RubyGems - pedump - Versions diffs - 0.4.0 → 0.4.1 - Mend

pedump 0.4.0 → 0.4.1

Files changed (13) hide show

data/VERSION +1 -1
data/lib/pedump.rb +7 -6
data/lib/pedump/cli.rb +3 -3
data/lib/pedump/version.rb +1 -1
data/pedump.gemspec +9 -2
data/samples/65535sects.7z +0 -0
data/samples/imports_badterm.exe +0 -0
data/samples/imports_vterm.exe +0 -0
data/spec/65535sects_spec.rb +16 -0
data/spec/imports_badterm_spec.rb +58 -0
data/spec/imports_vterm_spec.rb +58 -0
data/spec/pe_spec.rb +6 -0
metadata +24 -17

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 0.4.0
1	+ 0.4.1

data/lib/pedump.rb CHANGED Viewed

@@ -185,7 +185,7 @@ class PEdump
     def initialize *args
       super
-      self.TimeDateStamp = Time.at(self.TimeDateStamp)
+      self.TimeDateStamp = Time.at(self.TimeDateStamp).utc
     end
     def flags
       FLAGS.find_all{ |k,v| (self.Characteristics & k) != 0 }.map(&:last)
@@ -471,12 +471,12 @@ class PEdump
               end
             end
-            if (nToRead=pe.ifh.NumberOfSections) > 32
+            if (nToRead=pe.ifh.NumberOfSections) > 0xffff
               if @force.is_a?(Numeric) && @force > 1
                 logger.warn "[!] too many sections (#{pe.ifh.NumberOfSections}). forced. reading all"
               else
-                logger.warn "[!] too many sections (#{pe.ifh.NumberOfSections}). not forced, reading first 32"
-                nToRead = 32
+                logger.warn "[!] too many sections (#{pe.ifh.NumberOfSections}). not forced, reading first 65535"
+                nToRead = 65535
               end
             end
             pe.section_table = nToRead.times.map do
@@ -543,13 +543,14 @@ class PEdump
     return nil unless file_offset
     f.seek file_offset
     r = []
-    until (t=IMAGE_IMPORT_DESCRIPTOR.read(f)).empty?
+    until (t=IMAGE_IMPORT_DESCRIPTOR.read(f)).Name.to_i == 0
       r << t
     end
+    logger.warn "[?] non-empty last IMAGE_IMPORT_DESCRIPTOR: #{t.inspect}" unless t.empty?
     @imports = r.each do |x|
       if x.Name.to_i != 0 && (va = va2file(x.Name))
         f.seek va
-        x.module_name = f.gets("\x00").chop
+        x.module_name = f.gets("\x00").chomp("\x00")
       end
       [:original_first_thunk, :first_thunk].each do |tbl|
         camel = tbl.capitalize.to_s.gsub(/_./){ |char| char[1..-1].upcase}

data/lib/pedump/cli.rb CHANGED Viewed

@@ -268,7 +268,7 @@ class PEdump::CLI
       when :pe
         @pedump.pe.ifh.TimeDateStamp = @pedump.pe.ifh.TimeDateStamp.to_i
         data = @pedump.pe.signature + (@pedump.pe.ifh.try(:pack)||'') + (@pedump.pe.ioh.try(:pack)||'')
-        @pedump.pe.ifh.TimeDateStamp = Time.at(@pedump.pe.ifh.TimeDateStamp)
+        @pedump.pe.ifh.TimeDateStamp = Time.at(@pedump.pe.ifh.TimeDateStamp).utc
       when :resources
         return dump_resources(data)
       when :strings
@@ -352,7 +352,7 @@ class PEdump::CLI
           printf "%30s: %24s\n", k.to_s.sub('Major',''), "#{v}.#{data[k.to_s.sub('Major','Minor')]}"
         when /\AMinor.*Version\Z/
         when /TimeDateStamp/
-          printf "%30s: %24s\n", k, Time.at(v).strftime('"%Y-%m-%d %H:%M:%S"')
+          printf "%30s: %24s\n", k, Time.at(v).utc.strftime('"%Y-%m-%d %H:%M:%S"')
         else
           comment = ''
           if COMMENTS[k]
@@ -485,7 +485,7 @@ class PEdump::CLI
     printf "# module %s\n# flags=0x%x  ts=%s  version=%d.%d  ord_base=%d\n",
       data.name.inspect,
       data.Characteristics.to_i,
-      Time.at(data.TimeDateStamp.to_i).strftime('"%Y-%m-%d %H:%M:%S"'),
+      Time.at(data.TimeDateStamp.to_i).utc.strftime('"%Y-%m-%d %H:%M:%S"'),
       data.MajorVersion, data.MinorVersion,
       data.Base

data/lib/pedump/version.rb CHANGED Viewed

@@ -2,7 +2,7 @@ class PEdump
   module Version
     MAJOR = 0
     MINOR = 4
-    PATCH = 0
+    PATCH = 1
     BUILD = nil
     STRING = [MAJOR, MINOR, PATCH, BUILD].compact.join('.')

data/pedump.gemspec CHANGED Viewed

@@ -5,11 +5,11 @@
 Gem::Specification.new do |s|
   s.name = "pedump"
-  s.version = "0.4.0"
+  s.version = "0.4.1"
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Andrey \"Zed\" Zaikin"]
-  s.date = "2011-12-17"
+  s.date = "2011-12-19"
   s.description = "dump headers, sections, extract resources of win32 PE exe,dll,etc"
   s.email = "zed.0xff@gmail.com"
   s.executables = ["pedump"]
@@ -40,8 +40,15 @@ Gem::Specification.new do |s|
     "lib/pedump/version.rb",
     "lib/pedump/version_info.rb",
     "pedump.gemspec",
+    "samples/65535sects.7z",
     "samples/calc.7z",
+    "samples/imports_badterm.exe",
+    "samples/imports_vterm.exe",
     "samples/zlib.dll",
+    "spec/65535sects_spec.rb",
+    "spec/imports_badterm_spec.rb",
+    "spec/imports_vterm_spec.rb",
+    "spec/pe_spec.rb",
     "spec/pedump_spec.rb",
     "spec/resource_spec.rb",
     "spec/sig_all_packers_spec.rb",

data/samples/65535sects.7z ADDED Viewed

Binary file

data/samples/imports_badterm.exe ADDED Viewed

Binary file

data/samples/imports_vterm.exe ADDED Viewed

Binary file

data/spec/65535sects_spec.rb ADDED Viewed

@@ -0,0 +1,16 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+describe 'a PE file with 65535 sections' do
+  before :all do
+    fname = File.expand_path(File.dirname(__FILE__) + '/../samples/65535sects.exe')
+    File.open(fname,"rb") do |f|
+      @pedump = PEdump.new(fname)
+      @sections = @pedump.sections(f)
+    end
+  end
+  it "should have 65535 sections" do
+    @sections.size.should == 65535
+  end
+end

data/spec/imports_badterm_spec.rb ADDED Viewed

@@ -0,0 +1,58 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+describe 'Imports' do
+  # PE with a 'bad' imports terminator, just the dll name is empty
+  # http://code.google.com/p/corkami/source/browse/trunk/asm/PE/imports_badterm.asm
+  describe "imports_badterm.exe" do
+    before :all do
+      fname = File.expand_path(File.dirname(__FILE__) + '/../samples/imports_badterm.exe')
+      File.open(fname,"rb") do |f|
+        @pedump = PEdump.new(fname)
+        @imports = @pedump.imports(f)
+      end
+    end
+    it "should have 2 IMAGE_IMPORT_DESCRIPTORs" do
+      @imports.size.should == 2
+    end
+    it "should have only IMAGE_IMPORT_DESCRIPTORs" do
+      @imports.map(&:class).uniq.should == [PEdump::IMAGE_IMPORT_DESCRIPTOR]
+    end
+    it "should have all entries thunks equal" do
+      @imports.each do |iid|
+        iid.first_thunk.should == iid.original_first_thunk
+      end
+    end
+    describe "1st image_import_descriptor" do
+      it "should be from kernel32.dll" do
+        @imports[0].module_name.should == "kernel32.dll"
+      end
+      it "should have 1 function" do
+        @imports[0].first_thunk.size.should == 1
+      end
+      it "should have ExitProcess" do
+        @imports[0].first_thunk.first.name.should == "ExitProcess"
+        @imports[0].first_thunk.first.hint.should == 0
+        @imports[0].first_thunk.first.ordinal.should be_nil
+      end
+    end
+    describe "2nd image_import_descriptor" do
+      it "should be from msvcrt.dll" do
+        @imports[1].module_name.should == "msvcrt.dll"
+      end
+      it "should have 1 function" do
+        @imports[1].first_thunk.size.should == 1
+      end
+      it "should have printf" do
+        @imports[1].first_thunk.first.name.should == "printf"
+        @imports[1].first_thunk.first.hint.should == 0
+        @imports[1].first_thunk.first.ordinal.should be_nil
+      end
+    end
+  end
+end

data/spec/imports_vterm_spec.rb ADDED Viewed

@@ -0,0 +1,58 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+describe 'Imports' do
+  # http://code.google.com/p/corkami/source/browse/trunk/asm/PE/imports_vterm.asm
+  #describe "import terminator in virtual space" do
+  describe "imports_vterm.exe" do
+    before :all do
+      fname = File.expand_path(File.dirname(__FILE__) + '/../samples/imports_vterm.exe')
+      File.open(fname,"rb") do |f|
+        @pedump = PEdump.new(fname)
+        @imports = @pedump.imports(f)
+      end
+    end
+    it "should have 2 IMAGE_IMPORT_DESCRIPTORs" do
+      @imports.size.should == 2
+    end
+    it "should have only IMAGE_IMPORT_DESCRIPTORs" do
+      @imports.map(&:class).uniq.should == [PEdump::IMAGE_IMPORT_DESCRIPTOR]
+    end
+    it "should have all entries thunks equal" do
+      @imports.each do |iid|
+        iid.first_thunk.should == iid.original_first_thunk
+      end
+    end
+    describe "1st image_import_descriptor" do
+      it "should be from kernel32.dll" do
+        @imports[0].module_name.should == "kernel32.dll"
+      end
+      it "should have 1 function" do
+        @imports[0].first_thunk.size.should == 1
+      end
+      it "should have ExitProcess" do
+        @imports[0].first_thunk.first.name.should == "ExitProcess"
+        @imports[0].first_thunk.first.hint.should == 0
+        @imports[0].first_thunk.first.ordinal.should be_nil
+      end
+    end
+    describe "2nd image_import_descriptor" do
+      it "should be from msvcrt.dll" do
+        @imports[1].module_name.should == "msvcrt.dll"
+      end
+      it "should have 1 function" do
+        @imports[1].first_thunk.size.should == 1
+      end
+      it "should have printf" do
+        @imports[1].first_thunk.first.name.should == "printf"
+        @imports[1].first_thunk.first.hint.should == 0
+        @imports[1].first_thunk.first.ordinal.should be_nil
+      end
+    end
+  end
+end

data/spec/pe_spec.rb ADDED Viewed

@@ -0,0 +1,6 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+describe 'PE' do
+  it "should assume TimeDateStamp is in UTC"
+end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pedump
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.4.1
   prerelease:
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2011-12-17 00:00:00.000000000 Z
+date: 2011-12-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multipart-post
-  requirement: &70304131999160 !ruby/object:Gem::Requirement
+  requirement: &70337431501640 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -21,10 +21,10 @@ dependencies:
         version: 1.1.4
   type: :runtime
   prerelease: false
-  version_requirements: *70304131999160
+  version_requirements: *70337431501640
 - !ruby/object:Gem::Dependency
   name: progressbar
-  requirement: &70304131998620 !ruby/object:Gem::Requirement
+  requirement: &70337431501120 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -32,10 +32,10 @@ dependencies:
         version: 0.9.2
   type: :runtime
   prerelease: false
-  version_requirements: *70304131998620
+  version_requirements: *70337431501120
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &70304131998140 !ruby/object:Gem::Requirement
+  requirement: &70337431500620 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -43,10 +43,10 @@ dependencies:
         version: 2.3.0
   type: :development
   prerelease: false
-  version_requirements: *70304131998140
+  version_requirements: *70337431500620
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: &70304131997660 !ruby/object:Gem::Requirement
+  requirement: &70337431500120 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -54,10 +54,10 @@ dependencies:
         version: 1.0.0
   type: :development
   prerelease: false
-  version_requirements: *70304131997660
+  version_requirements: *70337431500120
 - !ruby/object:Gem::Dependency
   name: jeweler
-  requirement: &70304131997180 !ruby/object:Gem::Requirement
+  requirement: &70337431499220 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -65,10 +65,10 @@ dependencies:
         version: 1.6.4
   type: :development
   prerelease: false
-  version_requirements: *70304131997180
+  version_requirements: *70337431499220
 - !ruby/object:Gem::Dependency
   name: rcov
-  requirement: &70304131996680 !ruby/object:Gem::Requirement
+  requirement: &70337431498520 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -76,10 +76,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70304131996680
+  version_requirements: *70337431498520
 - !ruby/object:Gem::Dependency
   name: awesome_print
-  requirement: &70304131996200 !ruby/object:Gem::Requirement
+  requirement: &70337431497620 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -87,7 +87,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70304131996200
+  version_requirements: *70337431497620
 description: dump headers, sections, extract resources of win32 PE exe,dll,etc
 email: zed.0xff@gmail.com
 executables:
@@ -119,8 +119,15 @@ files:
 - lib/pedump/version.rb
 - lib/pedump/version_info.rb
 - pedump.gemspec
+- samples/65535sects.7z
 - samples/calc.7z
+- samples/imports_badterm.exe
+- samples/imports_vterm.exe
 - samples/zlib.dll
+- spec/65535sects_spec.rb
+- spec/imports_badterm_spec.rb
+- spec/imports_vterm_spec.rb
+- spec/pe_spec.rb
 - spec/pedump_spec.rb
 - spec/resource_spec.rb
 - spec/sig_all_packers_spec.rb
@@ -141,7 +148,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 2685694954412936403
+      hash: 3050538541444126729
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements: