pedump 0.4.0 → 0.5.0

data/spec/dllord_spec.rb

@@ -0,0 +1,21 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+
+describe 'corkami/dllord.dll' do
+  it "should have 1 import" do
+    sample.imports.size.should == 1
+    sample.imports.map(&:module_name).should == %w'msvcrt.dll'
+    sample.imports.map do |iid|
+      (iid.original_first_thunk + iid.first_thunk).uniq.map(&:name)
+    end.flatten.should == ["printf"]
+  end
+
+  it "exports at least 2 entries" do
+    sample.exports.Base.should == 0x313
+    sample.exports.name.should be_nil
+    sample.exports.names.should be_empty
+    sample.exports.name_ordinals.should be_empty
+    sample.exports.entry_points[0].should == 0xffff_ffff
+    sample.exports.entry_points[1].should == 0x1008
+  end
+end

data/spec/foldedhdr_spec.rb

@@ -0,0 +1,28 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+
+[ 'corkami/foldedhdr.exe', 'corkami/foldedhdrW7.exe' ].each do |fname|
+  describe fname do
+    before :all do
+      @sample = sample
+    end
+
+    it "should have 2 imports" do
+      @sample.imports.size.should == 2
+      @sample.imports.map(&:module_name).should == %w'kernel32.dll msvcrt.dll'
+      @sample.imports.map do |iid|
+        (iid.original_first_thunk + iid.first_thunk).uniq.map(&:name)
+      end.flatten.should == ["ExitProcess", "printf"]
+    end
+
+    it "should have 1 section" do
+      @sample.sections.size.should == 1
+      s = @sample.sections.first
+      s.VirtualSize.should == 0x1000
+      s.VirtualAddress.should == 0x1000
+      s.SizeOfRawData.should == 0x200
+      s.PointerToRawData.should == 0x200
+      s.flags.should == 0xa0000000
+    end
+  end
+end

data/spec/imports_badterm_spec.rb

@@ -0,0 +1,52 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+
+describe 'corkami/imports_badterm.exe' do
+  # PE with a 'bad' imports terminator, just the dll name is empty
+  # http://code.google.com/p/corkami/source/browse/trunk/asm/PE/imports_badterm.asm
+  before :all do
+    @imports = sample.imports
+  end
+
+  it "should have 2 IMAGE_IMPORT_DESCRIPTORs" do
+    @imports.size.should == 2
+  end
+
+  it "should have only IMAGE_IMPORT_DESCRIPTORs" do
+    @imports.map(&:class).uniq.should == [PEdump::IMAGE_IMPORT_DESCRIPTOR]
+  end
+
+#  it "should have all entries thunks equal" do
+#    @imports.each do |iid|
+#      iid.first_thunk.should == iid.original_first_thunk
+#    end
+#  end
+
+  describe "1st image_import_descriptor" do
+    it "should be from kernel32.dll" do
+      @imports[0].module_name.should == "kernel32.dll"
+    end
+    it "should have 1 function" do
+      @imports[0].first_thunk.size.should == 1
+    end
+    it "should have ExitProcess" do
+      @imports[0].first_thunk.first.name.should == "ExitProcess"
+      @imports[0].first_thunk.first.hint.should == 0
+      @imports[0].first_thunk.first.ordinal.should be_nil
+    end
+  end
+
+  describe "2nd image_import_descriptor" do
+    it "should be from msvcrt.dll" do
+      @imports[1].module_name.should == "msvcrt.dll"
+    end
+    it "should have 1 function" do
+      @imports[1].first_thunk.size.should == 1
+    end
+    it "should have printf" do
+      @imports[1].first_thunk.first.name.should == "printf"
+      @imports[1].first_thunk.first.hint.should == 0
+      @imports[1].first_thunk.first.ordinal.should be_nil
+    end
+  end
+end

