pedump 0.4.0 → 0.5.0

data/spec/pedump_spec.rb

@@ -1,7 +1,19 @@
 require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
 
-describe "Pedump" do
-#  it "fails" do
-#    fail "hey buddy, you should probably rename this file and start specing for real"
-#  end
+describe "PEdump#dump" do
+  describe "should save packer" do
+    it "when arg is a filename" do
+      dump = PEdump.dump("samples/arm_upx.exe", :log_level => Logger::FATAL)
+      dump.packers.size.should == 1
+      dump.packers.first.name.should =~ /UPX/
+    end
+
+    it "when arg is an IO" do
+      File.open("samples/arm_upx.exe", "rb") do |f|
+        dump = PEdump.dump(f, :log_level => Logger::FATAL)
+        dump.packers.size.should == 1
+        dump.packers.first.name.should =~ /UPX/
+      end
+    end
+  end
 end

data/spec/sections_spec.rb

@@ -0,0 +1,11 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+require 'yaml'
+
+['calc.exe', 'bad/data_dir_15_entries.exe'].each do |fname|
+  describe fname do
+    it "should match saved sections info" do
+      sample.sections.should == YAML::load_file(File.join(DATA_DIR,"#{File.basename(fname)}_sections.yml"))
+    end
+  end
+end

data/spec/sig_all_packers_spec.rb

@@ -3,12 +3,22 @@ require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump/packer')
 
 describe "PEdump::Packer" do
   describe "matchers" do
-    PEdump::SigParser.parse(:raw => true).each do |sig|
-      data = sig.re.join
-      next if data == "This program cannot be run in DOS mo"
-      it "should find #{sig.name}" do
-        PEdump::Packer.of(data).map(&:name).should include(sig.name)
+    if ENV['SLOW']
+      PEdump::SigParser.parse(:raw => true).each do |sig|
+        data = sig.re.join
+        next if data == "This program cannot be run in DOS mo"
+        it "should find #{sig.name}" do
+          a = PEdump::Packer.of(data).map(&:name)
+          a.size.should > 0
+
+          a = sig.name.split - a.join(' ').split - ['Exe','PE']
+          a.delete_if{ |x| x[/[vV\.\/()\[\]]/] }
+          p a if a.size > 1
+          a.size.should < 2
+        end
       end
+    else
+      pending "SLOW"
     end
   end
 end

data/spec/sig_spec.rb

@@ -31,6 +31,11 @@ describe "PEdump::Packer" do
         next unless row =~ /^\[(.*)=(.*)\]$/
         s = ''
         title,hexstring = $1,$2
+
+        # bad sigs
+        next if hexstring == '909090909090909090909090909090909090909090909090909090909090909090909090'
+        next if hexstring == 'E9::::0000000000000000'
+
         (hexstring.size/2).times do |i|
           c = hexstring[i*2,2]
           if c == '::'
@@ -52,7 +57,7 @@ describe "PEdump::Packer" do
 #            puts "\t= #{x}"
 #          end
         else
-          puts "[?] #{title}"
+          puts "[?] #{title}: #{hexstring}"
           n += 1
         end
       end

data/spec/spec_helper.rb

@@ -2,11 +2,23 @@ $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
 $LOAD_PATH.unshift(File.dirname(__FILE__))
 require 'rspec'
 require 'pedump'
+require 'fileutils'
 
-# Requires supporting files with custom matchers and macros, etc,
-# in ./support/ and its subdirectories.
+DATA_DIR = File.join(File.dirname(__FILE__), "data")
 Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each {|f| require f}
 
+def unarchive_samples fname
+  flag_fname = File.join(File.dirname(fname), ".#{File.basename(fname)}_unpacked")
+  # check if already unpacked
+  return if File.exist?(flag_fname)
+  system "7zr", "x", "-y", "-o#{SAMPLES_DIR}", fname
+  FileUtils.touch(flag_fname) if $?.success?
+end
+
 RSpec.configure do |config|
-  
+  config.before :suite do
+    Dir[File.join(SAMPLES_DIR,"*.7z")].each do |fname|
+      unarchive_samples fname
+    end
+  end
 end

data/spec/support/samples.rb

@@ -0,0 +1,24 @@
+SAMPLES_DIR = File.expand_path(File.dirname(__FILE__) + '/../../samples/')
+
+def sample
+  @pedump ||=
+    begin
+      fname =
+        if self.example
+          # called from it(...)
+          self.example.full_description.split.first
+        else
+          # called from before(:all)
+          self.class.metadata[:example_group][:description_args].first
+        end
+      fname = File.join(SAMPLES_DIR, fname)
+      File.open(fname,"rb") do |f|
+        if block_given?
+          yield PEdump.new(f)
+        else
+          PEdump.new(f).dump
+        end
+      end
+    end
+end
+

data/spec/unpackers/aspack_spec.rb

@@ -0,0 +1,69 @@
+root = File.expand_path(File.dirname(File.dirname(File.dirname(__FILE__))))
+require "#{root}/spec/spec_helper"
+require "#{root}/lib/pedump"
+require "#{root}/lib/pedump/unpacker/aspack"
+require "#{root}/lib/pedump/comparer"
+
+describe PEdump::Unpacker::ASPack do
+  Dir["#{root}/samples/*.asp[1-9]*.{exe}"].each do |pname|
+    orig_fname = pname.sub(/\.asp[^.]+/,'')
+
+    describe File.basename(orig_fname) + " vs " + File.basename(pname) do
+      before :all do
+        @ldr = PEdump::Loader.new(File.open(orig_fname,"rb"))
+      end
+
+      it "should have no differences" do
+        File.open(pname,"rb") do |f|
+          u = PEdump::Unpacker::ASPack.new(f)
+          File.open("#{root}/tmp/unpacked.tmp","w+") do |fo|
+            u.unpack.dump(fo)
+            fo.rewind
+            ldr = PEdump::Loader.new(fo)
+
+            comparer = PEdump::Comparer.new(@ldr, ldr)
+            comparer.ignored_data_dirs = [
+              PEdump::IMAGE_DATA_DIRECTORY::LOAD_CONFIG,
+              PEdump::IMAGE_DATA_DIRECTORY::Bound_IAT,
+              PEdump::IMAGE_DATA_DIRECTORY::Delay_IAT
+            ]
+            comparer.ignored_sections = [ '.rsrc', '.aspack' ]
+            comparer.diff.should == []
+          end
+        end
+      end
+    end
+  end
+
+  Dir["#{root}/samples/*.asp[1-9]*.{ocx}"].each do |pname|
+    orig_fname = pname.sub(/\.asp[^.]+/,'')
+
+    describe File.basename(orig_fname) + " vs " + File.basename(pname) do
+      before :all do
+        @ldr = PEdump::Loader.new(File.open(orig_fname,"rb"))
+      end
+
+      it "should have no differences" do
+        File.open(pname,"rb") do |f|
+          u = PEdump::Unpacker::ASPack.new(f)
+          File.open("#{root}/tmp/unpacked.tmp","w+") do |fo|
+            u.unpack.dump(fo)
+            fo.rewind
+            ldr = PEdump::Loader.new(fo)
+
+            comparer = PEdump::Comparer.new(@ldr, ldr)
+            comparer.ignored_data_dirs = [
+              PEdump::IMAGE_DATA_DIRECTORY::LOAD_CONFIG,
+              PEdump::IMAGE_DATA_DIRECTORY::Bound_IAT,
+              PEdump::IMAGE_DATA_DIRECTORY::Delay_IAT,
+              PEdump::IMAGE_DATA_DIRECTORY::BASERELOC, # 0x15496 vs 0x15494
+              PEdump::IMAGE_DATA_DIRECTORY::IAT
+            ]
+            comparer.ignored_sections = [ '.rsrc', '.aspack', '.cas' ]
+            comparer.diff.should == []
+          end
+        end
+      end
+    end
+  end
+end

data/spec/unpackers/find_spec.rb

@@ -0,0 +1,21 @@
+root = File.expand_path(File.dirname(File.dirname(File.dirname(__FILE__))))
+require "#{root}/spec/spec_helper"
+require "#{root}/lib/pedump/unpacker"
+
+describe PEdump::Unpacker do
+  it "finds UPX" do
+    PEdump::Unpacker.find("#{root}/samples/calc_upx.exe").should == PEdump::Unpacker::UPX
+  end
+
+  it "finds ARM UPX" do
+    PEdump::Unpacker.find("#{root}/samples/arm_upx.exe").should == PEdump::Unpacker::UPX
+  end
+
+  it "finds ASPack" do
+    PEdump::Unpacker.find("#{root}/samples/calc.asp212.exe").should == PEdump::Unpacker::ASPack
+  end
+
+  it "finds nothing" do
+    PEdump::Unpacker.find("#{root}/samples/calc.exe").should be_nil
+  end
+end

data/spec/virtsectblXP_spec.rb

@@ -0,0 +1,12 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+
+describe 'corkami/virtsectblXP.exe' do
+  it "should have 2 imports" do
+    sample.imports.size.should == 2
+    sample.imports.map(&:module_name).should == %w'kernel32.dll msvcrt.dll'
+    sample.imports.map do |iid|
+      (iid.original_first_thunk + iid.first_thunk).uniq.map(&:name)
+    end.flatten.should == ["ExitProcess", "printf"]
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pedump
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-12-17 00:00:00.000000000 Z
+date: 2013-04-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multipart-post
-  requirement: &70304131999160 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -21,65 +21,127 @@ dependencies:
         version: 1.1.4
   type: :runtime
   prerelease: false
-  version_requirements: *70304131999160
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.1.4
 - !ruby/object:Gem::Dependency
   name: progressbar
-  requirement: &70304131998620 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ~>
+    - - ! '>='
       - !ruby/object:Gem::Version
-        version: 0.9.2
+        version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *70304131998620
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: awesome_print
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: iostruct
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.0.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.0.4
+- !ruby/object:Gem::Dependency
+  name: zhexdump
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.0.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.0.2
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &70304131998140 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ~>
+    - - ! '>='
       - !ruby/object:Gem::Version
-        version: 2.3.0
+        version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70304131998140
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: &70304131997660 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ~>
+    - - ! '>='
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70304131997660
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: jeweler
-  requirement: &70304131997180 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ~>
+    - - ! '>='
       - !ruby/object:Gem::Version
-        version: 1.6.4
+        version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70304131997180
-- !ruby/object:Gem::Dependency
-  name: rcov
-  requirement: &70304131996680 !ruby/object:Gem::Requirement
+  version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: *70304131996680
 - !ruby/object:Gem::Dependency
-  name: awesome_print
-  requirement: &70304131996200 !ruby/object:Gem::Requirement
+  name: what_methods
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -87,7 +149,12 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70304131996200
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: dump headers, sections, extract resources of win32 PE exe,dll,etc
 email: zed.0xff@gmail.com
 executables:
@@ -96,36 +163,80 @@ extensions: []
 extra_rdoc_files:
 - LICENSE.txt
 - README.md
-- README.md.tpl
 files:
 - .document
 - .rspec
+- .travis.yml
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
 - README.md
-- README.md.tpl
 - Rakefile
 - VERSION
 - bin/pedump
 - data/fs.txt
+- data/jc-userdb.txt
 - data/sig.bin
 - data/signatures.txt
 - data/userdb.txt
 - lib/pedump.rb
 - lib/pedump/cli.rb
+- lib/pedump/comparer.rb
+- lib/pedump/composite_io.rb
+- lib/pedump/core.rb
+- lib/pedump/core_ext/try.rb
+- lib/pedump/loader.rb
+- lib/pedump/loader/minidump.rb
+- lib/pedump/loader/section.rb
+- lib/pedump/logger.rb
+- lib/pedump/ne.rb
+- lib/pedump/ne/version_info.rb
 - lib/pedump/packer.rb
+- lib/pedump/pe.rb
+- lib/pedump/resources.rb
+- lib/pedump/security.rb
 - lib/pedump/sig_parser.rb
+- lib/pedump/tls.rb
+- lib/pedump/unpacker.rb
+- lib/pedump/unpacker/aspack.rb
+- lib/pedump/unpacker/upx.rb
 - lib/pedump/version.rb
 - lib/pedump/version_info.rb
+- misc/aspack/Makefile
+- misc/aspack/aspack_unlzx.c
+- misc/aspack/lzxdec.c
+- misc/aspack/lzxdec.h
+- misc/nedump.c
 - pedump.gemspec
-- samples/calc.7z
-- samples/zlib.dll
+- samples/bad/68.exe
+- samples/bad/data_dir_15_entries.exe
+- spec/65535sects_spec.rb
+- spec/bad_imports_spec.rb
+- spec/bad_samples_spec.rb
+- spec/composite_io_spec.rb
+- spec/data/calc.exe_sections.yml
+- spec/data/data_dir_15_entries.exe_sections.yml
+- spec/dllord_spec.rb
+- spec/foldedhdr_spec.rb
+- spec/imports_badterm_spec.rb
+- spec/imports_vterm_spec.rb
+- spec/loader/names_spec.rb
+- spec/loader/va_spec.rb
+- spec/manyimportsW7_spec.rb
+- spec/ne_spec.rb
+- spec/packer_spec.rb
+- spec/pe_spec.rb
 - spec/pedump_spec.rb
 - spec/resource_spec.rb
+- spec/sections_spec.rb
 - spec/sig_all_packers_spec.rb
 - spec/sig_spec.rb
 - spec/spec_helper.rb
+- spec/support/samples.rb
+- spec/unpackers/aspack_spec.rb
+- spec/unpackers/find_spec.rb
+- spec/virtsectblXP_spec.rb
+- tmp/.keep
 homepage: http://github.com/zed-0xff/pedump
 licenses:
 - MIT
@@ -141,7 +252,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 2685694954412936403
+      hash: -1369606751108388991
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -150,7 +261,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.10
+rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
 summary: dump win32 PE executable files with a pure ruby