pedump 0.3.2 → 0.3.3

data/lib/pedump/cli.rb

@@ -14,10 +14,10 @@ class PEdump::CLI
 
   KNOWN_ACTIONS = (
     %w'mz dos_stub rich pe data_directory sections' +
-    %w'strings resources resource_directory imports exports web'
+    %w'strings resources resource_directory imports exports packer web packer_only'
   ).map(&:to_sym)
 
-  DEFAULT_ALL_ACTIONS = KNOWN_ACTIONS - %w'resource_directory web'.map(&:to_sym)
+  DEFAULT_ALL_ACTIONS = KNOWN_ACTIONS - %w'resource_directory web packer_only'.map(&:to_sym)
 
   URL_BASE = "http://pedump.me"
 
@@ -31,28 +31,35 @@ class PEdump::CLI
     optparser = OptionParser.new do |opts|
       opts.banner = "Usage: pedump [options]"
 
+      opts.on "-V", "--version", "Print version information and exit" do
+        puts PEdump::VERSION
+        exit
+      end
       opts.on "-v", "--[no-]verbose", "Run verbosely" do |v|
         @options[:verbose] ||= 0
         @options[:verbose] += 1
       end
-      opts.on "-F", "--force", "Try to dump by all means (can cause exceptions & heavy wounds)" do |v|
+      opts.on "-F", "--force", "Try to dump by all means","(can cause exceptions & heavy wounds)" do |v|
         @options[:force] ||= 0
         @options[:force] += 1
       end
       opts.on "-f", "--format FORMAT", [:binary, :c, :dump, :hex, :inspect, :table],
-        "Output format: bin,c,dump,hex,inspect,table (default)" do |v|
+        "Output format: bin,c,dump,hex,inspect,table","(default: table)" do |v|
         @options[:format] = v
       end
       KNOWN_ACTIONS.each do |t|
         opts.on "--#{t.to_s.tr('_','-')}", eval("lambda{ |_| @actions << :#{t.to_s.tr('-','_')} }")
       end
-      opts.on "--all", "Dump all but #{(KNOWN_ACTIONS-DEFAULT_ALL_ACTIONS).join(',')} (default)" do
+      opts.on '-P', "--packer-only", "packer/compiler detect only,","mimics 'file' command output" do
+        @actions << :packer_only
+      end
+      opts.on "--all", "Dump all but resource-directory (default)" do
         @actions = DEFAULT_ALL_ACTIONS
       end
       opts.on "--va2file VA", "Convert RVA to file offset" do |va|
         @actions << [:va2file,va]
       end
-      opts.on "-W", "--web", "Upload file to a #{URL_BASE} for a nice HTML tables with image previews, candies & stuff" do
+      opts.on "-W", "--web", "Uploads files to a #{URL_BASE}","for a nice HTML tables with image previews,","candies & stuff" do
         @actions << :web
       end
     end
@@ -68,13 +75,16 @@ class PEdump::CLI
     end
     @actions = DEFAULT_ALL_ACTIONS if @actions.empty?
 
+    if @actions.include?(:packer_only)
+      raise "[!] can't mix --packer-only with other actions" if @actions.size > 1
+      dump_packer_only(argv)
+      return
+    end
+
     argv.each_with_index do |fname,idx|
-      if argv.size > 1
-        puts if idx > 0
-        puts "# -----------------------------------------------"
-        puts "# #{fname}"
-        puts "# -----------------------------------------------"
-      end
+      @need_fname_header = (argv.size > 1)
+      @file_idx  = idx
+      @file_name = fname
 
       File.open(fname,'rb') do |f|
         @pedump = PEdump.new(fname, :force => @options[:force]).tap do |x|
@@ -99,6 +109,23 @@ class PEdump::CLI
     # prevents a 'Broken pipe - <STDOUT> (Errno::EPIPE)' message
   end
 