data/spec/imports_vterm_spec.rb

@@ -0,0 +1,52 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+
+describe 'corkami/imports_vterm.exe' do
+  # http://code.google.com/p/corkami/source/browse/trunk/asm/PE/imports_vterm.asm
+  #describe "import terminator in virtual space" do
+  before :all do
+    @imports = sample.imports
+  end
+
+  it "should have 2 IMAGE_IMPORT_DESCRIPTORs" do
+    @imports.size.should == 2
+  end
+
+  it "should have only IMAGE_IMPORT_DESCRIPTORs" do
+    @imports.map(&:class).uniq.should == [PEdump::IMAGE_IMPORT_DESCRIPTOR]
+  end
+
+#  it "should have all entries thunks equal" do
+#    @imports.each do |iid|
+#      iid.first_thunk.should == iid.original_first_thunk
+#    end
+#  end
+
+  describe "1st image_import_descriptor" do
+    it "should be from kernel32.dll" do
+      @imports[0].module_name.should == "kernel32.dll"
+    end
+    it "should have 1 function" do
+      @imports[0].first_thunk.size.should == 1
+    end
+    it "should have ExitProcess" do
+      @imports[0].first_thunk.first.name.should == "ExitProcess"
+      @imports[0].first_thunk.first.hint.should == 0
+      @imports[0].first_thunk.first.ordinal.should be_nil
+    end
+  end
+
+  describe "2nd image_import_descriptor" do
+    it "should be from msvcrt.dll" do
+      @imports[1].module_name.should == "msvcrt.dll"
+    end
+    it "should have 1 function" do
+      @imports[1].first_thunk.size.should == 1
+    end
+    it "should have printf" do
+      @imports[1].first_thunk.first.name.should == "printf"
+      @imports[1].first_thunk.first.hint.should == 0
+      @imports[1].first_thunk.first.ordinal.should be_nil
+    end
+  end
+end

data/spec/loader/names_spec.rb

@@ -0,0 +1,24 @@
+require 'spec_helper'
+require 'pedump/loader'
+
+describe PEdump::Loader do
+  it "should read names from imports" do
+    io = open("samples/calc.exe","rb")
+    @ldr = PEdump::Loader.new io
+
+    @ldr.names.should_not be_nil
+    @ldr.names.should_not be_empty
+    @ldr.names.size.should >= 343
+    @ldr.names[0x10010d0].should == 'GetStartupInfoA'
+  end
+
+  it "should read names from exports" do
+    io = open("samples/zlib.dll","rb")
+    @ldr = PEdump::Loader.new io
+
+    @ldr.names.should_not be_nil
+    @ldr.names.should_not be_empty
+    @ldr.names.size.should >= 69
+    @ldr.names[0x1000e340].should == 'zlib_version'
+  end
+end

data/spec/loader/va_spec.rb

@@ -0,0 +1,44 @@
+require 'spec_helper'
+require 'pedump/loader'
+
+describe PEdump::Loader do
+  describe "#valid_va?" do
+    describe "samples/calc.exe" do
+      before do
+        io = open("samples/calc.exe","rb")
+        @ldr = PEdump::Loader.new io
+      end
+
+      %w'1001000 1010000 104b999 104c000 1051000 109c000 10a01f5'.each do |x|
+        it "returns true for 0x#{x}" do
+          @ldr.valid_va?(x.to_i(16)).should be_true
+        end
+      end
+
+      %w'0 1 1000 1000fff 104b99a 104bfff 1050fff 109bfff 10a01f6'.each do |x|
+        it "returns false for 0x#{x}" do
+          @ldr.valid_va?(x.to_i(16)).should be_false
+        end
+      end
+    end
+
+    describe "samples/upx.exe" do
+      before do
+        io = open("samples/upx.exe","rb")
+        @ldr = PEdump::Loader.new io
+      end
+
+      %w'401000 541000 589000 589fff'.each do |x|
+        it "returns true for 0x#{x}" do
+          @ldr.valid_va?(x.to_i(16)).should be_true
+        end
+      end
+
+      %w'0 1 1000 400000 58a000'.each do |x|
+        it "returns false for 0x#{x}" do
+          @ldr.valid_va?(x.to_i(16)).should be_false
+        end
+      end
+    end
+  end
+end

data/spec/manyimportsW7_spec.rb

@@ -0,0 +1,22 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+
+describe "corkami/manyimportsW7.exe" do
+  before :all do
+    @sample = sample
+  end
+
+  it "should have 2 imports" do
+    @sample.imports.size.should == 2
+    @sample.imports.map(&:module_name).should == %w'kernel32.dll msvcrt.dll'
+    @sample.imports.map do |iid|
+      (iid.original_first_thunk + iid.first_thunk).uniq.map(&:name)
+    end.flatten.should == ["ExitProcess", "printf"]
+  end
+
+  it "should have 1 TLS" do
+    @sample.tls.size.should == 1
+    @sample.tls.first.AddressOfIndex.should == 0x401148
+    @sample.tls.first.AddressOfCallBacks.should == 0x401100
+  end
+end

