pedump 0.3.3 → 0.4.0

data/lib/pedump/version.rb

@@ -1,8 +1,8 @@
 class PEdump
   module Version
     MAJOR = 0
-    MINOR = 3
-    PATCH = 3
+    MINOR = 4
+    PATCH = 0
     BUILD = nil
 
     STRING = [MAJOR, MINOR, PATCH, BUILD].compact.join('.')

data/lib/pedump/version_info.rb

@@ -0,0 +1,166 @@
+class PEdump
+  class VS_VERSIONINFO < PEdump.create_struct( 'v3a32v',
+    :wLength,
+    :wValueLength,
+    :wType,
+    :szKey,          # The Unicode string L"VS_VERSION_INFO".
+    :Padding1,
+    # manual:
+    :Value,          # VS_FIXEDFILEINFO
+    :Padding2,
+    :Children
+  )
+    def self.read f, size = SIZE
+      super.tap do |vi|
+        vi.szKey.force_encoding('UTF-16LE').encode!('UTF-8').sub!(/\u0000$/,'') rescue nil
+        vi.Padding1 = f.tell%4 > 0 ? f.read(4 - f.tell%4) : nil
+        vi.Value = VS_FIXEDFILEINFO.read(f,vi.wValueLength)
+        # As many zero words as necessary to align the Children member on a 32-bit boundary.
+        # These bytes are not included in wValueLength. This member is optional.
+        vi.Padding2 = f.tell%4 > 0 ? f.read(4 - f.tell%4) : nil
+        vi.Children = [] # An array of zero or one StringFileInfo structures,
+                         # and zero or one VarFileInfo structures
+
+        2.times do
+          pos = f.tell
+          f.seek(pos+6)  # seek 6 bytes forward
+          t = f.read(6)
+          f.seek(pos)    # return back
+          case t
+          when "V\x00a\x00r\x00"
+            vi.Children << VarFileInfo.read(f)
+          when "S\x00t\x00r\x00"
+            vi.Children << StringFileInfo.read(f)
+          else
+            PEdump.logger.warn "[?] invalid VS_VERSIONINFO child type #{t.inspect}"
+            break
+          end
+        end
+      end
+    end
+  end
+
+  class VS_FIXEDFILEINFO < PEdump.create_struct( 'V13',
+    :dwSignature,
+    :dwStrucVersion,
+    :dwFileVersionMS,
+    :dwFileVersionLS,
+    :dwProductVersionMS,
+    :dwProductVersionLS,
+    :dwFileFlagsMask,
+    :dwFileFlags,
+    :dwFileOS,
+    :dwFileType,
+    :dwFileSubtype,
+    :dwFileDateMS,
+    :dwFileDateLS,
+    # manual:
+    :valid
+  )
+    def self.read f, size = SIZE
+      super.tap do |ffi|
+        ffi.valid = (ffi.dwSignature == 0xFEEF04BD)
+      end
+    end
+  end
+
+  class StringFileInfo < PEdump.create_struct( 'v3a30',
+    :wLength,
+    :wValueLength,  # always 0
+    :wType,         # 1 => text data, 0 => binary data
+    :szKey,         # The Unicode string L"StringFileInfo"
+    :Padding,       # As many zero words as necessary to align the Children member on a 32-bit boundary
+    :Children       # An array of one or more StringTable structures
+  )
+    def self.read f, size = SIZE
+      pos0 = f.tell
+      super.tap do |x|
+        x.szKey.force_encoding('UTF-16LE').encode!('UTF-8').sub!(/\u0000$/,'') rescue nil
+        x.Padding = f.tell%4 > 0 ? f.read(4 - f.tell%4) : nil
+        x.Children = []
+        while !f.eof? && f.tell < pos0+x.wLength
+          x.Children << StringTable.read(f)
+        end
+      end
+    end
+  end
+
+  class StringTable < PEdump.create_struct( 'v3a16v',
+    :wLength,       # The length, in bytes, of this StringTable structure,
+                    # including all structures indicated by the Children member.
