pedump 0.3.3

data/lib/pedump/packer.rb

@@ -0,0 +1,124 @@
+class PEdump
+  class Packer < Struct.new(:name, :re, :ep_only, :size)
+
+    DATA_ROOT      = File.dirname(File.dirname(File.dirname(__FILE__)))
+    BIN_SIGS_FILE  = File.join(DATA_ROOT, "data", "sig.bin")
+    TEXT_SIGS_FILE = File.join(DATA_ROOT, "data", "sig.txt")
+
+    Match = Struct.new :offset, :packer
+
+    class << self
+
+      def all
+        @@all ||=
+          begin
+            r = unmarshal
+            unless r
+              if PEdump.respond_to?(:logger) && PEdump.logger
+                PEdump.logger.warn "[?] #{self}: unmarshal failed, using slow text parsing instead"
+              else
+                STDERR.puts "[?] #{self}: unmarshal failed, using slow text parsing instead"
+              end
+              r = parse
+            end
+            r
+          end
+      end
+      alias :load :all
+
+      def max_size
+        @@max_size ||= all.map(&:size).max
+      end
+
+      def of data, ep_offset = nil
+        if data.respond_to?(:read) && data.respond_to?(:seek) && ep_offset
+          of_file data, ep_offset
+        else
+          of_data data
+        end
+      end
+
+      # try to determine packer of FILE f, ep_offset - offset to entrypoint from start of file
+      def of_file f, ep_offset
+        f.seek(ep_offset)
+        of_data f.read(max_size)
+      end
+
+      def of_data data
+        r = []
+        each do |packer|
+          if (idx=data.index(packer.re)) == 0
+            r << Match.new(idx, packer)
+          end
+        end
+        r.any? ? r.sort_by{ |x| -x.packer.size } : nil
+      end
+
+      def method_missing *args, &block
+        all.respond_to?(args.first) ? all.send(*args,&block) : super
+      end
+
+      def unmarshal
+        File.open(BIN_SIGS_FILE,"rb") do |f|
+          Marshal.load(f)
+        end
+      rescue
+        nil
+      end
+
+      # parse text signatures
+      def parse fname = TEXT_SIGS_FILE
+        sigs = {}; sig = nil
+
+        File.open(fname,'r:utf-8') do |f|
+          while line = f.gets
+            line.strip!
+
+            # XXX
+            # "B\xE9rczi G\xE1bor".force_encoding('binary').to_yaml:
+            # RuntimeError: expected SCALAR, SEQUENCE-START, MAPPING-START, or ALIAS
+
+            case line
+            when /^;/,/^$/
+              next
+            when /^\[(.+)\]$/
+              sig = Packer.new($1.sub(/^\*\s+/,'').sub(/\s+\(h\)$/,''))
+            when /^signature = (.+)$/
+              sig.re = $1
+              if sigs[sig.re]
+                next if sigs[sig.re].name == sig.name
+                printf "[?] dup %-40s, %s\n", sigs[sig.re].name.inspect, sig.name.inspect
+              end
+              sigs[sig.re] = sig
+            when /^ep_only = (.+)$/
+              sig.ep_only = ($1.strip.downcase == 'true')
+            else raise line
+            end
+          end
+        end
+
+        sigs = sigs.values
+        sigs.each do |sig|
+          sig.re = Regexp.new(
+            sig.re.split(' ').tap do |a|
+              sig.size = a.size
+            end.map do |x|
+              case x
+              when '??'
+                '.'
+              when /[a-f0-9]{2}/i
+                Regexp::escape x.to_i(16).chr
+              else raise x
+              end
+            end.join
+          )
+          if sig.name[/-+>/]
+            a = sig.name.split(/-+>/,2).map(&:strip)
+            sig.name = "#{a[0]} (#{a[1]})"
+          end
+        end
+        sigs
+      end
+    end
+  end
+end

data/lib/pedump/version.rb

@@ -0,0 +1,10 @@
+class PEdump
+  module Version
+    MAJOR = 0
+    MINOR = 3
+    PATCH = 3
+    BUILD = nil
+
+    STRING = [MAJOR, MINOR, PATCH, BUILD].compact.join('.')
+  end
+end

