+  bundler (~> 2.1.4)
+  iostruct (>= 0.0.4)
+  jeweler (~> 2.3.9)
+  multipart-post (>= 2.0.0)
+  progressbar
+  rainbow
+  rspec (~> 3.9.0)
+  rspec-its (~> 1.3.0)
+  zhexdump (>= 0.0.2)
+
+BUNDLED WITH
+   2.1.4

data/LICENSE.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2011 Andrey "Zed" Zaikin
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,410 @@
+pedump    [![Build Status](https://travis-ci.org/zed-0xff/pedump.png?branch=master)](https://travis-ci.org/zed-0xff/pedump) [![Dependency Status](https://gemnasium.com/zed-0xff/pedump.png)](https://gemnasium.com/zed-0xff/pedump)
+======
+
+Description
+-----------
+A pure ruby implementation of win32 PE binary files dumper.
+
+Supported formats:
+
+ * DOS MZ EXE
+ * win16 NE
+ * win32 PE
+ * win64 PE
+
+Can dump:
+
+ * MZ/NE/PE Header
+ * DOS stub
+ * ['Rich' Header](http://ntcore.com/files/richsign.htm)
+ * Data Directory
+ * Sections
+ * Resources
+ * Strings
+ * Imports & Exports
+ * VS_VERSIONINFO parsing
+ * PE Packer/Compiler detection
+ * a convenient way to upload your PE's to http://pedump.me for a nice HTML tables with image previews, candies & stuff
+
+Installation
+------------
+    gem install pedump
+
+Usage
+-----
+
+    # pedump -h
+
+    Usage: pedump [options]
+            --version                    Print version information and exit
+        -v, --verbose                    Run verbosely
+                                         (can be used multiple times)
+        -q, --quiet                      Silent any warnings
+                                         (can be used multiple times)
+        -F, --force                      Try to dump by all means
+                                         (can cause exceptions & heavy wounds)
+        -f, --format FORMAT              Output format: bin,c,dump,hex,inspect,table,yaml
+                                         (default: table)
+            --mz
+            --dos-stub
+            --rich
+            --pe
+            --ne
+            --data-directory
+        -S, --sections
+            --tls
+            --security
+        -s, --strings
+        -R, --resources
+            --resource-directory
+        -I, --imports
+        -E, --exports
+        -V, --version-info
+            --packer
+            --deep                       packer deep scan, significantly slower
+        -P, --packer-only                packer/compiler detect only,
+                                         mimics 'file' command output
+        -r, --recursive                  recurse dirs in packer detect
+            --all                        Dump all but resource-directory (default)
+            --va2file VA                 Convert RVA to file offset
+        -W, --web                        Uploads files to a http://pedump.me
+                                         for a nice HTML tables with image previews,
+                                         candies & stuff
+
+### MZ Header
+
+    # pedump --mz calc.exe
+
+    === MZ Header ===
+    
+                         signature:                     "MZ"
+               bytes_in_last_block:        144          0x90
+                    blocks_in_file:          3             3
+                        num_relocs:          0             0
+                 header_paragraphs:          4             4
+              min_extra_paragraphs:          0             0
+              max_extra_paragraphs:      65535        0xffff
+                                ss:          0             0
+                                sp:        184          0xb8
+                          checksum:          0             0
+                                ip:          0             0
+                                cs:          0             0
+                reloc_table_offset:         64          0x40
+                    overlay_number:          0             0
+                         reserved0:          0             0
+                            oem_id:          0             0
+                          oem_info:          0             0
+                         reserved2:          0             0
+                         reserved3:          0             0
+                         reserved4:          0             0
+                         reserved5:          0             0
+                         reserved6:          0             0
+                            lfanew:        232          0xe8
+
+### DOS stub
+
+    # pedump --dos-stub calc.exe
+
+    === DOS STUB ===
+    
+    00000000:  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
+    00000010:  69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
+    00000020:  74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
+    00000030:  6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|
+
+### 'Rich' Header
+
+    # pedump --rich calc.exe
+
+    === RICH Header ===
+    
+        LIB_ID        VERSION        TIMES_USED   
+       149  95      21022  521e         9   9
+         1   1          0     0       367 16f
+       147  93      21022  521e        29  1d
+       132  84      21022  521e       129  81
+       131  83      21022  521e        25  19
+       148  94      21022  521e         1   1
+       145  91      21022  521e         1   1
+
+### PE Header
+
+    # pedump --pe calc.exe
+
+    === PE Header ===
+    
+                         signature:             "PE\x00\x00"
+    
+    # IMAGE_FILE_HEADER:
+                           Machine:        332         0x14c  x86
+                  NumberOfSections:          4             4
+                     TimeDateStamp:    "2008-09-14 07:28:52"
+              PointerToSymbolTable:          0             0
+                   NumberOfSymbols:          0             0
+              SizeOfOptionalHeader:        224          0xe0
+                   Characteristics:        258         0x102  EXECUTABLE_IMAGE, 32BIT_MACHINE
+    
+    # IMAGE_OPTIONAL_HEADER32:
+                             Magic:        267         0x10b  32-bit executable
+                     LinkerVersion:                      9.0
+                        SizeOfCode:     305664       0x4aa00
+             SizeOfInitializedData:     340480       0x53200
+           SizeOfUninitializedData:          0             0
+               AddressOfEntryPoint:     230155       0x3830b
+                        BaseOfCode:       4096        0x1000
+                        BaseOfData:     311296       0x4c000
+                         ImageBase:   16777216     0x1000000
+                  SectionAlignment:       4096        0x1000
+                     FileAlignment:        512         0x200
+            OperatingSystemVersion:                      5.1
+                      ImageVersion:                    5.256
+                  SubsystemVersion:                      5.1
+                         Reserved1:          0             0
+                       SizeOfImage:     659456       0xa1000
+                     SizeOfHeaders:       1024         0x400
+                          CheckSum:     690555       0xa897b
+                         Subsystem:          2             2  WINDOWS_GUI
+                DllCharacteristics:      33088        0x8140  DYNAMIC_BASE, NX_COMPAT
+                                                              TERMINAL_SERVER_AWARE
+                SizeOfStackReserve:     262144       0x40000
+                 SizeOfStackCommit:       8192        0x2000
+                 SizeOfHeapReserve:    1048576      0x100000
+                  SizeOfHeapCommit:       4096        0x1000
+                       LoaderFlags:          0             0
+               NumberOfRvaAndSizes:         16          0x10
+
+### Data Directory
+
+    # pedump --data-directory calc.exe
+
+    === DATA DIRECTORY ===
+    
+      EXPORT        rva:0x       0   size:0x        0
+      IMPORT        rva:0x   49c1c   size:0x      12c
+      RESOURCE      rva:0x   51000   size:0x    4ab07
+      EXCEPTION     rva:0x       0   size:0x        0
+      SECURITY      rva:0x       0   size:0x        0
+      BASERELOC     rva:0x   9c000   size:0x     3588
+      DEBUG         rva:0x    1610   size:0x       1c
+      ARCHITECTURE  rva:0x       0   size:0x        0
+      GLOBALPTR     rva:0x       0   size:0x        0
+      TLS           rva:0x       0   size:0x        0
+      LOAD_CONFIG   rva:0x    3d78   size:0x       40
+      Bound_IAT     rva:0x     280   size:0x      12c
+      IAT           rva:0x    1000   size:0x      594
+      Delay_IAT     rva:0x   49bac   size:0x       40
+      CLR_Header    rva:0x       0   size:0x        0
+                    rva:0x       0   size:0x        0
+
+### Sections
+
+    # pedump --sections calc.exe
+
+    === SECTIONS ===
+    
+      NAME          RVA      VSZ   RAW_SZ  RAW_PTR  nREL  REL_PTR nLINE LINE_PTR     FLAGS
+      .text        1000    4a99a    4aa00      400     0        0     0        0  60000020  R-X CODE
+      .data       4c000     431c     3000    4ae00     0        0     0        0  c0000040  RW- IDATA
+      .rsrc       51000    4ab07    4ac00    4de00     0        0     0        0  40000040  R-- IDATA
+      .reloc      9c000     41f6     4200    98a00     0        0     0        0  42000040  R-- IDATA DISCARDABLE
+
+### Resources
+
+    # pedump --resources calc.exe
+
+    === RESOURCES ===
+    
+    FILE_OFFSET    CP  LANG     SIZE  TYPE          NAME
+        0x4ec84     0 0x409     7465  IMAGE         #157
+        0x509b0     0 0x409     4086  IMAGE         #165
+        0x519a8     0 0x409     4234  IMAGE         #170
+        0x52a34     0 0x409     4625  IMAGE         #175
+        0x53c48     0 0x409     4873  IMAGE         #180
+        0x54f54     0 0x409     3048  IMAGE         #204
+        0x55b3c     0 0x409     3052  IMAGE         #208
+        0x56728     0 0x409     3217  IMAGE         #212
+        0x573bc     0 0x409     3338  IMAGE         #216
+        0x580c8     0 0x409     4191  IMAGE         #217
+        0x59128     0 0x409     4229  IMAGE         #218
+        0x5a1b0     0 0x409     4110  IMAGE         #219
+        0x5b1c0     0 0x409     4065  IMAGE         #220
+        0x5c1a4     0 0x409     3235  IMAGE         #961
+        0x5ce48     0 0x409      470  IMAGE         #981
+        0x5d020     0 0x409      587  IMAGE         #982
+        0x5d26c     0 0x409      518  IMAGE         #983
+        0x5d474     0 0x409     5344  IMAGE         #3000
+        0x5e954     0 0x409     4154  IMAGE         #3015
+        0x5f990     0 0x409     4815  IMAGE         #3045
+        0x60c60     0 0x409     6038  IMAGE         #3051
+        0x623f8     0 0x409     4290  IMAGE         #3060
+    ...
+
+### Strings
+
+    # pedump --strings calc.exe.mui
+
+    === STRINGS ===
+    
+       ID    ID  LANG  STRING
+        0     0   409  "+/-"
+        1     1   409  "C"
+        2     2   409  "CE"
+        3     3   409  "Backspace"
+        4     4   409  "."
+        6     6   409  "And"
+        7     7   409  "Or"
+        8     8   409  "Xor"
+        9     9   409  "Lsh"
+       10     a   409  "Rsh"
+       11     b   409  "/"
+       12     c   409  "*"
+       13     d   409  "+"
+       14     e   409  "-"
+       15     f   409  "Mod"
+       16    10   409  "R"
+       17    11   409  "^"
+       18    12   409  "Int"
+       19    13   409  "RoL"
+       20    14   409  "RoR"
+       21    15   409  "Not"
+       22    16   409  "sin"
+    ...
+
+### Imports
+
+    # pedump --imports zlib.dll
+
+    === IMPORTS ===
+    
+    MODULE_NAME      HINT   ORD  FUNCTION_NAME
+    KERNEL32.dll       e1        GetLastError
+    KERNEL32.dll      153        HeapAlloc
+    KERNEL32.dll      159        HeapFree
+    KERNEL32.dll       9f        GetCommandLineA
+    KERNEL32.dll      103        GetProcAddress
+    KERNEL32.dll       eb        GetModuleHandleA
+    KERNEL32.dll      137        GetVersion
+    KERNEL32.dll      164        InitializeCriticalSection
+    KERNEL32.dll       44        DeleteCriticalSection
+    KERNEL32.dll       4f        EnterCriticalSection
+    KERNEL32.dll      177        LeaveCriticalSection
+    KERNEL32.dll      1fa        SetHandleCount
+    KERNEL32.dll       dc        GetFileType
+    KERNEL32.dll      116        GetStdHandle
+    KERNEL32.dll      114        GetStartupInfoA
+    KERNEL32.dll      155        HeapCreate
+    KERNEL32.dll      157        HeapDestroy
+    KERNEL32.dll       c7        GetCurrentThreadId
+    KERNEL32.dll      222        TlsSetValue
+    KERNEL32.dll      21f        TlsAlloc
+    KERNEL32.dll      220        TlsFree
+    KERNEL32.dll      1fd        SetLastError
+    KERNEL32.dll      221        TlsGetValue
+    KERNEL32.dll       62        ExitProcess
+    KERNEL32.dll      1b8        ReadFile
+    KERNEL32.dll       16        CloseHandle
+    KERNEL32.dll      24f        WriteFile
+    KERNEL32.dll       83        FlushFileBuffers
+    KERNEL32.dll       e9        GetModuleFileNameA
+    KERNEL32.dll       98        GetCPInfo
+    KERNEL32.dll       92        GetACP
+    KERNEL32.dll       f6        GetOEMCP
+    KERNEL32.dll       8b        FreeEnvironmentStringsA
+    KERNEL32.dll       d0        GetEnvironmentStrings
+    KERNEL32.dll       8c        FreeEnvironmentStringsW
+    KERNEL32.dll       d2        GetEnvironmentStringsW
+    KERNEL32.dll      242        WideCharToMultiByte
+    KERNEL32.dll       2b        CreateFileA
+    KERNEL32.dll      1f8        SetFilePointer
+    KERNEL32.dll      206        SetStdHandle
+    KERNEL32.dll      178        LoadLibraryA
+    KERNEL32.dll      1ef        SetEndOfFile
+
+### Exports
+
+    # pedump --exports zlib.dll
+
+    === EXPORTS ===
+    
+    # module "zlib.dll"
+    # flags=0x0  ts="1996-05-07 08:46:46"  version=0.0  ord_base=1
+    # nFuncs=27  nNames=27
+    
+      ORD ENTRY_VA  NAME
+        1     76d0  adler32
+        2     2db0  compress
+        3     4aa0  crc32
+        4     3c90  deflate
+        5     4060  deflateCopy
+        6     3fd0  deflateEnd
+        7     37f0  deflateInit2_
+        8     37c0  deflateInit_
+        9     3bc0  deflateParams
+        a     3b40  deflateReset
+        b     3a40  deflateSetDictionary
+        c     7510  gzclose
+        d     6f00  gzdopen
+        e     75a0  gzerror
+        f     73f0  gzflush
+       10     6c50  gzopen
+       11     7190  gzread
+       12     7350  gzwrite
+       13     4e50  inflate
+       14     4cc0  inflateEnd
+       15     4d20  inflateInit2_
+       16     4e30  inflateInit_
+       17     4c70  inflateReset
+       18     5260  inflateSetDictionary
+       19     52f0  inflateSync
+       1a     4bd0  uncompress
+       1b     e340  zlib_version
+
+### VS_VERSIONINFO parsing
+
+    # pedump --version-info calc.exe
+
+    === VERSION INFO ===
+    
+    # VS_FIXEDFILEINFO:
+      FileVersion         :  6.1.6801.0
+      ProductVersion      :  6.1.6801.0
+      StrucVersion        :  0x10000
+      FileFlagsMask       :  0x3f
+      FileFlags           :  0
+      FileOS              :  0x40004
+      FileType            :  1
+      FileSubtype         :  0
+    
+    # StringTable 040904B0:
+      CompanyName         :  "Microsoft Corporation"
+      FileDescription     :  "Windows Calculator"
+      FileVersion         :  "6.1.6801.0 (winmain_win7m3.080913-2030)"
+      InternalName        :  "CALC"
+      LegalCopyright      :  "© Microsoft Corporation. All rights reserved."
+      OriginalFilename    :  "CALC.EXE"
+      ProductName         :  "Microsoft® Windows® Operating System"
+      ProductVersion      :  "6.1.6801.0"
+    
+      VarFileInfo         :  [ 0x409, 0x4b0 ]
+
+### Packer / Compiler detection
+
+    # pedump --packer zlib.dll
+
+    === Packer / Compiler ===
+    
+      MS Visual C v2.0
+
+#### pedump can mimic 'file' command output:
+
+    #pedump --packer-only -qqq samples/*
+    
+    samples/StringLoader.dll:                 Microsoft Visual C++ 6.0 DLL (Debug)
+    samples/control.exe:                      ASPack v2.12
+    samples/gms_v1_0_3.exe:                   UPX 2.90 [LZMA] (Markus Oberhumer, Laszlo Molnar & John Reiser)
+    samples/unpackme.exe:                     ASProtect 1.33 - 2.1 Registered (Alexey Solodovnikov)
+    samples/zlib.dll:                         Microsoft Visual C v2.0
+
+License
+-------
+Released under the MIT License.  See the [LICENSE](https://github.com/zed-0xff/pedump/blob/master/LICENSE.txt) file for further details.