+    :wValueLength,  # always 0
+    :wType,         # 1 => text data, 0 => binary data
+    :szKey,         # An 8-digit hexadecimal number stored as a Unicode string
+    :Padding,       # As many zero words as necessary to align the Children member on a 32-bit boundary
+    :Children       # An array of one or more String structures.
+  )
+    def self.read f, size = SIZE
+      pos0 = f.tell
+      super.tap do |x|
+        x.szKey.force_encoding('UTF-16LE').encode!('UTF-8').sub!(/\u0000$/,'') rescue nil
+        x.Padding = f.tell%4 > 0 ? f.read(4 - f.tell%4) : nil
+        x.Children = []
+        while !f.eof? && f.tell < pos0+x.wLength
+          x.Children << VersionString.read(f)
+        end
+      end
+    end
+  end
+
+  class VersionString < PEdump.create_struct( 'v3',
+    :wLength,       # The length, in bytes, of this String structure.
+    :wValueLength,  # The size, in words, of the Value member
+    :wType,         # 1 => text data, 0 => binary data
+    :szKey,         # An arbitrary Unicode string
+    :Padding,       # As many zero words as necessary to align the Value member on a 32-bit boundary
+    :Value          # A zero-terminated string. See the szKey member description for more information
+  )
+    def self.read f, size = SIZE
+      super.tap do |x|
+        x.szKey   = ''
+        x.szKey << f.read(2) until x.szKey[-2..-1] == "\x00\x00" || f.eof?
+        x.Padding = f.tell%4 > 0 ? f.read(4 - f.tell%4) : nil
+        x.Value   = f.read(x.wValueLength*2)
+        if f.tell%4 > 0
+          f.read(4-f.tell%4) # undoc padding?
+        end
+        x.szKey.force_encoding('UTF-16LE').encode!('UTF-8').sub!(/\u0000$/,'') rescue nil
+        x.Value.force_encoding('UTF-16LE').encode!('UTF-8').sub!(/\u0000$/,'') rescue nil
+      end
+    end
+  end
+
+  class VarFileInfo < PEdump.create_struct( 'v3a24v',
+    :wLength,
+    :wValueLength,  # always 0
+    :wType,         # 1 => text data, 0 => binary data
+    :szKey,         # The Unicode string L"VarFileInfo"
+    :Padding,       # As many zero words as necessary to align the Children member on a 32-bit boundary
+    :Children       # Typically contains a list of languages that the application or DLL supports
+  )
+    def self.read f, size = SIZE
+      super.tap do |x|
+        x.szKey.force_encoding('UTF-16LE').encode!('UTF-8').sub!(/\u0000$/,'') rescue nil
+        x.Padding = f.tell%4 > 0 ? f.read(4 - f.tell%4) : nil
+        x.Children = Var.read(f)
+      end
+    end
+  end
+
+  class Var < PEdump.create_struct( 'v3a24',
+    :wLength,
+    :wValueLength,  # The length, in bytes, of the Value member
+    :wType,         # 1 => text data, 0 => binary data
+    :szKey,         # The Unicode string L"Translation"
+    :Padding,       # As many zero words as necessary to align the Children member on a 32-bit boundary
+    :Value          # An array of one or more values that are language and code page identifier pairs
+  )
+    def self.read f, size = SIZE
+      super.tap do |x|
+        x.szKey.force_encoding('UTF-16LE').encode!('UTF-8').sub!(/\u0000$/,'') rescue nil
+        x.Padding = f.tell%4 > 0 ? f.read(4 - f.tell%4) : nil
+        x.Value = f.read(x.wValueLength).unpack('v*')
+      end
+    end
+  end
+end

