pedump 0.5.3

@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: '09298f0bc9e608f9b7636a80f6f4b9aeb29aaf6f8f3bf72aa743a06d1bc3dd30'
4
+ data.tar.gz: e86dc4d6edd01222416e4937cec876a2551dea3b4ba8cb7eefb7aaa09d0375ce
5
+ SHA512:
6
+ metadata.gz: 3b83b01e940fb0388a95566d4ca53fe61913f02b9d474987a35deb9c0b4073d66712a9179f801bc617f7202a3d42fd0d05e5a1cbe34ec332f3cf38c494e2f660
7
+ data.tar.gz: 64d7ae8c83a01f7e9772ed1e7e631474079baedd914f19ec26c725bb2a663155076d50777c14080532de3bcc3241fa0423705326e8f20067ec568b10e934d84b
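--- a/data/Gemfile
+++ b/data/Gemfile
@@ -0,0 +1,16 @@
+source "https://rubygems.org"
+#gemspec
+
+gem 'rainbow'
+gem "awesome_print"
+gem "iostruct", ">= 0.0.4"
+gem "multipart-post", ">= 2.0.0"
+gem "progressbar"
+gem "zhexdump", ">= 0.0.2"
+
+group :development do
+gem "rspec", "~> 3.9.0"
+gem "rspec-its", "~> 1.3.0"
+gem "bundler", "~> 2.1.4"
+gem "jeweler", "~> 2.3.9"
+end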
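Review bot: The runtime dependencies at the top of this Gemfile — `rainbow`, `awesome_print` and `progressbar` — carry no version constraint at all, and with `gemspec` left commented out on line 2 Bundler resolves from this file alone rather than from the gem's own spec, so the runtime set declared here and whatever the published gemspec requires can drift apart. Only Gemfile.lock pins them, and a lockfile is not consumed by anyone who runs `gem install pedump`, so an incompatible major release of any of these three is picked up silently at install time. If jeweler generates the gemspec from this file (the commented-out `gemspec` line suggests that workflow, but it is not visible here), the pessimistic bounds should live on these lines, matching what is currently locked: `gem "rainbow", "~> 3.0"`, `gem "awesome_print", "~> 1.8"`, `gem "progressbar", "~> 1.10"`. As a point of style, `'rainbow'` is the only single-quoted gem name in the file.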
@@ -0,0 +1,90 @@
1
+ GEM
2
+ remote: https://rubygems.org/
3
+ specs:
4
+ addressable (2.4.0)
5
+ awesome_print (1.8.0)
6
+ builder (3.2.4)
7
+ descendants_tracker (0.0.4)
8
+ thread_safe (~> 0.3, >= 0.3.1)
9
+ diff-lcs (1.3)
10
+ faraday (0.9.2)
11
+ multipart-post (>= 1.2, < 3)
12
+ git (1.5.0)
13
+ github_api (0.16.0)
14
+ addressable (~> 2.4.0)
15
+ descendants_tracker (~> 0.0.4)
16
+ faraday (~> 0.8, < 0.10)
17
+ hashie (>= 3.4)
18
+ mime-types (>= 1.16, < 3.0)
19
+ oauth2 (~> 1.0)
20
+ hashie (4.0.0)
21
+ highline (2.0.3)
22
+ iostruct (0.0.4)
23
+ jeweler (2.3.9)
24
+ builder
25
+ bundler
26
+ git (>= 1.2.5)
27
+ github_api (~> 0.16.0)
28
+ highline (>= 1.6.15)
29
+ nokogiri (>= 1.5.10)
30
+ psych
31
+ rake
32
+ rdoc
33
+ semver2
34
+ jwt (2.2.1)
35
+ mime-types (2.99.3)
36
+ mini_portile2 (2.4.0)
37
+ multi_json (1.14.1)
38
+ multi_xml (0.6.0)
39
+ multipart-post (2.0.0)
40
+ nokogiri (1.10.7)
41
+ mini_portile2 (~> 2.4.0)
42
+ oauth2 (1.4.2)
43
+ faraday (>= 0.8, < 2.0)
44
+ jwt (>= 1.0, < 3.0)
45
+ multi_json (~> 1.3)
46
+ multi_xml (~> 0.5)
47
+ rack (>= 1.2, < 3)
48
+ progressbar (1.10.1)
49
+ psych (3.1.0)
50
+ rack (2.1.1)
51
+ rainbow (3.0.0)
52
+ rake (13.0.1)
53
+ rdoc (6.2.1)
54
+ rspec (3.9.0)
55
+ rspec-core (~> 3.9.0)
56
+ rspec-expectations (~> 3.9.0)
57
+ rspec-mocks (~> 3.9.0)
58
+ rspec-core (3.9.1)
59
+ rspec-support (~> 3.9.1)
60
+ rspec-expectations (3.9.0)
61
+ diff-lcs (>= 1.2.0, < 2.0)
62
+ rspec-support (~> 3.9.0)
63
+ rspec-its (1.3.0)
64
+ rspec-core (>= 3.0.0)
65
+ rspec-expectations (>= 3.0.0)
66
+ rspec-mocks (3.9.1)
67
+ diff-lcs (>= 1.2.0, < 2.0)
68
+ rspec-support (~> 3.9.0)
69
+ rspec-support (3.9.2)
70
+ semver2 (3.4.2)
71
+ thread_safe (0.3.6)
72
+ zhexdump (0.0.2)
73
+
74
+ PLATFORMS
75
+ ruby
76
+
77
+ DEPENDENCIES
78
+ awesome_print
79
+ bundler (~> 2.1.4)
80
+ iostruct (>= 0.0.4)
81
+ jeweler (~> 2.3.9)
82
+ multipart-post (>= 2.0.0)
83
+ progressbar
84
+ rainbow
85
+ rspec (~> 3.9.0)
86
+ rspec-its (~> 1.3.0)
87
+ zhexdump (>= 0.0.2)
88
+
89
+ BUNDLED WITH
90
+ 2.1.4
@@ -0,0 +1,20 @@
1
+ Copyright (c) 2011 Andrey "Zed" Zaikin
2
+
3
+ Permission is hereby granted, free of charge, to any person obtaining
4
+ a copy of this software and associated documentation files (the
5
+ "Software"), to deal in the Software without restriction, including
6
+ without limitation the rights to use, copy, modify, merge, publish,
7
+ distribute, sublicense, and/or sell copies of the Software, and to
8
+ permit persons to whom the Software is furnished to do so, subject to
9
+ the following conditions:
10
+
11
+ The above copyright notice and this permission notice shall be
12
+ included in all copies or substantial portions of the Software.
13
+
14
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
15
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
16
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
17
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
18
+ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
19
+ OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
20
+ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@@ -0,0 +1,410 @@
1
+ pedump [![Build Status](https://travis-ci.org/zed-0xff/pedump.png?branch=master)](https://travis-ci.org/zed-0xff/pedump) [![Dependency Status](https://gemnasium.com/zed-0xff/pedump.png)](https://gemnasium.com/zed-0xff/pedump)
2
+ ======
3
+
4
+ Description
5
+ -----------
6
+ A pure ruby implementation of win32 PE binary files dumper.
7
+
8
+ Supported formats:
9
+
10
+ * DOS MZ EXE
11
+ * win16 NE
12
+ * win32 PE
13
+ * win64 PE
14
+
15
+ Can dump:
16
+
17
+ * MZ/NE/PE Header
18
+ * DOS stub
19
+ * ['Rich' Header](http://ntcore.com/files/richsign.htm)
20
+ * Data Directory
21
+ * Sections
22
+ * Resources
23
+ * Strings
24
+ * Imports & Exports
25
+ * VS_VERSIONINFO parsing
26
+ * PE Packer/Compiler detection
27
+ * a convenient way to upload your PE's to http://pedump.me for a nice HTML tables with image previews, candies & stuff
28
+
29
+ Installation
30
+ ------------
31
+ gem install pedump
32
+
33
+ Usage
34
+ -----
35
+
36
+ # pedump -h
37
+
38
+ Usage: pedump [options]
39
+ --version Print version information and exit
40
+ -v, --verbose Run verbosely
41
+ (can be used multiple times)
42
+ -q, --quiet Silent any warnings
43
+ (can be used multiple times)
44
+ -F, --force Try to dump by all means
45
+ (can cause exceptions & heavy wounds)
46
+ -f, --format FORMAT Output format: bin,c,dump,hex,inspect,table,yaml
47
+ (default: table)
48
+ --mz
49
+ --dos-stub
50
+ --rich
51
+ --pe
52
+ --ne
53
+ --data-directory
54
+ -S, --sections
55
+ --tls
56
+ --security
57
+ -s, --strings
58
+ -R, --resources
59
+ --resource-directory
60
+ -I, --imports
61
+ -E, --exports
62
+ -V, --version-info
63
+ --packer
64
+ --deep packer deep scan, significantly slower
65
+ -P, --packer-only packer/compiler detect only,
66
+ mimics 'file' command output
67
+ -r, --recursive recurse dirs in packer detect
68
+ --all Dump all but resource-directory (default)
69
+ --va2file VA Convert RVA to file offset
70
+ -W, --web Uploads files to a http://pedump.me
71
+ for a nice HTML tables with image previews,
72
+ candies & stuff
73
+
74
+ ### MZ Header
75
+
76
+ # pedump --mz calc.exe
77
+
78
+ === MZ Header ===
79
+
80
+ signature: "MZ"
81
+ bytes_in_last_block: 144 0x90
82
+ blocks_in_file: 3 3
83
+ num_relocs: 0 0
84
+ header_paragraphs: 4 4
85
+ min_extra_paragraphs: 0 0
86
+ max_extra_paragraphs: 65535 0xffff
87
+ ss: 0 0
88
+ sp: 184 0xb8
89
+ checksum: 0 0
90
+ ip: 0 0
91
+ cs: 0 0
92
+ reloc_table_offset: 64 0x40
93
+ overlay_number: 0 0
94
+ reserved0: 0 0
95
+ oem_id: 0 0
96
+ oem_info: 0 0
97
+ reserved2: 0 0
98
+ reserved3: 0 0
99
+ reserved4: 0 0
100
+ reserved5: 0 0
101
+ reserved6: 0 0
102
+ lfanew: 232 0xe8
103
+
104
+ ### DOS stub
105
+
106
+ # pedump --dos-stub calc.exe
107
+
108
+ === DOS STUB ===
109
+
110
+ 00000000: 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|
111
+ 00000010: 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|
112
+ 00000020: 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |
113
+ 00000030: 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|
114
+
115
+ ### 'Rich' Header
116
+
117
+ # pedump --rich calc.exe
118
+
119
+ === RICH Header ===
120
+
121
+ LIB_ID VERSION TIMES_USED
122
+ 149 95 21022 521e 9 9
123
+ 1 1 0 0 367 16f
124
+ 147 93 21022 521e 29 1d
125
+ 132 84 21022 521e 129 81
126
+ 131 83 21022 521e 25 19
127
+ 148 94 21022 521e 1 1
128
+ 145 91 21022 521e 1 1
129
+
130
+ ### PE Header
131
+
132
+ # pedump --pe calc.exe
133
+
134
+ === PE Header ===
135
+
136
+ signature: "PE\x00\x00"
137
+
138
+ # IMAGE_FILE_HEADER:
139
+ Machine: 332 0x14c x86
140
+ NumberOfSections: 4 4
141
+ TimeDateStamp: "2008-09-14 07:28:52"
142
+ PointerToSymbolTable: 0 0
143
+ NumberOfSymbols: 0 0
144
+ SizeOfOptionalHeader: 224 0xe0
145
+ Characteristics: 258 0x102 EXECUTABLE_IMAGE, 32BIT_MACHINE
146
+
147
+ # IMAGE_OPTIONAL_HEADER32:
148
+ Magic: 267 0x10b 32-bit executable
149
+ LinkerVersion: 9.0
150
+ SizeOfCode: 305664 0x4aa00
151
+ SizeOfInitializedData: 340480 0x53200
152
+ SizeOfUninitializedData: 0 0
153
+ AddressOfEntryPoint: 230155 0x3830b
154
+ BaseOfCode: 4096 0x1000
155
+ BaseOfData: 311296 0x4c000
156
+ ImageBase: 16777216 0x1000000
157
+ SectionAlignment: 4096 0x1000
158
+ FileAlignment: 512 0x200
159
+ OperatingSystemVersion: 5.1
160
+ ImageVersion: 5.256
161
+ SubsystemVersion: 5.1
162
+ Reserved1: 0 0
163
+ SizeOfImage: 659456 0xa1000
164
+ SizeOfHeaders: 1024 0x400
165
+ CheckSum: 690555 0xa897b
166
+ Subsystem: 2 2 WINDOWS_GUI
167
+ DllCharacteristics: 33088 0x8140 DYNAMIC_BASE, NX_COMPAT
168
+ TERMINAL_SERVER_AWARE
169
+ SizeOfStackReserve: 262144 0x40000
170
+ SizeOfStackCommit: 8192 0x2000
171
+ SizeOfHeapReserve: 1048576 0x100000
172
+ SizeOfHeapCommit: 4096 0x1000
173
+ LoaderFlags: 0 0
174
+ NumberOfRvaAndSizes: 16 0x10
175
+
176
+ ### Data Directory
177
+
178
+ # pedump --data-directory calc.exe
179
+
180
+ === DATA DIRECTORY ===
181
+
182
+ EXPORT rva:0x 0 size:0x 0
183
+ IMPORT rva:0x 49c1c size:0x 12c
184
+ RESOURCE rva:0x 51000 size:0x 4ab07
185
+ EXCEPTION rva:0x 0 size:0x 0
186
+ SECURITY rva:0x 0 size:0x 0
187
+ BASERELOC rva:0x 9c000 size:0x 3588
188
+ DEBUG rva:0x 1610 size:0x 1c
189
+ ARCHITECTURE rva:0x 0 size:0x 0
190
+ GLOBALPTR rva:0x 0 size:0x 0
191
+ TLS rva:0x 0 size:0x 0
192
+ LOAD_CONFIG rva:0x 3d78 size:0x 40
193
+ Bound_IAT rva:0x 280 size:0x 12c
194
+ IAT rva:0x 1000 size:0x 594
195
+ Delay_IAT rva:0x 49bac size:0x 40
196
+ CLR_Header rva:0x 0 size:0x 0
197
+ rva:0x 0 size:0x 0
198
+
199
+ ### Sections
200
+
201
+ # pedump --sections calc.exe
202
+
203
+ === SECTIONS ===
204
+
205
+ NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS
206
+ .text 1000 4a99a 4aa00 400 0 0 0 0 60000020 R-X CODE
207
+ .data 4c000 431c 3000 4ae00 0 0 0 0 c0000040 RW- IDATA
208
+ .rsrc 51000 4ab07 4ac00 4de00 0 0 0 0 40000040 R-- IDATA
209
+ .reloc 9c000 41f6 4200 98a00 0 0 0 0 42000040 R-- IDATA DISCARDABLE
210
+
211
+ ### Resources
212
+
213
+ # pedump --resources calc.exe
214
+
215
+ === RESOURCES ===
216
+
217
+ FILE_OFFSET CP LANG SIZE TYPE NAME
218
+ 0x4ec84 0 0x409 7465 IMAGE #157
219
+ 0x509b0 0 0x409 4086 IMAGE #165
220
+ 0x519a8 0 0x409 4234 IMAGE #170
221
+ 0x52a34 0 0x409 4625 IMAGE #175
222
+ 0x53c48 0 0x409 4873 IMAGE #180
223
+ 0x54f54 0 0x409 3048 IMAGE #204
224
+ 0x55b3c 0 0x409 3052 IMAGE #208
225
+ 0x56728 0 0x409 3217 IMAGE #212
226
+ 0x573bc 0 0x409 3338 IMAGE #216
227
+ 0x580c8 0 0x409 4191 IMAGE #217
228
+ 0x59128 0 0x409 4229 IMAGE #218
229
+ 0x5a1b0 0 0x409 4110 IMAGE #219
230
+ 0x5b1c0 0 0x409 4065 IMAGE #220
231
+ 0x5c1a4 0 0x409 3235 IMAGE #961
232
+ 0x5ce48 0 0x409 470 IMAGE #981
233
+ 0x5d020 0 0x409 587 IMAGE #982
234
+ 0x5d26c 0 0x409 518 IMAGE #983
235
+ 0x5d474 0 0x409 5344 IMAGE #3000
236
+ 0x5e954 0 0x409 4154 IMAGE #3015
237
+ 0x5f990 0 0x409 4815 IMAGE #3045
238
+ 0x60c60 0 0x409 6038 IMAGE #3051
239
+ 0x623f8 0 0x409 4290 IMAGE #3060
240
+ ...
241
+
242
+ ### Strings
243
+
244
+ # pedump --strings calc.exe.mui
245
+
246
+ === STRINGS ===
247
+
248
+ ID ID LANG STRING
249
+ 0 0 409 "+/-"
250
+ 1 1 409 "C"
251
+ 2 2 409 "CE"
252
+ 3 3 409 "Backspace"
253
+ 4 4 409 "."
254
+ 6 6 409 "And"
255
+ 7 7 409 "Or"
256
+ 8 8 409 "Xor"
257
+ 9 9 409 "Lsh"
258
+ 10 a 409 "Rsh"
259
+ 11 b 409 "/"
260
+ 12 c 409 "*"
261
+ 13 d 409 "+"
262
+ 14 e 409 "-"
263
+ 15 f 409 "Mod"
264
+ 16 10 409 "R"
265
+ 17 11 409 "^"
266
+ 18 12 409 "Int"
267
+ 19 13 409 "RoL"
268
+ 20 14 409 "RoR"
269
+ 21 15 409 "Not"
270
+ 22 16 409 "sin"
271
+ ...
272
+
273
+ ### Imports
274
+
275
+ # pedump --imports zlib.dll
276
+
277
+ === IMPORTS ===
278
+
279
+ MODULE_NAME HINT ORD FUNCTION_NAME
280
+ KERNEL32.dll e1 GetLastError
281
+ KERNEL32.dll 153 HeapAlloc
282
+ KERNEL32.dll 159 HeapFree
283
+ KERNEL32.dll 9f GetCommandLineA
284
+ KERNEL32.dll 103 GetProcAddress
285
+ KERNEL32.dll eb GetModuleHandleA
286
+ KERNEL32.dll 137 GetVersion
287
+ KERNEL32.dll 164 InitializeCriticalSection
288
+ KERNEL32.dll 44 DeleteCriticalSection
289
+ KERNEL32.dll 4f EnterCriticalSection
290
+ KERNEL32.dll 177 LeaveCriticalSection
291
+ KERNEL32.dll 1fa SetHandleCount
292
+ KERNEL32.dll dc GetFileType
293
+ KERNEL32.dll 116 GetStdHandle
294
+ KERNEL32.dll 114 GetStartupInfoA
295
+ KERNEL32.dll 155 HeapCreate
296
+ KERNEL32.dll 157 HeapDestroy
297
+ KERNEL32.dll c7 GetCurrentThreadId
298
+ KERNEL32.dll 222 TlsSetValue
299
+ KERNEL32.dll 21f TlsAlloc
300
+ KERNEL32.dll 220 TlsFree
301
+ KERNEL32.dll 1fd SetLastError
302
+ KERNEL32.dll 221 TlsGetValue
303
+ KERNEL32.dll 62 ExitProcess
304
+ KERNEL32.dll 1b8 ReadFile
305
+ KERNEL32.dll 16 CloseHandle
306
+ KERNEL32.dll 24f WriteFile
307
+ KERNEL32.dll 83 FlushFileBuffers
308
+ KERNEL32.dll e9 GetModuleFileNameA
309
+ KERNEL32.dll 98 GetCPInfo
310
+ KERNEL32.dll 92 GetACP
311
+ KERNEL32.dll f6 GetOEMCP
312
+ KERNEL32.dll 8b FreeEnvironmentStringsA
313
+ KERNEL32.dll d0 GetEnvironmentStrings
314
+ KERNEL32.dll 8c FreeEnvironmentStringsW
315
+ KERNEL32.dll d2 GetEnvironmentStringsW
316
+ KERNEL32.dll 242 WideCharToMultiByte
317
+ KERNEL32.dll 2b CreateFileA
318
+ KERNEL32.dll 1f8 SetFilePointer
319
+ KERNEL32.dll 206 SetStdHandle
320
+ KERNEL32.dll 178 LoadLibraryA
321
+ KERNEL32.dll 1ef SetEndOfFile
322
+
323
+ ### Exports
324
+
325
+ # pedump --exports zlib.dll
326
+
327
+ === EXPORTS ===
328
+
329
+ # module "zlib.dll"
330
+ # flags=0x0 ts="1996-05-07 08:46:46" version=0.0 ord_base=1
331
+ # nFuncs=27 nNames=27
332
+
333
+ ORD ENTRY_VA NAME
334
+ 1 76d0 adler32
335
+ 2 2db0 compress
336
+ 3 4aa0 crc32
337
+ 4 3c90 deflate
338
+ 5 4060 deflateCopy
339
+ 6 3fd0 deflateEnd
340
+ 7 37f0 deflateInit2_
341
+ 8 37c0 deflateInit_
342
+ 9 3bc0 deflateParams
343
+ a 3b40 deflateReset
344
+ b 3a40 deflateSetDictionary
345
+ c 7510 gzclose
346
+ d 6f00 gzdopen
347
+ e 75a0 gzerror
348
+ f 73f0 gzflush
349
+ 10 6c50 gzopen
350
+ 11 7190 gzread
351
+ 12 7350 gzwrite
352
+ 13 4e50 inflate
353
+ 14 4cc0 inflateEnd
354
+ 15 4d20 inflateInit2_
355
+ 16 4e30 inflateInit_
356
+ 17 4c70 inflateReset
357
+ 18 5260 inflateSetDictionary
358
+ 19 52f0 inflateSync
359
+ 1a 4bd0 uncompress
360
+ 1b e340 zlib_version
361
+
362
+ ### VS_VERSIONINFO parsing
363
+
364
+ # pedump --version-info calc.exe
365
+
366
+ === VERSION INFO ===
367
+
368
+ # VS_FIXEDFILEINFO:
369
+ FileVersion : 6.1.6801.0
370
+ ProductVersion : 6.1.6801.0
371
+ StrucVersion : 0x10000
372
+ FileFlagsMask : 0x3f
373
+ FileFlags : 0
374
+ FileOS : 0x40004
375
+ FileType : 1
376
+ FileSubtype : 0
377
+
378
+ # StringTable 040904B0:
379
+ CompanyName : "Microsoft Corporation"
380
+ FileDescription : "Windows Calculator"
381
+ FileVersion : "6.1.6801.0 (winmain_win7m3.080913-2030)"
382
+ InternalName : "CALC"
383
+ LegalCopyright : "© Microsoft Corporation. All rights reserved."
384
+ OriginalFilename : "CALC.EXE"
385
+ ProductName : "Microsoft® Windows® Operating System"
386
+ ProductVersion : "6.1.6801.0"
387
+
388
+ VarFileInfo : [ 0x409, 0x4b0 ]
389
+
390
+ ### Packer / Compiler detection
391
+
392
+ # pedump --packer zlib.dll
393
+
394
+ === Packer / Compiler ===
395
+
396
+ MS Visual C v2.0
397
+
398
+ #### pedump can mimic 'file' command output:
399
+
400
+ #pedump --packer-only -qqq samples/*
401
+
402
+ samples/StringLoader.dll: Microsoft Visual C++ 6.0 DLL (Debug)
403
+ samples/control.exe: ASPack v2.12
404
+ samples/gms_v1_0_3.exe: UPX 2.90 [LZMA] (Markus Oberhumer, Laszlo Molnar & John Reiser)
405
+ samples/unpackme.exe: ASProtect 1.33 - 2.1 Registered (Alexey Solodovnikov)
406
+ samples/zlib.dll: Microsoft Visual C v2.0
407
+
408
+ License
409
+ -------
410
+ Released under the MIT License. See the [LICENSE](https://github.com/zed-0xff/pedump/blob/master/LICENSE.txt) file for further details.