RubyGems - pedump - Versions diffs - 0.4.0 - Mend

pedump 0.4.0

Files changed (29) hide show

data/.document +5 -0
data/.rspec +1 -0
data/Gemfile +16 -0
data/Gemfile.lock +34 -0
data/LICENSE.txt +20 -0
data/README.md +398 -0
data/README.md.tpl +90 -0
data/Rakefile +179 -0
data/VERSION +1 -0
data/bin/pedump +7 -0
data/data/fs.txt +1595 -0
data/data/sig.bin +0 -0
data/data/signatures.txt +678 -0
data/data/userdb.txt +14083 -0
data/lib/pedump.rb +1105 -0
data/lib/pedump/cli.rb +703 -0
data/lib/pedump/packer.rb +125 -0
data/lib/pedump/sig_parser.rb +386 -0
data/lib/pedump/version.rb +10 -0
data/lib/pedump/version_info.rb +166 -0
data/pedump.gemspec +87 -0
data/samples/calc.7z +0 -0
data/samples/zlib.dll +0 -0
data/spec/pedump_spec.rb +7 -0
data/spec/resource_spec.rb +13 -0
data/spec/sig_all_packers_spec.rb +14 -0
data/spec/sig_spec.rb +63 -0
data/spec/spec_helper.rb +12 -0
metadata +157 -0

data/.document ADDED

@@ -0,0 +1,5 @@
+lib/**/*.rb
+bin/*
+-
+features/**/*.feature
+LICENSE.txt

data/.rspec ADDED

	@@ -0,0 +1 @@
1	+ --color

data/Gemfile ADDED

@@ -0,0 +1,16 @@
+source "http://rubygems.org"
+# Add dependencies required to use your gem here.
+# Example:
+#   gem "activesupport", ">= 2.3.5"
+gem "multipart-post", "~> 1.1.4"
+gem "progressbar", "~> 0.9.2"
+# Add dependencies to develop your gem here.
+# Include everything needed to run rake, tests, features, etc.
+group :development do
+  gem "rspec", "~> 2.3.0"
+  gem "bundler", "~> 1.0.0"
+  gem "jeweler", "~> 1.6.4"
+  gem "rcov", ">= 0"
+  gem "awesome_print"
+end

data/Gemfile.lock ADDED

@@ -0,0 +1,34 @@
+GEM
+  remote: http://rubygems.org/
+  specs:
+    awesome_print (0.4.0)
+    diff-lcs (1.1.3)
+    git (1.2.5)
+    jeweler (1.6.4)
+      bundler (~> 1.0)
+      git (>= 1.2.5)
+      rake
+    multipart-post (1.1.4)
+    progressbar (0.9.2)
+    rake (0.9.2.2)
+    rcov (0.9.11)
+    rspec (2.3.0)
+      rspec-core (~> 2.3.0)
+      rspec-expectations (~> 2.3.0)
+      rspec-mocks (~> 2.3.0)
+    rspec-core (2.3.1)
+    rspec-expectations (2.3.0)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.3.0)
+PLATFORMS
+  ruby
+DEPENDENCIES
+  awesome_print
+  bundler (~> 1.0.0)
+  jeweler (~> 1.6.4)
+  multipart-post (~> 1.1.4)
+  progressbar (~> 0.9.2)
+  rcov
+  rspec (~> 2.3.0)

data/LICENSE.txt ADDED

@@ -0,0 +1,20 @@
+Copyright (c) 2011 Andrey "Zed" Zaikin
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md ADDED

@@ -0,0 +1,398 @@
+pedump
+======
+Description
+-----------
+A pure ruby implementation of win32 PE binary files dumper, including:
+ * MZ Header
+ * DOS stub
+ * ['Rich' Header](http://ntcore.com/files/richsign.htm)
+ * PE Header
+ * Data Directory
+ * Sections
+ * Resources
+ * Strings
+ * Imports & Exports
+ * VS_VERSIONINFO parsing
+ * PE Packer/Compiler detection
+ * a convenient way to upload your PE's to http://pedump.me for a nice HTML tables with image previews, candies & stuff
+Installation
+------------
+    gem install pedump
+Usage
+-----
+    # pedump -h
+    Usage: pedump [options]
+            --version                    Print version information and exit
+        -v, --verbose                    Run verbosely
+                                         (can be used multiple times)
+        -q, --quiet                      Silent any warnings
+                                         (can be used multiple times)
+        -F, --force                      Try to dump by all means
+                                         (can cause exceptions & heavy wounds)
+        -f, --format FORMAT              Output format: bin,c,dump,hex,inspect,table
+                                         (default: table)
+            --mz
+            --dos-stub
+            --rich
+            --pe
+            --data-directory
+        -S, --sections
+        -s, --strings
+        -R, --resources
+            --resource-directory
+        -I, --imports
+        -E, --exports
+        -V, --version-info
+            --packer
+            --deep                       packer deep scan, significantly slower
+        -P, --packer-only                packer/compiler detect only,
+                                         mimics 'file' command output
+            --all                        Dump all but resource-directory (default)
+            --va2file VA                 Convert RVA to file offset
+        -W, --web                        Uploads files to a http://pedump.me
+                                         for a nice HTML tables with image previews,
+                                         candies & stuff
+### MZ Header
+    # pedump --mz calc.exe
+    === MZ Header ===
+                         signature:                     "MZ"
+               bytes_in_last_block:        144          0x90
+                    blocks_in_file:          3             3
+                        num_relocs:          0             0
+                 header_paragraphs:          4             4
+              min_extra_paragraphs:          0             0
+              max_extra_paragraphs:      65535        0xffff
+                                ss:          0             0
+                                sp:        184          0xb8
+                          checksum:          0             0
+                                ip:          0             0
+                                cs:          0             0
+                reloc_table_offset:         64          0x40
+                    overlay_number:          0             0
+                         reserved0:          0             0
+                            oem_id:          0             0
+                          oem_info:          0             0
+                         reserved2:          0             0
+                         reserved3:          0             0
+                         reserved4:          0             0
+                         reserved5:          0             0
+                         reserved6:          0             0
+                            lfanew:        232          0xe8
+### DOS stub
+    # pedump --dos-stub calc.exe
+    === DOS STUB ===
+    00000000:  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
+    00000010:  69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
+    00000020:  74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
+    00000030:  6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|
+### 'Rich' Header
+    # pedump --rich calc.exe
+    === RICH Header ===
+        LIB_ID        VERSION        TIMES_USED
+       149  95      21022  521e         9   9
+         1   1          0     0       367 16f
+       147  93      21022  521e        29  1d
+       132  84      21022  521e       129  81
+       131  83      21022  521e        25  19
+       148  94      21022  521e         1   1
+       145  91      21022  521e         1   1
+### PE Header
+    # pedump --pe calc.exe
+    === PE Header ===
+                         signature:             "PE\x00\x00"
+    # IMAGE_FILE_HEADER:
+                           Machine:        332         0x14c  x86
+                  NumberOfSections:          4             4
+                     TimeDateStamp:    "2008-09-14 11:28:52"
+              PointerToSymbolTable:          0             0
+                   NumberOfSymbols:          0             0
+              SizeOfOptionalHeader:        224          0xe0
+                   Characteristics:        258         0x102  EXECUTABLE_IMAGE, 32BIT_MACHINE
+    # IMAGE_OPTIONAL_HEADER32:
+                             Magic:        267         0x10b  32-bit executable
+                     LinkerVersion:                      9.0
+                        SizeOfCode:     305664       0x4aa00
+             SizeOfInitializedData:     340480       0x53200
+           SizeOfUninitializedData:          0             0
+               AddressOfEntryPoint:     230155       0x3830b
+                        BaseOfCode:       4096        0x1000
+                        BaseOfData:     311296       0x4c000
+                         ImageBase:   16777216     0x1000000
+                  SectionAlignment:       4096        0x1000
+                     FileAlignment:        512         0x200
+            OperatingSystemVersion:                      5.1
+                      ImageVersion:                    5.256
+                  SubsystemVersion:                      5.1
+                         Reserved1:          0             0
+                       SizeOfImage:     659456       0xa1000
+                     SizeOfHeaders:       1024         0x400
+                          CheckSum:     690555       0xa897b
+                         Subsystem:          2             2  WINDOWS_GUI
+                DllCharacteristics:      33088        0x8140  DYNAMIC_BASE, NX_COMPAT
+                                                              TERMINAL_SERVER_AWARE
+                SizeOfStackReserve:     262144       0x40000
+                 SizeOfStackCommit:       8192        0x2000
+                 SizeOfHeapReserve:    1048576      0x100000
+                  SizeOfHeapCommit:       4096        0x1000
+                       LoaderFlags:          0             0
+               NumberOfRvaAndSizes:         16          0x10
+### Data Directory
+    # pedump --data-directory calc.exe
+    === DATA DIRECTORY ===
+      EXPORT        rva:0x       0   size:0x        0
+      IMPORT        rva:0x   49c1c   size:0x      12c
+      RESOURCE      rva:0x   51000   size:0x    4ab07
+      EXCEPTION     rva:0x       0   size:0x        0
+      SECURITY      rva:0x       0   size:0x        0
+      BASERELOC     rva:0x   9c000   size:0x     3588
+      DEBUG         rva:0x    1610   size:0x       1c
+      ARCHITECTURE  rva:0x       0   size:0x        0
+      GLOBALPTR     rva:0x       0   size:0x        0
+      TLS           rva:0x       0   size:0x        0
+      LOAD_CONFIG   rva:0x    3d78   size:0x       40
+      Bound_IAT     rva:0x     280   size:0x      12c
+      IAT           rva:0x    1000   size:0x      594
+      Delay_IAT     rva:0x   49bac   size:0x       40
+      CLR_Header    rva:0x       0   size:0x        0
+                    rva:0x       0   size:0x        0
+### Sections
+    # pedump --sections calc.exe
+    === SECTIONS ===
+      NAME          RVA      VSZ   RAW_SZ  RAW_PTR  nREL  REL_PTR nLINE LINE_PTR     FLAGS
+      .text        1000    4a99a    4aa00      400     0        0     0        0  60000020  R-X CODE
+      .data       4c000     431c     3000    4ae00     0        0     0        0  c0000040  RW- IDATA
+      .rsrc       51000    4ab07    4ac00    4de00     0        0     0        0  40000040  R-- IDATA
+      .reloc      9c000     41f6     4200    98a00     0        0     0        0  42000040  R-- IDATA DISCARDABLE
+### Resources
+    # pedump --resources calc.exe
+    === RESOURCES ===
+    FILE_OFFSET    CP  LANG     SIZE  TYPE          NAME
+        0x4ec84     0 0x409     7465  IMAGE         #157
+        0x509b0     0 0x409     4086  IMAGE         #165
+        0x519a8     0 0x409     4234  IMAGE         #170
+        0x52a34     0 0x409     4625  IMAGE         #175
+        0x53c48     0 0x409     4873  IMAGE         #180
+        0x54f54     0 0x409     3048  IMAGE         #204
+        0x55b3c     0 0x409     3052  IMAGE         #208
+        0x56728     0 0x409     3217  IMAGE         #212
+        0x573bc     0 0x409     3338  IMAGE         #216
+        0x580c8     0 0x409     4191  IMAGE         #217
+        0x59128     0 0x409     4229  IMAGE         #218
+        0x5a1b0     0 0x409     4110  IMAGE         #219
+        0x5b1c0     0 0x409     4065  IMAGE         #220
+        0x5c1a4     0 0x409     3235  IMAGE         #961
+        0x5ce48     0 0x409      470  IMAGE         #981
+        0x5d020     0 0x409      587  IMAGE         #982
+        0x5d26c     0 0x409      518  IMAGE         #983
+        0x5d474     0 0x409     5344  IMAGE         #3000
+        0x5e954     0 0x409     4154  IMAGE         #3015
+        0x5f990     0 0x409     4815  IMAGE         #3045
+        0x60c60     0 0x409     6038  IMAGE         #3051
+        0x623f8     0 0x409     4290  IMAGE         #3060
+    ...
+### Strings
+    # pedump --strings calc.exe.mui
+    === STRINGS ===
+       ID    ID  LANG  STRING
+        0     0   409  "+/-"
+        1     1   409  "C"
+        2     2   409  "CE"
+        3     3   409  "Backspace"
+        4     4   409  "."
+        6     6   409  "And"
+        7     7   409  "Or"
+        8     8   409  "Xor"
+        9     9   409  "Lsh"
+       10     a   409  "Rsh"
+       11     b   409  "/"
+       12     c   409  "*"
+       13     d   409  "+"
+       14     e   409  "-"
+       15     f   409  "Mod"
+       16    10   409  "R"
+       17    11   409  "^"
+       18    12   409  "Int"
+       19    13   409  "RoL"
+       20    14   409  "RoR"
+       21    15   409  "Not"
+       22    16   409  "sin"
+    ...
+### Imports
+    # pedump --imports zlib.dll
+    === IMPORTS ===
+    MODULE_NAME      HINT   ORD  FUNCTION_NAME
+    KERNEL32.dll       e1        GetLastError
+    KERNEL32.dll      153        HeapAlloc
+    KERNEL32.dll      159        HeapFree
+    KERNEL32.dll       9f        GetCommandLineA
+    KERNEL32.dll      103        GetProcAddress
+    KERNEL32.dll       eb        GetModuleHandleA
+    KERNEL32.dll      137        GetVersion
+    KERNEL32.dll      164        InitializeCriticalSection
+    KERNEL32.dll       44        DeleteCriticalSection
+    KERNEL32.dll       4f        EnterCriticalSection
+    KERNEL32.dll      177        LeaveCriticalSection
+    KERNEL32.dll      1fa        SetHandleCount
+    KERNEL32.dll       dc        GetFileType
+    KERNEL32.dll      116        GetStdHandle
+    KERNEL32.dll      114        GetStartupInfoA
+    KERNEL32.dll      155        HeapCreate
+    KERNEL32.dll      157        HeapDestroy
+    KERNEL32.dll       c7        GetCurrentThreadId
+    KERNEL32.dll      222        TlsSetValue
+    KERNEL32.dll      21f        TlsAlloc
+    KERNEL32.dll      220        TlsFree
+    KERNEL32.dll      1fd        SetLastError
+    KERNEL32.dll      221        TlsGetValue
+    KERNEL32.dll       62        ExitProcess
+    KERNEL32.dll      1b8        ReadFile
+    KERNEL32.dll       16        CloseHandle
+    KERNEL32.dll      24f        WriteFile
+    KERNEL32.dll       83        FlushFileBuffers
+    KERNEL32.dll       e9        GetModuleFileNameA
+    KERNEL32.dll       98        GetCPInfo
+    KERNEL32.dll       92        GetACP
+    KERNEL32.dll       f6        GetOEMCP
+    KERNEL32.dll       8b        FreeEnvironmentStringsA
+    KERNEL32.dll       d0        GetEnvironmentStrings
+    KERNEL32.dll       8c        FreeEnvironmentStringsW
+    KERNEL32.dll       d2        GetEnvironmentStringsW
+    KERNEL32.dll      242        WideCharToMultiByte
+    KERNEL32.dll       2b        CreateFileA
+    KERNEL32.dll      1f8        SetFilePointer
+    KERNEL32.dll      206        SetStdHandle
+    KERNEL32.dll      178        LoadLibraryA
+    KERNEL32.dll      1ef        SetEndOfFile
+### Exports
+    # pedump --exports zlib.dll
+    === EXPORTS ===
+    # module "zlib.dll"
+    # flags=0x0  ts="1996-05-07 12:46:46"  version=0.0  ord_base=1
+    # nFuncs=27  nNames=27
+      ORD ENTRY_VA  NAME
+        1     76d0  adler32
+        2     2db0  compress
+        3     4aa0  crc32
+        4     3c90  deflate
+        5     4060  deflateCopy
+        6     3fd0  deflateEnd
+        7     37f0  deflateInit2_
+        8     37c0  deflateInit_
+        9     3bc0  deflateParams
+       10     3b40  deflateReset
+       11     3a40  deflateSetDictionary
+       12     7510  gzclose
+       13     6f00  gzdopen
+       14     75a0  gzerror
+       15     73f0  gzflush
+       16     6c50  gzopen
+       17     7190  gzread
+       18     7350  gzwrite
+       19     4e50  inflate
+       20     4cc0  inflateEnd
+       21     4d20  inflateInit2_
+       22     4e30  inflateInit_
+       23     4c70  inflateReset
+       24     5260  inflateSetDictionary
+       25     52f0  inflateSync
+       26     4bd0  uncompress
+       27     e340  zlib_version
+### VS_VERSIONINFO parsing
+    # pedump --version-info calc.exe
+    === VERSION INFO ===
+    # VS_FIXEDFILEINFO:
+      FileVersion         :  6.1.6801.0
+      ProductVersion      :  6.1.6801.0
+      StrucVersion        :  0x10000
+      FileFlagsMask       :  0x3f
+      FileFlags           :  0
+      FileOS              :  0x40004
+      FileType            :  1
+      FileSubtype         :  0
+    # StringTable 040904B0:
+      CompanyName         :  "Microsoft Corporation"
+      FileDescription     :  "Windows Calculator"
+      FileVersion         :  "6.1.6801.0 (winmain_win7m3.080913-2030)"
+      InternalName        :  "CALC"
+      LegalCopyright      :  "© Microsoft Corporation. All rights reserved."
+      OriginalFilename    :  "CALC.EXE"
+      ProductName         :  "Microsoft® Windows® Operating System"
+      ProductVersion      :  "6.1.6801.0"
+      VarFileInfo         :  [ 0x409, 0x4b0 ]
+### Packer / Compiler detection
+    # pedump --packer zlib.dll
+    === Packer / Compiler ===
+      MS Visual C v2.0
+#### pedump can mimic 'file' command output:
+    #pedump --packer-only -qqq samples/*
+    samples/StringLoader.dll:                 Microsoft Visual C++ 6.0 DLL (Debug)
+    samples/control.exe:                      ASPack v2.12
+    samples/gms_v1_0_3.exe:                   UPX 2.90 [LZMA] (Markus Oberhumer, Laszlo Molnar & John Reiser)
+    samples/unpackme.exe:                     ASProtect 1.33 - 2.1 Registered (Alexey Solodovnikov)
+    samples/zlib.dll:                         Microsoft Visual C v2.0
+License
+-------
+Released under the MIT License.  See the [LICENSE](https://github.com/zed-0xff/pedump/blob/master/LICENSE.txt) file for further details.