data/pedump.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = "pedump"
-  s.version = "0.3.3"
+  s.version = "0.4.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Andrey \"Zed\" Zaikin"]
-  s.date = "2011-12-13"
+  s.date = "2011-12-17"
   s.description = "dump headers, sections, extract resources of win32 PE exe,dll,etc"
   s.email = "zed.0xff@gmail.com"
   s.executables = ["pedump"]
@@ -29,15 +29,23 @@ Gem::Specification.new do |s|
     "Rakefile",
     "VERSION",
     "bin/pedump",
+    "data/fs.txt",
     "data/sig.bin",
-    "data/sig.txt",
+    "data/signatures.txt",
+    "data/userdb.txt",
     "lib/pedump.rb",
     "lib/pedump/cli.rb",
     "lib/pedump/packer.rb",
+    "lib/pedump/sig_parser.rb",
     "lib/pedump/version.rb",
+    "lib/pedump/version_info.rb",
     "pedump.gemspec",
     "samples/calc.7z",
+    "samples/zlib.dll",
     "spec/pedump_spec.rb",
+    "spec/resource_spec.rb",
+    "spec/sig_all_packers_spec.rb",
+    "spec/sig_spec.rb",
     "spec/spec_helper.rb"
   ]
   s.homepage = "http://github.com/zed-0xff/pedump"
@@ -56,6 +64,7 @@ Gem::Specification.new do |s|
       s.add_development_dependency(%q<bundler>, ["~> 1.0.0"])
       s.add_development_dependency(%q<jeweler>, ["~> 1.6.4"])
       s.add_development_dependency(%q<rcov>, [">= 0"])
+      s.add_development_dependency(%q<awesome_print>, [">= 0"])
     else
       s.add_dependency(%q<multipart-post>, ["~> 1.1.4"])
       s.add_dependency(%q<progressbar>, ["~> 0.9.2"])
@@ -63,6 +72,7 @@ Gem::Specification.new do |s|
       s.add_dependency(%q<bundler>, ["~> 1.0.0"])
       s.add_dependency(%q<jeweler>, ["~> 1.6.4"])
       s.add_dependency(%q<rcov>, [">= 0"])
+      s.add_dependency(%q<awesome_print>, [">= 0"])
     end
   else
     s.add_dependency(%q<multipart-post>, ["~> 1.1.4"])
@@ -71,6 +81,7 @@ Gem::Specification.new do |s|
     s.add_dependency(%q<bundler>, ["~> 1.0.0"])
     s.add_dependency(%q<jeweler>, ["~> 1.6.4"])
     s.add_dependency(%q<rcov>, [">= 0"])
+    s.add_dependency(%q<awesome_print>, [">= 0"])
   end
 end
 

