RubyGems - pedump - Versions diffs - 0.4.0 → 0.4.1 - Mend

pedump 0.4.0 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

data/VERSION +1 -1
data/lib/pedump.rb +7 -6
data/lib/pedump/cli.rb +3 -3
data/lib/pedump/version.rb +1 -1
data/pedump.gemspec +9 -2
data/samples/65535sects.7z +0 -0
data/samples/imports_badterm.exe +0 -0
data/samples/imports_vterm.exe +0 -0
data/spec/65535sects_spec.rb +16 -0
data/spec/imports_badterm_spec.rb +58 -0
data/spec/imports_vterm_spec.rb +58 -0
data/spec/pe_spec.rb +6 -0
metadata +24 -17

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 0.4.0
1	+ 0.4.1

data/lib/pedump.rb CHANGED Viewed

@@ -185,7 +185,7 @@ class PEdump
     def initialize *args
       super
-      self.TimeDateStamp = Time.at(self.TimeDateStamp)
+      self.TimeDateStamp = Time.at(self.TimeDateStamp).utc
     end
     def flags
       FLAGS.find_all{ |k,v| (self.Characteristics & k) != 0 }.map(&:last)
@@ -471,12 +471,12 @@ class PEdump
               end
             end
-            if (nToRead=pe.ifh.NumberOfSections) > 32
+            if (nToRead=pe.ifh.NumberOfSections) > 0xffff
               if @force.is_a?(Numeric) && @force > 1
                 logger.warn "[!] too many sections (#{pe.ifh.NumberOfSections}). forced. reading all"
               else
-                logger.warn "[!] too many sections (#{pe.ifh.NumberOfSections}). not forced, reading first 32"
-                nToRead = 32
+                logger.warn "[!] too many sections (#{pe.ifh.NumberOfSections}). not forced, reading first 65535"
+                nToRead = 65535
               end
             end
             pe.section_table = nToRead.times.map do
@@ -543,13 +543,14 @@ class PEdump
     return nil unless file_offset
     f.seek file_offset
     r = []
-    until (t=IMAGE_IMPORT_DESCRIPTOR.read(f)).empty?
+    until (t=IMAGE_IMPORT_DESCRIPTOR.read(f)).Name.to_i == 0
       r << t
     end
+    logger.warn "[?] non-empty last IMAGE_IMPORT_DESCRIPTOR: #{t.inspect}" unless t.empty?
     @imports = r.each do |x|
       if x.Name.to_i != 0 && (va = va2file(x.Name))
         f.seek va
-        x.module_name = f.gets("\x00").chop
+        x.module_name = f.gets("\x00").chomp("\x00")
       end
       [:original_first_thunk, :first_thunk].each do |tbl|
         camel = tbl.capitalize.to_s.gsub(/_./){ |char| char[1..-1].upcase}

data/lib/pedump/cli.rb CHANGED Viewed

@@ -268,7 +268,7 @@ class PEdump::CLI
       when :pe
         @pedump.pe.ifh.TimeDateStamp = @pedump.pe.ifh.TimeDateStamp.to_i
         data = @pedump.pe.signature + (@pedump.pe.ifh.try(:pack)||'') + (@pedump.pe.ioh.try(:pack)||'')
-        @pedump.pe.ifh.TimeDateStamp = Time.at(@pedump.pe.ifh.TimeDateStamp)
+        @pedump.pe.ifh.TimeDateStamp = Time.at(@pedump.pe.ifh.TimeDateStamp).utc
       when :resources
         return dump_resources(data)
       when :strings
@@ -352,7 +352,7 @@ class PEdump::CLI
           printf "%30s: %24s\n", k.to_s.sub('Major',''), "#{v}.#{data[k.to_s.sub('Major','Minor')]}"
         when /\AMinor.*Version\Z/
         when /TimeDateStamp/
-          printf "%30s: %24s\n", k, Time.at(v).strftime('"%Y-%m-%d %H:%M:%S"')
+          printf "%30s: %24s\n", k, Time.at(v).utc.strftime('"%Y-%m-%d %H:%M:%S"')
         else
           comment = ''
           if COMMENTS[k]
@@ -485,7 +485,7 @@ class PEdump::CLI
     printf "# module %s\n# flags=0x%x  ts=%s  version=%d.%d  ord_base=%d\n",
       data.name.inspect,
       data.Characteristics.to_i,
-      Time.at(data.TimeDateStamp.to_i).strftime('"%Y-%m-%d %H:%M:%S"'),
+      Time.at(data.TimeDateStamp.to_i).utc.strftime('"%Y-%m-%d %H:%M:%S"'),
       data.MajorVersion, data.MinorVersion,
       data.Base

data/lib/pedump/version.rb CHANGED Viewed

@@ -2,7 +2,7 @@ class PEdump
   module Version
     MAJOR = 0
     MINOR = 4
-    PATCH = 0
+    PATCH = 1
     BUILD = nil
     STRING = [MAJOR, MINOR, PATCH, BUILD].compact.join('.')