+  def dump_packer_only fnames
+    max_fname_len = fnames.map(&:size).max
+    fnames.each do |fname|
+      File.open(fname,'rb') do |f|
+        @pedump = PEdump.new(fname, :force => @options[:force]).tap do |x|
+          if @options[:verbose]
+            x.logger.level = @options[:verbose] > 1 ? Logger::INFO : Logger::DEBUG
+          end
+        end
+        packers = @pedump.packers(f)
+        pname = Array(packers).first.try(:packer).try(:name)
+        pname ||= "unknown" if @options[:verbose]
+        printf("%-*s %s\n", max_fname_len+1, "#{fname}:", pname) if pname
+      end
+    end
+  end
+
   class ProgressProxy
     attr_reader :pbar
 
@@ -173,8 +200,17 @@ class PEdump::CLI
   end
 
   def action_title action
+    if @need_fname_header
+      @need_fname_header = false
+      puts if @file_idx > 0
+      puts "# -----------------------------------------------"
+      puts "# #@file_name"
+      puts "# -----------------------------------------------"
+    end
+
     s = action.to_s.upcase.tr('_',' ')
     s += " Header" if [:mz, :pe, :rich].include?(action)
+    s = "Packer / Compiler" if action == :packer
     "\n=== %s ===\n\n" % s
   end
 
@@ -310,6 +346,8 @@ class PEdump::CLI
         dump_strings data
       when PEdump::IMAGE_IMPORT_DESCRIPTOR
         dump_imports data
+      when PEdump::Packer::Match
+        dump_packers data
       else
         puts "[?] don't know how to dump: #{data.inspect[0,50]}" unless data.empty?
       end
@@ -322,6 +360,17 @@ class PEdump::CLI
     end
   end
 
+  def dump_packers data
+    if @options[:verbose]
+      data.each do |p|
+        printf "%8x %4d %s\n", p.offset, p.packer.size, p.packer.name
+      end
+    else
+      # show only largest detected unless verbose output requested
+      puts "  #{data.first.packer.name}"
+    end
+  end
+
   def dump_exports data
     printf "# module %s\n# flags=0x%x  ts=%s  version=%d.%d  ord_base=%d\n",
       data.name.inspect,

data/lib/pedump/packer.rb

@@ -0,0 +1,124 @@
+class PEdump
+  class Packer < Struct.new(:name, :re, :ep_only, :size)
+
+    DATA_ROOT      = File.dirname(File.dirname(File.dirname(__FILE__)))
+    BIN_SIGS_FILE  = File.join(DATA_ROOT, "data", "sig.bin")
+    TEXT_SIGS_FILE = File.join(DATA_ROOT, "data", "sig.txt")
+
+    Match = Struct.new :offset, :packer
+
+    class << self
+
+      def all
+        @@all ||=
+          begin
+            r = unmarshal
+            unless r
+              if PEdump.respond_to?(:logger) && PEdump.logger
+                PEdump.logger.warn "[?] #{self}: unmarshal failed, using slow text parsing instead"
+              else
+                STDERR.puts "[?] #{self}: unmarshal failed, using slow text parsing instead"
+              end
+              r = parse
+            end
+            r
+          end
+      end
+      alias :load :all
+
+      def max_size
+        @@max_size ||= all.map(&:size).max
+      end
+
+      def of data, ep_offset = nil
+        if data.respond_to?(:read) && data.respond_to?(:seek) && ep_offset
+          of_file data, ep_offset
+        else
+          of_data data
+        end
+      end
+
+      # try to determine packer of FILE f, ep_offset - offset to entrypoint from start of file
+      def of_file f, ep_offset
+        f.seek(ep_offset)
+        of_data f.read(max_size)
+      end
+
+      def of_data data
+        r = []
+        each do |packer|
+          if (idx=data.index(packer.re)) == 0
+            r << Match.new(idx, packer)
+          end
+        end
+        r.any? ? r.sort_by{ |x| -x.packer.size } : nil
+      end
+
+      def method_missing *args, &block
+        all.respond_to?(args.first) ? all.send(*args,&block) : super
+      end
+
+      def unmarshal
+        File.open(BIN_SIGS_FILE,"rb") do |f|
+          Marshal.load(f)
+        end
+      rescue
+        nil
+      end
+
+      # parse text signatures
+      def parse fname = TEXT_SIGS_FILE
+        sigs = {}; sig = nil
+
+        File.open(fname,'r:utf-8') do |f|
+          while line = f.gets
+            line.strip!
+
+            # XXX
+            # "B\xE9rczi G\xE1bor".force_encoding('binary').to_yaml:
+            # RuntimeError: expected SCALAR, SEQUENCE-START, MAPPING-START, or ALIAS
+
+            case line
+            when /^;/,/^$/
+              next
+            when /^\[(.+)\]$/
+              sig = Packer.new($1.sub(/^\*\s+/,'').sub(/\s+\(h\)$/,''))
+            when /^signature = (.+)$/
+              sig.re = $1
+              if sigs[sig.re]
+                next if sigs[sig.re].name == sig.name
+                printf "[?] dup %-40s, %s\n", sigs[sig.re].name.inspect, sig.name.inspect
+              end
+              sigs[sig.re] = sig
+            when /^ep_only = (.+)$/
+              sig.ep_only = ($1.strip.downcase == 'true')
+            else raise line
+            end
+          end
+        end
+
+        sigs = sigs.values
+        sigs.each do |sig|
+          sig.re = Regexp.new(
+            sig.re.split(' ').tap do |a|
+              sig.size = a.size
+            end.map do |x|
+              case x
+              when '??'
+                '.'
+              when /[a-f0-9]{2}/i
+                Regexp::escape x.to_i(16).chr
+              else raise x
+              end
+            end.join
+          )
+          if sig.name[/-+>/]
+            a = sig.name.split(/-+>/,2).map(&:strip)
+            sig.name = "#{a[0]} (#{a[1]})"
+          end
+        end
+        sigs
+      end
+    end
+  end
+end

data/lib/pedump/version.rb

@@ -0,0 +1,10 @@
+class PEdump
+  module Version
+    MAJOR = 0
+    MINOR = 3
+    PATCH = 3
+    BUILD = nil
+
+    STRING = [MAJOR, MINOR, PATCH, BUILD].compact.join('.')
+  end
+end

data/lib/pedump.rb

@@ -1,5 +1,6 @@
 #!/usr/bin/env ruby
 require 'logger'
+require 'pedump/version'
 
 # pedump.rb by zed_0xff
 #
@@ -37,6 +38,8 @@ end
 class PEdump
   attr_accessor :fname, :logger, :force
 
+  VERSION = Version::STRING
+
   def initialize fname, params = {}
     @fname = fname
     @force = params[:force]
@@ -522,6 +525,7 @@ class PEdump
               nil
             end
         end
+        x[tbl] && x[tbl].compact!
       end
       if x.original_first_thunk && !x.first_thunk
         logger.warn "[?] import table: empty FirstThunk of #{x.module_name}"
@@ -967,6 +971,28 @@ class PEdump
       end
     end.flatten.compact
   end
+
+  def packer f = nil
+    @packer ||= pe(f) && @pe.ioh &&
+      begin
+        if !(va=@pe.ioh.AddressOfEntryPoint)
+          logger.error "[?] can't find EntryPoint RVA"
+          nil
+        elsif !(ofs = va2file(va))
+          logger.error "[?] can't find EntryPoint RVA (0x#{va.to_s(16)}) file offset"
+          nil
+        else
+          require 'pedump/packer'
+          if PEdump::Packer.all.size == 0
+            logger.error "[?] no packer definitions found"
+            nil
+          else
+            Packer.of(f, ofs)
+          end
+        end
+      end
+  end
+  alias :packers :packer
 end
 
 ####################################################################################

data/pedump.gemspec

@@ -5,17 +5,18 @@
 
 Gem::Specification.new do |s|
   s.name = "pedump"
-  s.version = "0.3.2"
+  s.version = "0.3.3"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Andrey \"Zed\" Zaikin"]
-  s.date = "2011-12-12"
+  s.date = "2011-12-13"
   s.description = "dump headers, sections, extract resources of win32 PE exe,dll,etc"
   s.email = "zed.0xff@gmail.com"
   s.executables = ["pedump"]
   s.extra_rdoc_files = [
     "LICENSE.txt",
-    "README.rdoc"
+    "README.md",
+    "README.md.tpl"
   ]
   s.files = [
     ".document",
@@ -23,13 +24,19 @@ Gem::Specification.new do |s|
     "Gemfile",
     "Gemfile.lock",
     "LICENSE.txt",
-    "README.rdoc",
+    "README.md",
+    "README.md.tpl",
     "Rakefile",
     "VERSION",
     "bin/pedump",
+    "data/sig.bin",
+    "data/sig.txt",
     "lib/pedump.rb",
     "lib/pedump/cli.rb",
+    "lib/pedump/packer.rb",
+    "lib/pedump/version.rb",
     "pedump.gemspec",
+    "samples/calc.7z",
     "spec/pedump_spec.rb",
     "spec/spec_helper.rb"
   ]

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pedump
 version: !ruby/object:Gem::Version
-  version: 0.3.2
+  version: 0.3.3
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-12-12 00:00:00.000000000Z
+date: 2011-12-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multipart-post
-  requirement: &70099128727380 !ruby/object:Gem::Requirement
+  requirement: &70135365235740 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -21,10 +21,10 @@ dependencies:
         version: 1.1.4
   type: :runtime
   prerelease: false
-  version_requirements: *70099128727380
+  version_requirements: *70135365235740
 - !ruby/object:Gem::Dependency
   name: progressbar
-  requirement: &70099128726580 !ruby/object:Gem::Requirement
+  requirement: &70135365807020 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -32,10 +32,10 @@ dependencies:
         version: 0.9.2
   type: :runtime
   prerelease: false
-  version_requirements: *70099128726580
+  version_requirements: *70135365807020
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &70099128724780 !ruby/object:Gem::Requirement
+  requirement: &70135365806000 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -43,10 +43,10 @@ dependencies:
         version: 2.3.0
   type: :development
   prerelease: false
-  version_requirements: *70099128724780
+  version_requirements: *70135365806000
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: &70099128713520 !ruby/object:Gem::Requirement
+  requirement: &70135365804780 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -54,10 +54,10 @@ dependencies:
         version: 1.0.0
   type: :development
   prerelease: false
-  version_requirements: *70099128713520
+  version_requirements: *70135365804780
 - !ruby/object:Gem::Dependency
   name: jeweler
-  requirement: &70099128712420 !ruby/object:Gem::Requirement
+  requirement: &70135365803680 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -65,10 +65,10 @@ dependencies:
         version: 1.6.4
   type: :development
   prerelease: false
-  version_requirements: *70099128712420
+  version_requirements: *70135365803680
 - !ruby/object:Gem::Dependency
   name: rcov
-  requirement: &70099128711520 !ruby/object:Gem::Requirement
+  requirement: &70135365802300 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -76,7 +76,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70099128711520
+  version_requirements: *70135365802300
 description: dump headers, sections, extract resources of win32 PE exe,dll,etc
 email: zed.0xff@gmail.com
 executables:
@@ -84,20 +84,27 @@ executables:
 extensions: []
 extra_rdoc_files:
 - LICENSE.txt
-- README.rdoc
+- README.md
+- README.md.tpl
 files:
 - .document
 - .rspec
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
-- README.rdoc
+- README.md
+- README.md.tpl
 - Rakefile
 - VERSION
 - bin/pedump
+- data/sig.bin
+- data/sig.txt
 - lib/pedump.rb
 - lib/pedump/cli.rb
+- lib/pedump/packer.rb
+- lib/pedump/version.rb
 - pedump.gemspec
+- samples/calc.7z
 - spec/pedump_spec.rb
 - spec/spec_helper.rb
 homepage: http://github.com/zed-0xff/pedump
@@ -115,7 +122,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 3702742729748465882
+      hash: -3106600206779889876
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:

data/README.rdoc

@@ -1,19 +0,0 @@
-= pedump
-
-Description goes here.
-
-== Contributing to pedump
- 
-* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
-* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
-* Fork the project
-* Start a feature/bugfix branch
-* Commit and push until you are happy with your contribution
-* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
-* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
-
-== Copyright
-
-Copyright (c) 2011 Andrey "Zed" Zaikin. See LICENSE.txt for
-further details.
-