data/spec/ne_spec.rb

@@ -0,0 +1,125 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+
+5.times do |idx|
+  fname = "ne#{idx}." + (idx==4 ? "dll" : "exe")
+
+  modulenames = %w"_DELIS VISTA21P ISSET_SE HORSNCF MAPI"
+  exports = []
+
+  # ne0.exe
+  exports << [
+    PEdump::ExportedFunction.new("WNDPROC", 1, 0x10258)
+  ]
+
+  # ne1.exe
+  exports << []
+
+  # ne2.exe
+  exports << [
+    PEdump::ExportedFunction.new("LOGODLGPROC", 1, 0x13ACA),
+    PEdump::ExportedFunction.new("BARWNDPROC",  2, 0x15FF0),
+    PEdump::ExportedFunction.new("SETUPWNDPROC",3, 0x100B2),
+    PEdump::ExportedFunction.new("LOGOBWNDPROC",4, 0x147B4),
+  ]
+
+  # ne3.exe
+  exports << [
+    PEdump::ExportedFunction.new("___EXPORTEDSTUB", 1, 0x63cf4),
+    PEdump::ExportedFunction.new("_AFX_VERSION",    2, 0x4272c),
+  ]
+
+  # ne4.dll
+  exports << [
+    PEdump::ExportedFunction.new("WEP", 1, 0x10000),
+    PEdump::ExportedFunction.new("BMAPIGETREADMAIL",  33, 0x7020A),
+    PEdump::ExportedFunction.new("BMAPIRESOLVENAME",  38, 0x7077C),
+    PEdump::ExportedFunction.new("BMAPIGETADDRESS",   36, 0x70692),
+    PEdump::ExportedFunction.new("BMAPIFINDNEXT",     34, 0x70074),
+    PEdump::ExportedFunction.new("BMAPIDETAILS",      37, 0x706F1),
+    PEdump::ExportedFunction.new("MAPIFREEBUFFER",    18, 0xb0A71),
+    PEdump::ExportedFunction.new("MAPIFINDNEXT",      16, 0xa0000),
+    PEdump::ExportedFunction.new("MAPIDELETEMAIL",    17, 0x90000),
+    PEdump::ExportedFunction.new("MAPIREADMAIL",      15, 0x100000),
+    PEdump::ExportedFunction.new("BMAPIADDRESS",      35, 0x7051D),
+    PEdump::ExportedFunction.new("MAPIADDRESS",       19, 0x60139),
+    PEdump::ExportedFunction.new("MAPILOGON",         11, 0xc0000),
+    PEdump::ExportedFunction.new("MAPISENDMAIL",      13, 0x130000),
+    PEdump::ExportedFunction.new("MAPIRESOLVENAME",   21, 0x60A3F),
+    PEdump::ExportedFunction.new("MAPIDETAILS",       20, 0x60752),
+    PEdump::ExportedFunction.new("BMAPISAVEMAIL",     31, 0x70455),
+    PEdump::ExportedFunction.new("MAPISAVEMAIL",      14, 0x1302BE),
+    PEdump::ExportedFunction.new("BMAPIREADMAIL",     32, 0x70141),
+    PEdump::ExportedFunction.new("MAPISENDDOCUMENTS", 10, 0x120703),
+    PEdump::ExportedFunction.new("MAPILOGOFF",        12, 0xc00D2),
+    PEdump::ExportedFunction.new("BMAPISENDMAIL",     30, 0x70000),
+  ]
+
+  imports = [
+    ['KERNEL',   0x80],
+    ['VBRUN300', 0x64],
+    ['GDI',      0x15f],
+    ['FINSTDLL', nil,  'FILECOPY'],
+    ['DEMILAYR', 0x6f]
+  ]
+
+  versions = %w'2.20.900.0 - 3.0.111.0 1.0.0.1 3.2.0.4057'
+
+  describe fname do
+    it "should have NE header" do
+      sample do |f|
+        f.ne.should_not be_nil
+      end
+    end
+
+    it "should not have PE header" do
+      sample do |f|
+        f.pe.should be_nil
+      end
+    end
+
+    it "should have NE segments" do
+      sample do |f|
+        f.ne.segments.size.should == f.ne.ne_cseg
+      end
+    end
+
+    it "should have NE resources" do
+      sample do |f|
+        f.ne.resources.should_not be_nil
+        ver = f.ne.resources.find{ |res| res.type == 'VERSION' }
+        expected = versions[idx]
+        if expected == '-'
+          ver.should be_nil
+        else
+          vi = ver.data.first
+          [
+            vi.Value.dwFileVersionMS.to_i >> 16,
+            vi.Value.dwFileVersionMS.to_i &  0xffff,
+            vi.Value.dwFileVersionLS.to_i >> 16,
+            vi.Value.dwFileVersionLS.to_i &  0xffff
+          ].join('.').should == expected
+        end
+      end
+    end
+
+    it "should have imports" do
+      sample do |f|
+        f.ne.imports.should_not be_nil
+        func = PEdump::ImportedFunction.new
+        func.module_name = imports[idx][0]
+        func.ordinal     = imports[idx][1]
+        func.name        = imports[idx][2]
+
+        f.ne.imports.should include(func)
+      end
+    end
+    it "should have exports" do
+      sample do |f|
+        f.ne.exports.should_not be_nil
+        f.ne.exports.name.should == modulenames[idx]
+        f.ne.exports.functions.should == exports[idx]
+      end
+    end
+  end
+end

data/spec/packer_spec.rb

@@ -0,0 +1,17 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+
+%w'calc_upx.exe arm_upx.exe'.each do |fname|
+  describe fname do
+    before :all do
+      File.open(File.join("samples",fname),"rb") do |f|
+        @packer = PEdump.new(f).packer.first
+      end
+    end
+
+    it "should detect UPX" do
+      @packer.should_not be_nil
+      @packer.name.should include 'UPX'
+    end
+  end
+end

data/spec/pe_spec.rb

@@ -0,0 +1,67 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+
+describe 'PE' do
+  it "should assume TimeDateStamp is in UTC"
+
+  KLASS = PEdump::ImportedFunction
+
+  describe KLASS do
+    it "should be equal" do
+      pending "necessary?"
+      a = []
+      KLASS.new(*a).should == KLASS.new(*a)
+      a = ['a']
+      KLASS.new(*a).should == KLASS.new(*a)
+      a = ['a','b']
+      KLASS.new(*a).should == KLASS.new(*a)
+      a = ['a','b','c']
+      KLASS.new(*a).should == KLASS.new(*a)
+      a = ['a','b','c','d']
+      KLASS.new(*a).should == KLASS.new(*a)
+    end
+
+    it "should not be equal" do
+      a = ['a']
+      b = []
+      KLASS.new(*a).should_not == KLASS.new(*b)
+      a = ['a']
+      b = ['b']
+      KLASS.new(*a).should_not == KLASS.new(*b)
+      a = ['a','B']
+      b = ['a','b']
+      KLASS.new(*a).should_not == KLASS.new(*b)
+      a = ['a','b','c']
+      b = ['a','b']
+      KLASS.new(*a).should_not == KLASS.new(*b)
+      a = ['a','b','c']
+      b = ['a','b','X']
+      KLASS.new(*a).should_not == KLASS.new(*b)
+    end
+
+    it "should be equal with different VA's" do
+      pending "necessary?"
+      a = ['a','b','c',nil]
+      b = ['a','b','c','d']
+      KLASS.new(*a).should == KLASS.new(*b)
+      a = ['a','b','c',0x1000]
+      b = ['a','b','c',0x2000]
+      KLASS.new(*a).should == KLASS.new(*b)
+      a = ['a','b','c',0x1000]
+      b = ['a','b','c',0x1000]
+      KLASS.new(*a).should == KLASS.new(*b)
+    end
+
+    it "should be equal in uniq() with different VA's" do
+      a = ['a','b','c',nil]
+      b = ['a','b','c','d']
+      [KLASS.new(*a), KLASS.new(*b)].uniq.size.should == 1
+      a = ['a','b','c',0x1000]
+      b = ['a','b','c',0x2000]
+      [KLASS.new(*a), KLASS.new(*b)].uniq.size.should == 1
+      a = ['a','b','c',0x1000]
+      b = ['a','b','c',0x1000]
+      [KLASS.new(*a), KLASS.new(*b)].uniq.size.should == 1
+    end
+  end
+end