data/pedump.gemspec CHANGED Viewed

@@ -5,11 +5,11 @@
 Gem::Specification.new do |s|
   s.name = "pedump"
-  s.version = "0.4.0"
+  s.version = "0.4.1"
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Andrey \"Zed\" Zaikin"]
-  s.date = "2011-12-17"
+  s.date = "2011-12-19"
   s.description = "dump headers, sections, extract resources of win32 PE exe,dll,etc"
   s.email = "zed.0xff@gmail.com"
   s.executables = ["pedump"]
@@ -40,8 +40,15 @@ Gem::Specification.new do |s|
     "lib/pedump/version.rb",
     "lib/pedump/version_info.rb",
     "pedump.gemspec",
+    "samples/65535sects.7z",
     "samples/calc.7z",
+    "samples/imports_badterm.exe",
+    "samples/imports_vterm.exe",
     "samples/zlib.dll",
+    "spec/65535sects_spec.rb",
+    "spec/imports_badterm_spec.rb",
+    "spec/imports_vterm_spec.rb",
+    "spec/pe_spec.rb",
     "spec/pedump_spec.rb",
     "spec/resource_spec.rb",
     "spec/sig_all_packers_spec.rb",

data/samples/65535sects.7z ADDED Viewed

Binary file

data/samples/imports_badterm.exe ADDED Viewed

Binary file

data/samples/imports_vterm.exe ADDED Viewed

Binary file

data/spec/65535sects_spec.rb ADDED Viewed

@@ -0,0 +1,16 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+describe 'a PE file with 65535 sections' do
+  before :all do
+    fname = File.expand_path(File.dirname(__FILE__) + '/../samples/65535sects.exe')
+    File.open(fname,"rb") do |f|
+      @pedump = PEdump.new(fname)
+      @sections = @pedump.sections(f)
+    end
+  end
+  it "should have 65535 sections" do
+    @sections.size.should == 65535
+  end
+end

data/spec/imports_badterm_spec.rb ADDED Viewed

@@ -0,0 +1,58 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+describe 'Imports' do
+  # PE with a 'bad' imports terminator, just the dll name is empty
+  # http://code.google.com/p/corkami/source/browse/trunk/asm/PE/imports_badterm.asm
+  describe "imports_badterm.exe" do
+    before :all do
+      fname = File.expand_path(File.dirname(__FILE__) + '/../samples/imports_badterm.exe')
+      File.open(fname,"rb") do |f|
+        @pedump = PEdump.new(fname)
+        @imports = @pedump.imports(f)
+      end
+    end
+    it "should have 2 IMAGE_IMPORT_DESCRIPTORs" do
+      @imports.size.should == 2
+    end
+    it "should have only IMAGE_IMPORT_DESCRIPTORs" do
+      @imports.map(&:class).uniq.should == [PEdump::IMAGE_IMPORT_DESCRIPTOR]
+    end
+    it "should have all entries thunks equal" do
+      @imports.each do |iid|
+        iid.first_thunk.should == iid.original_first_thunk
+      end
+    end
+    describe "1st image_import_descriptor" do
+      it "should be from kernel32.dll" do
+        @imports[0].module_name.should == "kernel32.dll"
+      end
+      it "should have 1 function" do
+        @imports[0].first_thunk.size.should == 1
+      end
+      it "should have ExitProcess" do
+        @imports[0].first_thunk.first.name.should == "ExitProcess"
+        @imports[0].first_thunk.first.hint.should == 0
+        @imports[0].first_thunk.first.ordinal.should be_nil
+      end
+    end
+    describe "2nd image_import_descriptor" do
+      it "should be from msvcrt.dll" do
+        @imports[1].module_name.should == "msvcrt.dll"
+      end
+      it "should have 1 function" do
+        @imports[1].first_thunk.size.should == 1
+      end
+      it "should have printf" do
+        @imports[1].first_thunk.first.name.should == "printf"
+        @imports[1].first_thunk.first.hint.should == 0
+        @imports[1].first_thunk.first.ordinal.should be_nil
+      end
+    end
+  end
+end

data/spec/imports_vterm_spec.rb ADDED Viewed

@@ -0,0 +1,58 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+describe 'Imports' do
+  # http://code.google.com/p/corkami/source/browse/trunk/asm/PE/imports_vterm.asm
+  #describe "import terminator in virtual space" do
+  describe "imports_vterm.exe" do
+    before :all do
+      fname = File.expand_path(File.dirname(__FILE__) + '/../samples/imports_vterm.exe')
+      File.open(fname,"rb") do |f|
+        @pedump = PEdump.new(fname)
+        @imports = @pedump.imports(f)
+      end
+    end
+    it "should have 2 IMAGE_IMPORT_DESCRIPTORs" do
+      @imports.size.should == 2
+    end
+    it "should have only IMAGE_IMPORT_DESCRIPTORs" do
+      @imports.map(&:class).uniq.should == [PEdump::IMAGE_IMPORT_DESCRIPTOR]
+    end
+    it "should have all entries thunks equal" do
+      @imports.each do |iid|
+        iid.first_thunk.should == iid.original_first_thunk
+      end
+    end
+    describe "1st image_import_descriptor" do
+      it "should be from kernel32.dll" do
+        @imports[0].module_name.should == "kernel32.dll"
+      end
+      it "should have 1 function" do
+        @imports[0].first_thunk.size.should == 1
+      end
+      it "should have ExitProcess" do
+        @imports[0].first_thunk.first.name.should == "ExitProcess"
+        @imports[0].first_thunk.first.hint.should == 0
+        @imports[0].first_thunk.first.ordinal.should be_nil
+      end
+    end
+    describe "2nd image_import_descriptor" do
+      it "should be from msvcrt.dll" do
+        @imports[1].module_name.should == "msvcrt.dll"
+      end
+      it "should have 1 function" do
+        @imports[1].first_thunk.size.should == 1
+      end
+      it "should have printf" do
+        @imports[1].first_thunk.first.name.should == "printf"
+        @imports[1].first_thunk.first.hint.should == 0
+        @imports[1].first_thunk.first.ordinal.should be_nil
+      end
+    end
+  end
+end

data/spec/pe_spec.rb ADDED Viewed

@@ -0,0 +1,6 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+describe 'PE' do
+  it "should assume TimeDateStamp is in UTC"
+end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pedump
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.4.1
   prerelease:
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2011-12-17 00:00:00.000000000 Z
+date: 2011-12-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multipart-post
-  requirement: &70304131999160 !ruby/object:Gem::Requirement
+  requirement: &70337431501640 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -21,10 +21,10 @@ dependencies:
         version: 1.1.4
   type: :runtime
   prerelease: false
-  version_requirements: *70304131999160
+  version_requirements: *70337431501640
 - !ruby/object:Gem::Dependency
   name: progressbar
-  requirement: &70304131998620 !ruby/object:Gem::Requirement
+  requirement: &70337431501120 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -32,10 +32,10 @@ dependencies:
         version: 0.9.2
   type: :runtime
   prerelease: false
-  version_requirements: *70304131998620
+  version_requirements: *70337431501120
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &70304131998140 !ruby/object:Gem::Requirement
+  requirement: &70337431500620 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -43,10 +43,10 @@ dependencies:
         version: 2.3.0
   type: :development
   prerelease: false
-  version_requirements: *70304131998140
+  version_requirements: *70337431500620
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: &70304131997660 !ruby/object:Gem::Requirement
+  requirement: &70337431500120 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -54,10 +54,10 @@ dependencies:
         version: 1.0.0
   type: :development
   prerelease: false
-  version_requirements: *70304131997660
+  version_requirements: *70337431500120
 - !ruby/object:Gem::Dependency
   name: jeweler
-  requirement: &70304131997180 !ruby/object:Gem::Requirement
+  requirement: &70337431499220 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -65,10 +65,10 @@ dependencies:
         version: 1.6.4
   type: :development
   prerelease: false
-  version_requirements: *70304131997180
+  version_requirements: *70337431499220
 - !ruby/object:Gem::Dependency
   name: rcov
-  requirement: &70304131996680 !ruby/object:Gem::Requirement
+  requirement: &70337431498520 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -76,10 +76,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70304131996680
+  version_requirements: *70337431498520
 - !ruby/object:Gem::Dependency
   name: awesome_print
-  requirement: &70304131996200 !ruby/object:Gem::Requirement
+  requirement: &70337431497620 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -87,7 +87,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70304131996200
+  version_requirements: *70337431497620
 description: dump headers, sections, extract resources of win32 PE exe,dll,etc
 email: zed.0xff@gmail.com
 executables:
@@ -119,8 +119,15 @@ files:
 - lib/pedump/version.rb
 - lib/pedump/version_info.rb
 - pedump.gemspec
+- samples/65535sects.7z
 - samples/calc.7z
+- samples/imports_badterm.exe
+- samples/imports_vterm.exe
 - samples/zlib.dll
+- spec/65535sects_spec.rb
+- spec/imports_badterm_spec.rb
+- spec/imports_vterm_spec.rb
+- spec/pe_spec.rb
 - spec/pedump_spec.rb
 - spec/resource_spec.rb
 - spec/sig_all_packers_spec.rb
@@ -141,7 +148,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 2685694954412936403
+      hash: 3050538541444126729
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements: