pedump 0.4.0

@@ -0,0 +1,5 @@
1
+ lib/**/*.rb
2
+ bin/*
3
+ -
4
+ features/**/*.feature
5
+ LICENSE.txt
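--- a/data/.rspec
+++ b/data/.rspec
@@ -0,0 +1 @@
+--color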
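--- a/data/Gemfile
+++ b/data/Gemfile
@@ -0,0 +1,16 @@
+source "http://rubygems.org"
+# Add dependencies required to use your gem here.
+# Example:
+# gem "activesupport", ">= 2.3.5"
+gem "multipart-post", "~> 1.1.4"
+gem "progressbar", "~> 0.9.2"
+
+# Add dependencies to develop your gem here.
+# Include everything needed to run rake, tests, features, etc.
+group :development do
+gem "rspec", "~> 2.3.0"
+gem "bundler", "~> 1.0.0"
+gem "jeweler", "~> 1.6.4"
+gem "rcov", ">= 0"
+gem "awesome_print"
+end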
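Review bot: The first line of the new Gemfile, `source "http://rubygems.org"`, resolves and downloads gems over plain HTTP, so an on-path party can serve substituted gem contents at install time; the source should be `source "https://rubygems.org"`. The Gemfile.lock added in this same commit records the matching `remote: http://rubygems.org/`, so it needs regenerating after the change rather than editing by hand. The `"multipart-post"` and `"progressbar"` pins are runtime dependencies of the gem but are only declared here; presumably the gemspec declares them too — worth confirming so the installed gem pulls the same versions as the development bundle.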
@@ -0,0 +1,34 @@
1
+ GEM
2
+ remote: http://rubygems.org/
3
+ specs:
4
+ awesome_print (0.4.0)
5
+ diff-lcs (1.1.3)
6
+ git (1.2.5)
7
+ jeweler (1.6.4)
8
+ bundler (~> 1.0)
9
+ git (>= 1.2.5)
10
+ rake
11
+ multipart-post (1.1.4)
12
+ progressbar (0.9.2)
13
+ rake (0.9.2.2)
14
+ rcov (0.9.11)
15
+ rspec (2.3.0)
16
+ rspec-core (~> 2.3.0)
17
+ rspec-expectations (~> 2.3.0)
18
+ rspec-mocks (~> 2.3.0)
19
+ rspec-core (2.3.1)
20
+ rspec-expectations (2.3.0)
21
+ diff-lcs (~> 1.1.2)
22
+ rspec-mocks (2.3.0)
23
+
24
+ PLATFORMS
25
+ ruby
26
+
27
+ DEPENDENCIES
28
+ awesome_print
29
+ bundler (~> 1.0.0)
30
+ jeweler (~> 1.6.4)
31
+ multipart-post (~> 1.1.4)
32
+ progressbar (~> 0.9.2)
33
+ rcov
34
+ rspec (~> 2.3.0)
@@ -0,0 +1,20 @@
1
+ Copyright (c) 2011 Andrey "Zed" Zaikin
2
+
3
+ Permission is hereby granted, free of charge, to any person obtaining
4
+ a copy of this software and associated documentation files (the
5
+ "Software"), to deal in the Software without restriction, including
6
+ without limitation the rights to use, copy, modify, merge, publish,
7
+ distribute, sublicense, and/or sell copies of the Software, and to
8
+ permit persons to whom the Software is furnished to do so, subject to
9
+ the following conditions:
10
+
11
+ The above copyright notice and this permission notice shall be
12
+ included in all copies or substantial portions of the Software.
13
+
14
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
15
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
16
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
17
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
18
+ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
19
+ OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
20
+ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@@ -0,0 +1,398 @@
1
+ pedump
2
+ ======
3
+
4
+ Description
5
+ -----------
6
+ A pure ruby implementation of win32 PE binary files dumper, including:
7
+
8
+ * MZ Header
9
+ * DOS stub
10
+ * ['Rich' Header](http://ntcore.com/files/richsign.htm)
11
+ * PE Header
12
+ * Data Directory
13
+ * Sections
14
+ * Resources
15
+ * Strings
16
+ * Imports & Exports
17
+ * VS_VERSIONINFO parsing
18
+ * PE Packer/Compiler detection
19
+ * a convenient way to upload your PE's to http://pedump.me for a nice HTML tables with image previews, candies & stuff
20
+
21
+ Installation
22
+ ------------
23
+ gem install pedump
24
+
25
+ Usage
26
+ -----
27
+
28
+ # pedump -h
29
+
30
+ Usage: pedump [options]
31
+ --version Print version information and exit
32
+ -v, --verbose Run verbosely
33
+ (can be used multiple times)
34
+ -q, --quiet Silent any warnings
35
+ (can be used multiple times)
36
+ -F, --force Try to dump by all means
37
+ (can cause exceptions & heavy wounds)
38
+ -f, --format FORMAT Output format: bin,c,dump,hex,inspect,table
39
+ (default: table)
40
+ --mz
41
+ --dos-stub
42
+ --rich
43
+ --pe
44
+ --data-directory
45
+ -S, --sections
46
+ -s, --strings
47
+ -R, --resources
48
+ --resource-directory
49
+ -I, --imports
50
+ -E, --exports
51
+ -V, --version-info
52
+ --packer
53
+ --deep packer deep scan, significantly slower
54
+ -P, --packer-only packer/compiler detect only,
55
+ mimics 'file' command output
56
+ --all Dump all but resource-directory (default)
57
+ --va2file VA Convert RVA to file offset
58
+ -W, --web Uploads files to a http://pedump.me
59
+ for a nice HTML tables with image previews,
60
+ candies & stuff
61
+
62
+ ### MZ Header
63
+
64
+ # pedump --mz calc.exe
65
+
66
+ === MZ Header ===
67
+
68
+ signature: "MZ"
69
+ bytes_in_last_block: 144 0x90
70
+ blocks_in_file: 3 3
71
+ num_relocs: 0 0
72
+ header_paragraphs: 4 4
73
+ min_extra_paragraphs: 0 0
74
+ max_extra_paragraphs: 65535 0xffff
75
+ ss: 0 0
76
+ sp: 184 0xb8
77
+ checksum: 0 0
78
+ ip: 0 0
79
+ cs: 0 0
80
+ reloc_table_offset: 64 0x40
81
+ overlay_number: 0 0
82
+ reserved0: 0 0
83
+ oem_id: 0 0
84
+ oem_info: 0 0
85
+ reserved2: 0 0
86
+ reserved3: 0 0
87
+ reserved4: 0 0
88
+ reserved5: 0 0
89
+ reserved6: 0 0
90
+ lfanew: 232 0xe8
91
+
92
+ ### DOS stub
93
+
94
+ # pedump --dos-stub calc.exe
95
+
96
+ === DOS STUB ===
97
+
98
+ 00000000: 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|
99
+ 00000010: 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|
100
+ 00000020: 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |
101
+ 00000030: 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|
102
+
103
+ ### 'Rich' Header
104
+
105
+ # pedump --rich calc.exe
106
+
107
+ === RICH Header ===
108
+
109
+ LIB_ID VERSION TIMES_USED
110
+ 149 95 21022 521e 9 9
111
+ 1 1 0 0 367 16f
112
+ 147 93 21022 521e 29 1d
113
+ 132 84 21022 521e 129 81
114
+ 131 83 21022 521e 25 19
115
+ 148 94 21022 521e 1 1
116
+ 145 91 21022 521e 1 1
117
+
118
+ ### PE Header
119
+
120
+ # pedump --pe calc.exe
121
+
122
+ === PE Header ===
123
+
124
+ signature: "PE\x00\x00"
125
+
126
+ # IMAGE_FILE_HEADER:
127
+ Machine: 332 0x14c x86
128
+ NumberOfSections: 4 4
129
+ TimeDateStamp: "2008-09-14 11:28:52"
130
+ PointerToSymbolTable: 0 0
131
+ NumberOfSymbols: 0 0
132
+ SizeOfOptionalHeader: 224 0xe0
133
+ Characteristics: 258 0x102 EXECUTABLE_IMAGE, 32BIT_MACHINE
134
+
135
+ # IMAGE_OPTIONAL_HEADER32:
136
+ Magic: 267 0x10b 32-bit executable
137
+ LinkerVersion: 9.0
138
+ SizeOfCode: 305664 0x4aa00
139
+ SizeOfInitializedData: 340480 0x53200
140
+ SizeOfUninitializedData: 0 0
141
+ AddressOfEntryPoint: 230155 0x3830b
142
+ BaseOfCode: 4096 0x1000
143
+ BaseOfData: 311296 0x4c000
144
+ ImageBase: 16777216 0x1000000
145
+ SectionAlignment: 4096 0x1000
146
+ FileAlignment: 512 0x200
147
+ OperatingSystemVersion: 5.1
148
+ ImageVersion: 5.256
149
+ SubsystemVersion: 5.1
150
+ Reserved1: 0 0
151
+ SizeOfImage: 659456 0xa1000
152
+ SizeOfHeaders: 1024 0x400
153
+ CheckSum: 690555 0xa897b
154
+ Subsystem: 2 2 WINDOWS_GUI
155
+ DllCharacteristics: 33088 0x8140 DYNAMIC_BASE, NX_COMPAT
156
+ TERMINAL_SERVER_AWARE
157
+ SizeOfStackReserve: 262144 0x40000
158
+ SizeOfStackCommit: 8192 0x2000
159
+ SizeOfHeapReserve: 1048576 0x100000
160
+ SizeOfHeapCommit: 4096 0x1000
161
+ LoaderFlags: 0 0
162
+ NumberOfRvaAndSizes: 16 0x10
163
+
164
+ ### Data Directory
165
+
166
+ # pedump --data-directory calc.exe
167
+
168
+ === DATA DIRECTORY ===
169
+
170
+ EXPORT rva:0x 0 size:0x 0
171
+ IMPORT rva:0x 49c1c size:0x 12c
172
+ RESOURCE rva:0x 51000 size:0x 4ab07
173
+ EXCEPTION rva:0x 0 size:0x 0
174
+ SECURITY rva:0x 0 size:0x 0
175
+ BASERELOC rva:0x 9c000 size:0x 3588
176
+ DEBUG rva:0x 1610 size:0x 1c
177
+ ARCHITECTURE rva:0x 0 size:0x 0
178
+ GLOBALPTR rva:0x 0 size:0x 0
179
+ TLS rva:0x 0 size:0x 0
180
+ LOAD_CONFIG rva:0x 3d78 size:0x 40
181
+ Bound_IAT rva:0x 280 size:0x 12c
182
+ IAT rva:0x 1000 size:0x 594
183
+ Delay_IAT rva:0x 49bac size:0x 40
184
+ CLR_Header rva:0x 0 size:0x 0
185
+ rva:0x 0 size:0x 0
186
+
187
+ ### Sections
188
+
189
+ # pedump --sections calc.exe
190
+
191
+ === SECTIONS ===
192
+
193
+ NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS
194
+ .text 1000 4a99a 4aa00 400 0 0 0 0 60000020 R-X CODE
195
+ .data 4c000 431c 3000 4ae00 0 0 0 0 c0000040 RW- IDATA
196
+ .rsrc 51000 4ab07 4ac00 4de00 0 0 0 0 40000040 R-- IDATA
197
+ .reloc 9c000 41f6 4200 98a00 0 0 0 0 42000040 R-- IDATA DISCARDABLE
198
+
199
+ ### Resources
200
+
201
+ # pedump --resources calc.exe
202
+
203
+ === RESOURCES ===
204
+
205
+ FILE_OFFSET CP LANG SIZE TYPE NAME
206
+ 0x4ec84 0 0x409 7465 IMAGE #157
207
+ 0x509b0 0 0x409 4086 IMAGE #165
208
+ 0x519a8 0 0x409 4234 IMAGE #170
209
+ 0x52a34 0 0x409 4625 IMAGE #175
210
+ 0x53c48 0 0x409 4873 IMAGE #180
211
+ 0x54f54 0 0x409 3048 IMAGE #204
212
+ 0x55b3c 0 0x409 3052 IMAGE #208
213
+ 0x56728 0 0x409 3217 IMAGE #212
214
+ 0x573bc 0 0x409 3338 IMAGE #216
215
+ 0x580c8 0 0x409 4191 IMAGE #217
216
+ 0x59128 0 0x409 4229 IMAGE #218
217
+ 0x5a1b0 0 0x409 4110 IMAGE #219
218
+ 0x5b1c0 0 0x409 4065 IMAGE #220
219
+ 0x5c1a4 0 0x409 3235 IMAGE #961
220
+ 0x5ce48 0 0x409 470 IMAGE #981
221
+ 0x5d020 0 0x409 587 IMAGE #982
222
+ 0x5d26c 0 0x409 518 IMAGE #983
223
+ 0x5d474 0 0x409 5344 IMAGE #3000
224
+ 0x5e954 0 0x409 4154 IMAGE #3015
225
+ 0x5f990 0 0x409 4815 IMAGE #3045
226
+ 0x60c60 0 0x409 6038 IMAGE #3051
227
+ 0x623f8 0 0x409 4290 IMAGE #3060
228
+ ...
229
+
230
+ ### Strings
231
+
232
+ # pedump --strings calc.exe.mui
233
+
234
+ === STRINGS ===
235
+
236
+ ID ID LANG STRING
237
+ 0 0 409 "+/-"
238
+ 1 1 409 "C"
239
+ 2 2 409 "CE"
240
+ 3 3 409 "Backspace"
241
+ 4 4 409 "."
242
+ 6 6 409 "And"
243
+ 7 7 409 "Or"
244
+ 8 8 409 "Xor"
245
+ 9 9 409 "Lsh"
246
+ 10 a 409 "Rsh"
247
+ 11 b 409 "/"
248
+ 12 c 409 "*"
249
+ 13 d 409 "+"
250
+ 14 e 409 "-"
251
+ 15 f 409 "Mod"
252
+ 16 10 409 "R"
253
+ 17 11 409 "^"
254
+ 18 12 409 "Int"
255
+ 19 13 409 "RoL"
256
+ 20 14 409 "RoR"
257
+ 21 15 409 "Not"
258
+ 22 16 409 "sin"
259
+ ...
260
+
261
+ ### Imports
262
+
263
+ # pedump --imports zlib.dll
264
+
265
+ === IMPORTS ===
266
+
267
+ MODULE_NAME HINT ORD FUNCTION_NAME
268
+ KERNEL32.dll e1 GetLastError
269
+ KERNEL32.dll 153 HeapAlloc
270
+ KERNEL32.dll 159 HeapFree
271
+ KERNEL32.dll 9f GetCommandLineA
272
+ KERNEL32.dll 103 GetProcAddress
273
+ KERNEL32.dll eb GetModuleHandleA
274
+ KERNEL32.dll 137 GetVersion
275
+ KERNEL32.dll 164 InitializeCriticalSection
276
+ KERNEL32.dll 44 DeleteCriticalSection
277
+ KERNEL32.dll 4f EnterCriticalSection
278
+ KERNEL32.dll 177 LeaveCriticalSection
279
+ KERNEL32.dll 1fa SetHandleCount
280
+ KERNEL32.dll dc GetFileType
281
+ KERNEL32.dll 116 GetStdHandle
282
+ KERNEL32.dll 114 GetStartupInfoA
283
+ KERNEL32.dll 155 HeapCreate
284
+ KERNEL32.dll 157 HeapDestroy
285
+ KERNEL32.dll c7 GetCurrentThreadId
286
+ KERNEL32.dll 222 TlsSetValue
287
+ KERNEL32.dll 21f TlsAlloc
288
+ KERNEL32.dll 220 TlsFree
289
+ KERNEL32.dll 1fd SetLastError
290
+ KERNEL32.dll 221 TlsGetValue
291
+ KERNEL32.dll 62 ExitProcess
292
+ KERNEL32.dll 1b8 ReadFile
293
+ KERNEL32.dll 16 CloseHandle
294
+ KERNEL32.dll 24f WriteFile
295
+ KERNEL32.dll 83 FlushFileBuffers
296
+ KERNEL32.dll e9 GetModuleFileNameA
297
+ KERNEL32.dll 98 GetCPInfo
298
+ KERNEL32.dll 92 GetACP
299
+ KERNEL32.dll f6 GetOEMCP
300
+ KERNEL32.dll 8b FreeEnvironmentStringsA
301
+ KERNEL32.dll d0 GetEnvironmentStrings
302
+ KERNEL32.dll 8c FreeEnvironmentStringsW
303
+ KERNEL32.dll d2 GetEnvironmentStringsW
304
+ KERNEL32.dll 242 WideCharToMultiByte
305
+ KERNEL32.dll 2b CreateFileA
306
+ KERNEL32.dll 1f8 SetFilePointer
307
+ KERNEL32.dll 206 SetStdHandle
308
+ KERNEL32.dll 178 LoadLibraryA
309
+ KERNEL32.dll 1ef SetEndOfFile
310
+
311
+ ### Exports
312
+
313
+ # pedump --exports zlib.dll
314
+
315
+ === EXPORTS ===
316
+
317
+ # module "zlib.dll"
318
+ # flags=0x0 ts="1996-05-07 12:46:46" version=0.0 ord_base=1
319
+ # nFuncs=27 nNames=27
320
+
321
+ ORD ENTRY_VA NAME
322
+ 1 76d0 adler32
323
+ 2 2db0 compress
324
+ 3 4aa0 crc32
325
+ 4 3c90 deflate
326
+ 5 4060 deflateCopy
327
+ 6 3fd0 deflateEnd
328
+ 7 37f0 deflateInit2_
329
+ 8 37c0 deflateInit_
330
+ 9 3bc0 deflateParams
331
+ 10 3b40 deflateReset
332
+ 11 3a40 deflateSetDictionary
333
+ 12 7510 gzclose
334
+ 13 6f00 gzdopen
335
+ 14 75a0 gzerror
336
+ 15 73f0 gzflush
337
+ 16 6c50 gzopen
338
+ 17 7190 gzread
339
+ 18 7350 gzwrite
340
+ 19 4e50 inflate
341
+ 20 4cc0 inflateEnd
342
+ 21 4d20 inflateInit2_
343
+ 22 4e30 inflateInit_
344
+ 23 4c70 inflateReset
345
+ 24 5260 inflateSetDictionary
346
+ 25 52f0 inflateSync
347
+ 26 4bd0 uncompress
348
+ 27 e340 zlib_version
349
+
350
+ ### VS_VERSIONINFO parsing
351
+
352
+ # pedump --version-info calc.exe
353
+
354
+ === VERSION INFO ===
355
+
356
+ # VS_FIXEDFILEINFO:
357
+ FileVersion : 6.1.6801.0
358
+ ProductVersion : 6.1.6801.0
359
+ StrucVersion : 0x10000
360
+ FileFlagsMask : 0x3f
361
+ FileFlags : 0
362
+ FileOS : 0x40004
363
+ FileType : 1
364
+ FileSubtype : 0
365
+
366
+ # StringTable 040904B0:
367
+ CompanyName : "Microsoft Corporation"
368
+ FileDescription : "Windows Calculator"
369
+ FileVersion : "6.1.6801.0 (winmain_win7m3.080913-2030)"
370
+ InternalName : "CALC"
371
+ LegalCopyright : "© Microsoft Corporation. All rights reserved."
372
+ OriginalFilename : "CALC.EXE"
373
+ ProductName : "Microsoft® Windows® Operating System"
374
+ ProductVersion : "6.1.6801.0"
375
+
376
+ VarFileInfo : [ 0x409, 0x4b0 ]
377
+
378
+ ### Packer / Compiler detection
379
+
380
+ # pedump --packer zlib.dll
381
+
382
+ === Packer / Compiler ===
383
+
384
+ MS Visual C v2.0
385
+
386
+ #### pedump can mimic 'file' command output:
387
+
388
+ #pedump --packer-only -qqq samples/*
389
+
390
+ samples/StringLoader.dll: Microsoft Visual C++ 6.0 DLL (Debug)
391
+ samples/control.exe: ASPack v2.12
392
+ samples/gms_v1_0_3.exe: UPX 2.90 [LZMA] (Markus Oberhumer, Laszlo Molnar & John Reiser)
393
+ samples/unpackme.exe: ASProtect 1.33 - 2.1 Registered (Alexey Solodovnikov)
394
+ samples/zlib.dll: Microsoft Visual C v2.0
395
+
396
+ License
397
+ -------
398
+ Released under the MIT License. See the [LICENSE](https://github.com/zed-0xff/pedump/blob/master/LICENSE.txt) file for further details.