data/pedump.gemspec

@@ -0,0 +1,76 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = "pedump"
+  s.version = "0.3.3"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Andrey \"Zed\" Zaikin"]
+  s.date = "2011-12-13"
+  s.description = "dump headers, sections, extract resources of win32 PE exe,dll,etc"
+  s.email = "zed.0xff@gmail.com"
+  s.executables = ["pedump"]
+  s.extra_rdoc_files = [
+    "LICENSE.txt",
+    "README.md",
+    "README.md.tpl"
+  ]
+  s.files = [
+    ".document",
+    ".rspec",
+    "Gemfile",
+    "Gemfile.lock",
+    "LICENSE.txt",
+    "README.md",
+    "README.md.tpl",
+    "Rakefile",
+    "VERSION",
+    "bin/pedump",
+    "data/sig.bin",
+    "data/sig.txt",
+    "lib/pedump.rb",
+    "lib/pedump/cli.rb",
+    "lib/pedump/packer.rb",
+    "lib/pedump/version.rb",
+    "pedump.gemspec",
+    "samples/calc.7z",
+    "spec/pedump_spec.rb",
+    "spec/spec_helper.rb"
+  ]
+  s.homepage = "http://github.com/zed-0xff/pedump"
+  s.licenses = ["MIT"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = "1.8.10"
+  s.summary = "dump win32 PE executable files with a pure ruby"
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<multipart-post>, ["~> 1.1.4"])
+      s.add_runtime_dependency(%q<progressbar>, ["~> 0.9.2"])
+      s.add_development_dependency(%q<rspec>, ["~> 2.3.0"])
+      s.add_development_dependency(%q<bundler>, ["~> 1.0.0"])
+      s.add_development_dependency(%q<jeweler>, ["~> 1.6.4"])
+      s.add_development_dependency(%q<rcov>, [">= 0"])
+    else
+      s.add_dependency(%q<multipart-post>, ["~> 1.1.4"])
+      s.add_dependency(%q<progressbar>, ["~> 0.9.2"])
+      s.add_dependency(%q<rspec>, ["~> 2.3.0"])
+      s.add_dependency(%q<bundler>, ["~> 1.0.0"])
+      s.add_dependency(%q<jeweler>, ["~> 1.6.4"])
+      s.add_dependency(%q<rcov>, [">= 0"])
+    end
+  else
+    s.add_dependency(%q<multipart-post>, ["~> 1.1.4"])
+    s.add_dependency(%q<progressbar>, ["~> 0.9.2"])
+    s.add_dependency(%q<rspec>, ["~> 2.3.0"])
+    s.add_dependency(%q<bundler>, ["~> 1.0.0"])
+    s.add_dependency(%q<jeweler>, ["~> 1.6.4"])
+    s.add_dependency(%q<rcov>, [">= 0"])
+  end
+end
+

data/spec/pedump_spec.rb

@@ -0,0 +1,7 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+describe "Pedump" do
+  it "fails" do
+    fail "hey buddy, you should probably rename this file and start specing for real"
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,12 @@
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'rspec'
+require 'pedump'
+
+# Requires supporting files with custom matchers and macros, etc,
+# in ./support/ and its subdirectories.
+Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each {|f| require f}
+
+RSpec.configure do |config|
+  
+end

metadata

@@ -0,0 +1,138 @@
+--- !ruby/object:Gem::Specification
+name: pedump
+version: !ruby/object:Gem::Version
+  version: 0.3.3
+  prerelease: 
+platform: ruby
+authors:
+- Andrey "Zed" Zaikin
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2011-12-13 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: multipart-post
+  requirement: &70135365235740 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.1.4
+  type: :runtime
+  prerelease: false
+  version_requirements: *70135365235740
+- !ruby/object:Gem::Dependency
+  name: progressbar
+  requirement: &70135365807020 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.9.2
+  type: :runtime
+  prerelease: false
+  version_requirements: *70135365807020
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: &70135365806000 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.3.0
+  type: :development
+  prerelease: false
+  version_requirements: *70135365806000
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: &70135365804780 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.0.0
+  type: :development
+  prerelease: false
+  version_requirements: *70135365804780
+- !ruby/object:Gem::Dependency
+  name: jeweler
+  requirement: &70135365803680 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.6.4
+  type: :development
+  prerelease: false
+  version_requirements: *70135365803680
+- !ruby/object:Gem::Dependency
+  name: rcov
+  requirement: &70135365802300 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70135365802300
+description: dump headers, sections, extract resources of win32 PE exe,dll,etc
+email: zed.0xff@gmail.com
+executables:
+- pedump
+extensions: []
+extra_rdoc_files:
+- LICENSE.txt
+- README.md
+- README.md.tpl
+files:
+- .document
+- .rspec
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- README.md.tpl
+- Rakefile
+- VERSION
+- bin/pedump
+- data/sig.bin
+- data/sig.txt
+- lib/pedump.rb
+- lib/pedump/cli.rb
+- lib/pedump/packer.rb
+- lib/pedump/version.rb
+- pedump.gemspec
+- samples/calc.7z
+- spec/pedump_spec.rb
+- spec/spec_helper.rb
+homepage: http://github.com/zed-0xff/pedump
+licenses:
+- MIT
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: -3106600206779889876
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.10
+signing_key: 
+specification_version: 3
+summary: dump win32 PE executable files with a pure ruby
+test_files: []