data/spec/pedump_spec.rb

@@ -1,7 +1,7 @@
 require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
 
 describe "Pedump" do
-  it "fails" do
-    fail "hey buddy, you should probably rename this file and start specing for real"
-  end
+#  it "fails" do
+#    fail "hey buddy, you should probably rename this file and start specing for real"
+#  end
 end

data/spec/resource_spec.rb

@@ -0,0 +1,13 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+
+describe 'PEdump' do
+  it "should get all resources" do
+    fname = File.expand_path(File.dirname(__FILE__) + '/../samples/calc.exe')
+    File.open(fname,"rb") do |f|
+      @pedump = PEdump.new(fname)
+      @resources = @pedump.resources(f)
+    end
+    @resources.size.should == 71
+  end
+end

data/spec/sig_all_packers_spec.rb

@@ -0,0 +1,14 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump/packer')
+
+describe "PEdump::Packer" do
+  describe "matchers" do
+    PEdump::SigParser.parse(:raw => true).each do |sig|
+      data = sig.re.join
+      next if data == "This program cannot be run in DOS mo"
+      it "should find #{sig.name}" do
+        PEdump::Packer.of(data).map(&:name).should include(sig.name)
+      end
+    end
+  end
+end

data/spec/sig_spec.rb

@@ -0,0 +1,63 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump/packer')
+
+describe "PEdump::Packer" do
+  it "should have enough signatures" do
+    PEdump::Packer.count.should > 1000
+  end
+
+  it "should not match" do
+    maxlen = PEdump::Packer.map(&:size).max
+    s = 'x'*maxlen
+    PEdump::Packer.of_data(s).should be_nil
+  end
+
+  it "should parse" do
+    a = PEdump::SigParser.parse
+    a.should be_instance_of(Array)
+    a.map(&:class).uniq.should == [PEdump::Packer]
+  end
+
+  it "should not react to DOS signature" do
+    data = "This program cannot be run in DOS mode"
+    PEdump::Packer.of(data).should be_nil
+  end
+
+  it "should match sigs" do
+    n = 0
+    File.open('data/signatures.txt', 'r:cp1252') do |f|
+      while row = f.gets
+        row.strip!
+        next unless row =~ /^\[(.*)=(.*)\]$/
+        s = ''
+        title,hexstring = $1,$2
+        (hexstring.size/2).times do |i|
+          c = hexstring[i*2,2]
+          if c == '::'
+            s << '.'
+          else
+            s << c.to_i(16).chr
+          end
+        end
+        packers = PEdump::Packer.of(s)
+        if packers
+          names = packers.map(&:name)
+          next if names.any? do |name|
+            a = name.upcase.tr('V','')
+            b = title.upcase.tr('V','')
+            a[b] || b[a]
+          end
+#          puts "[.] #{title}"
+#          names.each do |x|
+#            puts "\t= #{x}"
+#          end
+        else
+          puts "[?] #{title}"
+          n += 1
+        end
+      end
+    end
+    #puts "[.] diff = #{n}"
+    n.should == 0
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pedump
 version: !ruby/object:Gem::Version
-  version: 0.3.3
+  version: 0.4.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-12-13 00:00:00.000000000 Z
+date: 2011-12-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multipart-post
-  requirement: &70135365235740 !ruby/object:Gem::Requirement
+  requirement: &70304131999160 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -21,10 +21,10 @@ dependencies:
         version: 1.1.4
   type: :runtime
   prerelease: false
-  version_requirements: *70135365235740
+  version_requirements: *70304131999160
 - !ruby/object:Gem::Dependency
   name: progressbar
-  requirement: &70135365807020 !ruby/object:Gem::Requirement
+  requirement: &70304131998620 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -32,10 +32,10 @@ dependencies:
         version: 0.9.2
   type: :runtime
   prerelease: false
-  version_requirements: *70135365807020
+  version_requirements: *70304131998620
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &70135365806000 !ruby/object:Gem::Requirement
+  requirement: &70304131998140 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -43,10 +43,10 @@ dependencies:
         version: 2.3.0
   type: :development
   prerelease: false
-  version_requirements: *70135365806000
+  version_requirements: *70304131998140
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: &70135365804780 !ruby/object:Gem::Requirement
+  requirement: &70304131997660 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -54,10 +54,10 @@ dependencies:
         version: 1.0.0
   type: :development
   prerelease: false
-  version_requirements: *70135365804780
+  version_requirements: *70304131997660
 - !ruby/object:Gem::Dependency
   name: jeweler
-  requirement: &70135365803680 !ruby/object:Gem::Requirement
+  requirement: &70304131997180 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -65,10 +65,10 @@ dependencies:
         version: 1.6.4
   type: :development
   prerelease: false
-  version_requirements: *70135365803680
+  version_requirements: *70304131997180
 - !ruby/object:Gem::Dependency
   name: rcov
-  requirement: &70135365802300 !ruby/object:Gem::Requirement
+  requirement: &70304131996680 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -76,7 +76,18 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70135365802300
+  version_requirements: *70304131996680
+- !ruby/object:Gem::Dependency
+  name: awesome_print
+  requirement: &70304131996200 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70304131996200
 description: dump headers, sections, extract resources of win32 PE exe,dll,etc
 email: zed.0xff@gmail.com
 executables:
@@ -97,15 +108,23 @@ files:
 - Rakefile
 - VERSION
 - bin/pedump
+- data/fs.txt
 - data/sig.bin
-- data/sig.txt
+- data/signatures.txt
+- data/userdb.txt
 - lib/pedump.rb
 - lib/pedump/cli.rb
 - lib/pedump/packer.rb
+- lib/pedump/sig_parser.rb
 - lib/pedump/version.rb
+- lib/pedump/version_info.rb
 - pedump.gemspec
 - samples/calc.7z
+- samples/zlib.dll
 - spec/pedump_spec.rb
+- spec/resource_spec.rb
+- spec/sig_all_packers_spec.rb
+- spec/sig_spec.rb
 - spec/spec_helper.rb
 homepage: http://github.com/zed-0xff/pedump
 licenses:
@@ -122,7 +141,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -3106600206779889876
+      hash: 2685694954412936403
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements: