pedump 0.4.0 → 0.5.0

data/pedump.gemspec

@@ -5,53 +5,97 @@
 
 Gem::Specification.new do |s|
   s.name = "pedump"
-  s.version = "0.4.0"
+  s.version = "0.5.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Andrey \"Zed\" Zaikin"]
-  s.date = "2011-12-17"
+  s.date = "2013-04-20"
   s.description = "dump headers, sections, extract resources of win32 PE exe,dll,etc"
   s.email = "zed.0xff@gmail.com"
   s.executables = ["pedump"]
   s.extra_rdoc_files = [
     "LICENSE.txt",
-    "README.md",
-    "README.md.tpl"
+    "README.md"
   ]
   s.files = [
     ".document",
     ".rspec",
+    ".travis.yml",
     "Gemfile",
     "Gemfile.lock",
     "LICENSE.txt",
     "README.md",
-    "README.md.tpl",
     "Rakefile",
     "VERSION",
     "bin/pedump",
     "data/fs.txt",
+    "data/jc-userdb.txt",
     "data/sig.bin",
     "data/signatures.txt",
     "data/userdb.txt",
     "lib/pedump.rb",
     "lib/pedump/cli.rb",
+    "lib/pedump/comparer.rb",
+    "lib/pedump/composite_io.rb",
+    "lib/pedump/core.rb",
+    "lib/pedump/core_ext/try.rb",
+    "lib/pedump/loader.rb",
+    "lib/pedump/loader/minidump.rb",
+    "lib/pedump/loader/section.rb",
+    "lib/pedump/logger.rb",
+    "lib/pedump/ne.rb",
+    "lib/pedump/ne/version_info.rb",
     "lib/pedump/packer.rb",
+    "lib/pedump/pe.rb",
+    "lib/pedump/resources.rb",
+    "lib/pedump/security.rb",
     "lib/pedump/sig_parser.rb",
+    "lib/pedump/tls.rb",
+    "lib/pedump/unpacker.rb",
+    "lib/pedump/unpacker/aspack.rb",
+    "lib/pedump/unpacker/upx.rb",
     "lib/pedump/version.rb",
     "lib/pedump/version_info.rb",
+    "misc/aspack/Makefile",
+    "misc/aspack/aspack_unlzx.c",
+    "misc/aspack/lzxdec.c",
+    "misc/aspack/lzxdec.h",
+    "misc/nedump.c",
     "pedump.gemspec",
-    "samples/calc.7z",
-    "samples/zlib.dll",
+    "samples/bad/68.exe",
+    "samples/bad/data_dir_15_entries.exe",
+    "spec/65535sects_spec.rb",
+    "spec/bad_imports_spec.rb",
+    "spec/bad_samples_spec.rb",
+    "spec/composite_io_spec.rb",
+    "spec/data/calc.exe_sections.yml",
+    "spec/data/data_dir_15_entries.exe_sections.yml",
+    "spec/dllord_spec.rb",
+    "spec/foldedhdr_spec.rb",
+    "spec/imports_badterm_spec.rb",
+    "spec/imports_vterm_spec.rb",
+    "spec/loader/names_spec.rb",
+    "spec/loader/va_spec.rb",
+    "spec/manyimportsW7_spec.rb",
+    "spec/ne_spec.rb",
+    "spec/packer_spec.rb",
+    "spec/pe_spec.rb",
     "spec/pedump_spec.rb",
     "spec/resource_spec.rb",
+    "spec/sections_spec.rb",
     "spec/sig_all_packers_spec.rb",
     "spec/sig_spec.rb",
-    "spec/spec_helper.rb"
+    "spec/spec_helper.rb",
+    "spec/support/samples.rb",
+    "spec/unpackers/aspack_spec.rb",
+    "spec/unpackers/find_spec.rb",
+    "spec/virtsectblXP_spec.rb",
+    "tmp/.keep"
   ]
   s.homepage = "http://github.com/zed-0xff/pedump"
   s.licenses = ["MIT"]
   s.require_paths = ["lib"]
-  s.rubygems_version = "1.8.10"
+  s.rubygems_version = "1.8.24"
   s.summary = "dump win32 PE executable files with a pure ruby"
 
   if s.respond_to? :specification_version then
@@ -59,29 +103,35 @@ Gem::Specification.new do |s|
 
     if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
       s.add_runtime_dependency(%q<multipart-post>, ["~> 1.1.4"])
-      s.add_runtime_dependency(%q<progressbar>, ["~> 0.9.2"])
-      s.add_development_dependency(%q<rspec>, ["~> 2.3.0"])
-      s.add_development_dependency(%q<bundler>, ["~> 1.0.0"])
-      s.add_development_dependency(%q<jeweler>, ["~> 1.6.4"])
-      s.add_development_dependency(%q<rcov>, [">= 0"])
-      s.add_development_dependency(%q<awesome_print>, [">= 0"])
+      s.add_runtime_dependency(%q<progressbar>, [">= 0"])
+      s.add_runtime_dependency(%q<awesome_print>, [">= 0"])
+      s.add_runtime_dependency(%q<iostruct>, [">= 0.0.4"])
+      s.add_runtime_dependency(%q<zhexdump>, [">= 0.0.2"])
+      s.add_development_dependency(%q<rspec>, [">= 0"])
+      s.add_development_dependency(%q<bundler>, [">= 0"])
+      s.add_development_dependency(%q<jeweler>, [">= 0"])
+      s.add_development_dependency(%q<what_methods>, [">= 0"])
     else
       s.add_dependency(%q<multipart-post>, ["~> 1.1.4"])
-      s.add_dependency(%q<progressbar>, ["~> 0.9.2"])
-      s.add_dependency(%q<rspec>, ["~> 2.3.0"])
-      s.add_dependency(%q<bundler>, ["~> 1.0.0"])
-      s.add_dependency(%q<jeweler>, ["~> 1.6.4"])
-      s.add_dependency(%q<rcov>, [">= 0"])
+      s.add_dependency(%q<progressbar>, [">= 0"])
       s.add_dependency(%q<awesome_print>, [">= 0"])
+      s.add_dependency(%q<iostruct>, [">= 0.0.4"])
+      s.add_dependency(%q<zhexdump>, [">= 0.0.2"])
+      s.add_dependency(%q<rspec>, [">= 0"])
+      s.add_dependency(%q<bundler>, [">= 0"])
+      s.add_dependency(%q<jeweler>, [">= 0"])
+      s.add_dependency(%q<what_methods>, [">= 0"])
     end
   else
     s.add_dependency(%q<multipart-post>, ["~> 1.1.4"])
-    s.add_dependency(%q<progressbar>, ["~> 0.9.2"])
-    s.add_dependency(%q<rspec>, ["~> 2.3.0"])
-    s.add_dependency(%q<bundler>, ["~> 1.0.0"])
-    s.add_dependency(%q<jeweler>, ["~> 1.6.4"])
-    s.add_dependency(%q<rcov>, [">= 0"])
+    s.add_dependency(%q<progressbar>, [">= 0"])
     s.add_dependency(%q<awesome_print>, [">= 0"])
+    s.add_dependency(%q<iostruct>, [">= 0.0.4"])
+    s.add_dependency(%q<zhexdump>, [">= 0.0.2"])
+    s.add_dependency(%q<rspec>, [">= 0"])
+    s.add_dependency(%q<bundler>, [">= 0"])
+    s.add_dependency(%q<jeweler>, [">= 0"])
+    s.add_dependency(%q<what_methods>, [">= 0"])
   end
 end
 

data/spec/65535sects_spec.rb

@@ -0,0 +1,8 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+
+describe 'corkami/65535sects.exe' do
+  it "should have 65535 sections" do
+    sample.sections.size.should == 65535
+  end
+end

data/spec/bad_imports_spec.rb

@@ -0,0 +1,20 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+
+describe 'bad_imports.exe' do
+  before :all do
+    @imports = sample.imports
+  end
+
+  it "should have IMAGE_IMPORT_DESCRIPTOR" do
+    @imports.size.should == 1
+  end
+
+  it "should have only IMAGE_IMPORT_DESCRIPTORs" do
+    @imports.map(&:class).uniq.should == [PEdump::IMAGE_IMPORT_DESCRIPTOR]
+  end
+
+  it "should not detect packer" do
+    sample.packer.should be_nil
+  end
+end

data/spec/bad_samples_spec.rb

@@ -0,0 +1,13 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+
+PEDUMP_BINARY = File.expand_path(File.dirname(__FILE__) + '/../bin/pedump')
+
+Dir[File.join(SAMPLES_DIR,"bad","*.exe")].each do |fname|
+  describe fname do
+    it "should not cause exception" do
+      system "#{PEDUMP_BINARY} -qqq #{fname} > /dev/null"
+      $?.should be_success
+    end
+  end
+end

data/spec/composite_io_spec.rb

@@ -0,0 +1,122 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump/composite_io')
+
+describe PEdump::CompositeIO do
+  it "concatenates" do
+    io = PEdump::CompositeIO.new(
+      StringIO.new('foo'),
+      StringIO.new('bar'),
+      StringIO.new('baz')
+    )
+    io.read.should == 'foobarbaz'
+  end
+
+  it "reads sequentally" do
+    io = PEdump::CompositeIO.new(
+      StringIO.new('foo1'),
+      StringIO.new('bar2'),
+      StringIO.new('baz')
+    )
+    io.read(3).should == 'foo'
+    io.read(3).should == '1ba'
+    io.read(3).should == 'r2b'
+    io.read(3).should == 'az'
+  end
+
+  it "behaves like StringIO" do
+    io1 = StringIO.new('foo')
+    io2 = PEdump::CompositeIO.new(StringIO.new('foo'))
+
+    io1.read.should == io2.read       # 'foo'
+    io1.read.should == io2.read       # ''
+    io1.read(3).should == io2.read(3) # nil
+  end
+
+  it "tracks number of bytes read" do
+    io = PEdump::CompositeIO.new(
+      StringIO.new('foo1'),
+      StringIO.new('bar2'),
+      StringIO.new('baz')
+    )
+    io.tell.should == 0
+    io.read(3)
+    io.tell.should == 3
+    io.read(4)
+    io.tell.should == 7
+    io.read
+    io.tell.should == 11
+    io.read
+    io.tell.should == 11
+    io.read 10
+    io.tell.should == 11
+  end
+
+  it "chains eof? call" do
+    io = PEdump::CompositeIO.new(
+      StringIO.new('foo1'),
+      StringIO.new('bar2'),
+      StringIO.new('baz')
+    )
+    io.eof?.should be_false
+    io.read(3)
+    io.eof?.should be_false
+    io.read(4)
+    io.eof?.should be_false
+    io.read
+    io.eof?.should be_true
+    io.read
+    io.eof?.should be_true
+    io.read 10
+    io.eof?.should be_true
+  end
+
+  it "seeks" do
+    io = PEdump::CompositeIO.new(
+      StringIO.new('foo1'),
+      StringIO.new('bar2'),
+      StringIO.new('baz')
+    )
+
+    io.seek(5)
+    io.tell.should == 5
+    io.read(4).should == "ar2b"
+
+    io.seek(0)
+    io.tell.should == 0
+    io.read.should == "foo1bar2baz"
+
+    io.seek(1)
+    io.tell.should == 1
+    io.read.should == "oo1bar2baz"
+  end
+
+  it "respects start positions" do
+    ios = [
+      StringIO.new('foo1'),
+      StringIO.new('bar2'),
+      StringIO.new('baz3')
+    ]
+    ios.each_with_index{ |io,idx| io.seek(idx+1) }
+
+    s = "oo1r23"
+
+    io = PEdump::CompositeIO.new(*ios)
+    io.tell.should == 0
+    io.read.should == s
+
+    s.size.times do |pos|
+      io.seek(pos)
+      io.tell.should == pos
+      io.read.should == s[pos..-1]
+    end
+  end
+
+  it "summarizes size" do
+    io = PEdump::CompositeIO.new(
+      StringIO.new('foo1'),
+      StringIO.new('bar2'),
+      StringIO.new('baz')
+    )
+    io.size.should == 11
+  end
+end

data/spec/data/calc.exe_sections.yml

@@ -0,0 +1,49 @@
+---
+- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
+  Name: !binary |-
+    LnRleHQ=
+  VirtualSize: 305562
+  VirtualAddress: 4096
+  SizeOfRawData: 305664
+  PointerToRawData: 1024
+  PointerToRelocations: 0
+  PointerToLinenumbers: 0
+  NumberOfRelocations: 0
+  NumberOfLinenumbers: 0
+  Characteristics: 1610612768
+- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
+  Name: !binary |-
+    LmRhdGE=
+  VirtualSize: 17180
+  VirtualAddress: 311296
+  SizeOfRawData: 12288
+  PointerToRawData: 306688
+  PointerToRelocations: 0
+  PointerToLinenumbers: 0
+  NumberOfRelocations: 0
+  NumberOfLinenumbers: 0
+  Characteristics: 3221225536
+- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
+  Name: !binary |-
+    LnJzcmM=
+  VirtualSize: 305927
+  VirtualAddress: 331776
+  SizeOfRawData: 306176
+  PointerToRawData: 318976
+  PointerToRelocations: 0
+  PointerToLinenumbers: 0
+  NumberOfRelocations: 0
+  NumberOfLinenumbers: 0
+  Characteristics: 1073741888
+- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
+  Name: !binary |-
+    LnJlbG9j
+  VirtualSize: 16886
+  VirtualAddress: 638976
+  SizeOfRawData: 16896
+  PointerToRawData: 625152
+  PointerToRelocations: 0
+  PointerToLinenumbers: 0
+  NumberOfRelocations: 0
+  NumberOfLinenumbers: 0
+  Characteristics: 1107296320

data/spec/data/data_dir_15_entries.exe_sections.yml

@@ -0,0 +1,95 @@
+---
+- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
+  Name: !binary ""
+  VirtualSize: 245760
+  VirtualAddress: 8192
+  SizeOfRawData: 103936
+  PointerToRawData: 8192
+  PointerToRelocations: 0
+  PointerToLinenumbers: 0
+  NumberOfRelocations: 0
+  NumberOfLinenumbers: 0
+  Characteristics: 3758096448
+- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
+  Name: !binary |-
+    LnJzcmM=
+  VirtualSize: 2624
+  VirtualAddress: 253952
+  SizeOfRawData: 1536
+  PointerToRawData: 112128
+  PointerToRelocations: 0
+  PointerToLinenumbers: 0
+  NumberOfRelocations: 0
+  NumberOfLinenumbers: 0
+  Characteristics: 3221225536
+- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
+  Name: !binary |-
+    LmlkYXRh
+  VirtualSize: 8192
+  VirtualAddress: 262144
+  SizeOfRawData: 1024
+  PointerToRawData: 113664
+  PointerToRelocations: 0
+  PointerToLinenumbers: 0
+  NumberOfRelocations: 0
+  NumberOfLinenumbers: 0
+  Characteristics: 3221225536
+- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
+  Name: !binary ""
+  VirtualSize: 1679360
+  VirtualAddress: 270336
+  SizeOfRawData: 512
+  PointerToRawData: 114688
+  PointerToRelocations: 0
+  PointerToLinenumbers: 0
+  NumberOfRelocations: 0
+  NumberOfLinenumbers: 0
+  Characteristics: 3758096448
+- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
+  Name: !binary |-
+    cnVsbm1kdnE=
+  VirtualSize: 1613824
+  VirtualAddress: 1949696
+  SizeOfRawData: 1607680
+  PointerToRawData: 115200
+  PointerToRelocations: 0
+  PointerToLinenumbers: 0
+  NumberOfRelocations: 0
+  NumberOfLinenumbers: 0
+  Characteristics: 3758096448
+- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
+  Name: !binary |-
+    Ym5uYm1jcWY=
+  VirtualSize: 8192
+  VirtualAddress: 3563520
+  SizeOfRawData: 512
+  PointerToRawData: 1722880
+  PointerToRelocations: 0
+  PointerToLinenumbers: 0
+  NumberOfRelocations: 0
+  NumberOfLinenumbers: 0
+  Characteristics: 3758096448
+- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
+  Name: !binary |-
+    Ym5uYm1jcWY=
+  VirtualSize: 8192
+  VirtualAddress: 3571712
+  SizeOfRawData: 3072
+  PointerToRawData: 1723392
+  PointerToRelocations: 0
+  PointerToLinenumbers: 0
+  NumberOfRelocations: 0
+  NumberOfLinenumbers: 0
+  Characteristics: 3758096448
+- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
+  Name: !binary |-
+    LmRhdGEAQXA=
+  VirtualSize: 8192
+  VirtualAddress: 3579904
+  SizeOfRawData: 0
+  PointerToRawData: 1726464
+  PointerToRelocations: 0
+  PointerToLinenumbers: 0
+  NumberOfRelocations: 0
+  NumberOfLinenumbers: 0
+  Characteristics: 3758096448