pedump 0.4.0 → 0.5.0

data/lib/pedump.rb

@@ -1,115 +1,47 @@
 #!/usr/bin/env ruby
-require 'logger'
-require 'pedump/version'
+require 'stringio'
+require 'iostruct'
+require 'zhexdump'
+
+unless Object.new.respond_to?(:try) && nil.respond_to?(:try)
+  require 'pedump/core_ext/try'
+end
+
+require 'pedump/core'
+require 'pedump/pe'
+require 'pedump/resources'
+require 'pedump/version_info'
+require 'pedump/tls'
+require 'pedump/security'
+require 'pedump/packer'
+require 'pedump/ne'
+require 'pedump/ne/version_info'
 
 # pedump.rb by zed_0xff
 #
 #   http://zed.0xff.me
 #   http://github.com/zed-0xff
 
-class String
-  def xor x
-    if x.is_a?(String)
-      r = ''
-      j = 0
-      0.upto(self.size-1) do |i|
-        r << (self[i].ord^x[j].ord).chr
-        j+=1
-        j=0 if j>= x.size
-      end
-      r
-    else
-      r = ''
-      0.upto(self.size-1) do |i|
-        r << (self[i].ord^x).chr
-      end
-      r
-    end
-  end
-end
-
-class File
-  def checked_seek newpos
-    @file_range ||= (0..size)
-    @file_range.include?(newpos) && (seek(newpos) || true)
-  end
-end
-
 class PEdump
-  attr_accessor :fname, :logger, :force
+  attr_accessor :fname, :logger, :force, :io
 
-  VERSION = Version::STRING
+  VERSION    = Version::STRING
+  MAX_ERRORS = 100
 
   @@logger = nil
 
-  def initialize fname, params = {}
-    @fname = fname
-    @force = params[:force]
-    @logger = @@logger = params[:logger] || PEdump::Logger.new(STDERR)
-  end
-
-  class Logger < ::Logger
-    def initialize *args
-      super
-      @formatter = proc do |severity,_,_,msg|
-        # quick and dirty way to remove duplicate messages
-        if @prevmsg == msg && severity != 'DEBUG' && severity != 'INFO'
-          ''
-        else
-          @prevmsg = msg
-          "#{msg}\n"
-        end
-      end
-      @level = Logger::WARN
-    end
-  end
-
-  module Readable
-    def read file, size = nil
-      size ||= const_get 'SIZE'
-      data = file.read(size).to_s
-      if data.size < size && PEdump.logger
-        PEdump.logger.error "[!] #{self.to_s} want #{size} bytes, got #{data.size}"
-      end
-      new(*data.unpack(const_get('FORMAT')))
-    end
-  end
-
-  class << self
-    def logger;    @@logger;   end
-    def logger= l; @@logger=l; end
-
-    def create_struct fmt, *args
-      size = fmt.scan(/([a-z])(\d*)/i).map do |f,len|
-        [len.to_i, 1].max *
-          case f
-          when /[aAC]/ then 1
-          when 'v' then 2
-          when 'V' then 4
-          when 'Q' then 8
-          else raise "unknown fmt #{f.inspect}"
-          end
-      end.inject(&:+)
-
-      Struct.new( *args ).tap do |x|
-        x.const_set 'FORMAT', fmt
-        x.const_set 'SIZE',  size
-        x.class_eval do
-          def pack
-            to_a.pack self.class.const_get('FORMAT')
-          end
-          def empty?
-            to_a.all?{ |t| t == 0 || t.nil? || t.to_s.tr("\x00","").empty? }
-          end
-        end
-        x.extend Readable
-      end
+  def initialize io = nil, params = {}
+    if io.is_a?(Hash)
+      @io, params = nil, io
+    else
+      @io = io
     end
+    @force = params[:force]
+    @logger = @@logger = Logger.create(params)
   end
 
-
   # http://www.delorie.com/djgpp/doc/exe/
-  MZ = create_struct( "a2v13Qv2V6",
+  MZ = IOStruct.new( "a2v13Qv2V6",
     :signature,
     :bytes_in_last_block,
     :blocks_in_file,
@@ -135,24 +67,8 @@ class PEdump
     :lfanew
   )
 
-  class PE < Struct.new(
-    :signature,            # "PE\x00\x00"
-    :image_file_header,
-    :image_optional_header,
-    :section_table
-  )
-    alias :ifh :image_file_header
-    alias :ioh :image_optional_header
-    def x64?
-      ifh && ifh.Machine == 0x8664
-    end
-    def dll?
-      ifh && ifh.flags.include?('DLL')
-    end
-  end
-
   # http://msdn.microsoft.com/en-us/library/ms809762.aspx
-  class IMAGE_FILE_HEADER < create_struct( 'v2V3v2',
+  class IMAGE_FILE_HEADER < IOStruct.new( 'v2V3v2',
     :Machine,              # w
     :NumberOfSections,     # w
     :TimeDateStamp,        # dw
@@ -183,10 +99,10 @@ class PEdump
       0x8000 => 'BYTES_REVERSED_HI'         # The bytes of the word are reversed. This flag is obsolete.
     }
 
-    def initialize *args
-      super
-      self.TimeDateStamp = Time.at(self.TimeDateStamp)
-    end
+#    def initialize *args
+#      super
+#      self.TimeDateStamp = Time.at(self.TimeDateStamp).utc
+#    end
     def flags
       FLAGS.find_all{ |k,v| (self.Characteristics & k) != 0 }.map(&:last)
     end
@@ -226,6 +142,7 @@ class PEdump
         cFORMAT = self.const_get 'FORMAT'
         size ||= cSIZE
         PEdump.logger.warn "[?] unusual size of IMAGE_OPTIONAL_HEADER = #{size} (must be #{usual_size})" if size != usual_size
+        PEdump.logger.warn "[?] #{size-usual_size} spare bytes after IMAGE_OPTIONAL_HEADER" if size > usual_size
         new(*file.read([size,cSIZE].min).to_s.unpack(cFORMAT)).tap do |ioh|
           ioh.DataDirectory = []
 
@@ -240,6 +157,9 @@ class PEdump
             ioh.DataDirectory.last.type = IMAGE_DATA_DIRECTORY::TYPES[idx]
           end
           #ioh.DataDirectory.pop while ioh.DataDirectory.last.empty?
+
+          # skip spare bytes, if any. XXX may contain suspicious data
+          file.seek(size-usual_size, IO::SEEK_CUR) if size > usual_size
         end
       end
     end
@@ -251,7 +171,7 @@ class PEdump
   end
 
   # http://msdn.microsoft.com/en-us/library/ms809762.aspx
-  class IMAGE_OPTIONAL_HEADER32 < create_struct( 'vC2V9v6V4v2V6',
+  class IMAGE_OPTIONAL_HEADER32 < IOStruct.new( 'vC2V9v6V4v2V6',
     :Magic, # w
     :MajorLinkerVersion, :MinorLinkerVersion, # 2b
     :SizeOfCode, :SizeOfInitializedData, :SizeOfUninitializedData, :AddressOfEntryPoint, # 9dw
@@ -269,7 +189,7 @@ class PEdump
   end
 
   # http://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=VS.85).aspx)
-  class IMAGE_OPTIONAL_HEADER64 < create_struct( 'vC2V5QV2v6V4v2Q4V2',
+  class IMAGE_OPTIONAL_HEADER64 < IOStruct.new( 'vC2V5QV2v6V4v2Q4V2',
     :Magic, # w
     :MajorLinkerVersion, :MinorLinkerVersion, # 2b
     :SizeOfCode, :SizeOfInitializedData, :SizeOfUninitializedData, :AddressOfEntryPoint, :BaseOfCode, # 5dw
@@ -287,7 +207,7 @@ class PEdump
     include IMAGE_OPTIONAL_HEADER
   end
 
-  IMAGE_DATA_DIRECTORY = create_struct( "VV", :va, :size, :type )
+  IMAGE_DATA_DIRECTORY = IOStruct.new( "VV", :va, :size, :type )
   IMAGE_DATA_DIRECTORY::TYPES =
     %w'EXPORT IMPORT RESOURCE EXCEPTION SECURITY BASERELOC DEBUG ARCHITECTURE GLOBALPTR TLS LOAD_CONFIG
     Bound_IAT IAT Delay_IAT CLR_Header'
@@ -295,7 +215,7 @@ class PEdump
     IMAGE_DATA_DIRECTORY.const_set(type,idx)
   end
 
-  IMAGE_SECTION_HEADER = create_struct( 'A8V6v2V',
+  IMAGE_SECTION_HEADER = IOStruct.new( 'A8V6v2V',
     :Name, # A8 6dw
     :VirtualSize, :VirtualAddress, :SizeOfRawData, :PointerToRawData, :PointerToRelocations, :PointerToLinenumbers,
     :NumberOfRelocations, :NumberOfLinenumbers, # 2w
@@ -303,6 +223,7 @@ class PEdump
   )
   class IMAGE_SECTION_HEADER
     alias :flags :Characteristics
+    alias :va    :VirtualAddress
     def flags_desc
       r = ''
       f = self.flags.to_i
@@ -321,6 +242,10 @@ class PEdump
       r << ' SHARED'      if f & 0x10000000 > 0
       r
     end
+
+    def pack
+      to_a.pack FORMAT.tr('A','a') # pad names with NULL bytes on pack()
+    end
   end
 
   # http://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=VS.85).aspx
@@ -377,11 +302,19 @@ class PEdump
     @logger = @@logger = l
   end
 
-  def self.dump fname
-    new(fname).dump
+  def self.dump fname, params = {}
+    new(fname, params).dump
+  end
+
+  def self.quiet
+    oldlevel = @@logger.level
+    @@logger.level = ::Logger::FATAL
+    yield
+  ensure
+    @@logger.level = oldlevel
   end
 
-  def mz f=nil
+  def mz f=@io
     @mz ||= f && MZ.read(f).tap do |mz|
       if mz.signature != 'MZ' && mz.signature != 'ZM'
         if @force
@@ -394,13 +327,13 @@ class PEdump
     end
   end
 
-  def dos_stub f=nil
+  def dos_stub f=@io
     @dos_stub ||=
       begin
         return nil unless mz = mz(f)
         dos_stub_offset = mz.header_paragraphs.to_i * 0x10
         dos_stub_size   = mz.lfanew.to_i - dos_stub_offset
-        if dos_stub_offset <= 0
+        if dos_stub_offset < 0
           logger.warn "[?] invalid DOS stub offset #{dos_stub_offset}"
           nil
         elsif f && dos_stub_offset > f.size
@@ -416,6 +349,7 @@ class PEdump
           # no open file, it's ok
           nil
         else
+          return nil if dos_stub_size == MZ::SIZE && dos_stub_offset == 0
           if dos_stub_size > 0x1000
             logger.warn "[?] DOS stub size too big (#{dos_stub_size}), limiting to 0x1000"
             dos_stub_size = 0x1000
@@ -433,94 +367,102 @@ class PEdump
       end
   end
 
-  def rich_hdr f=nil
+  def rich_hdr f=@io
     dos_stub(f) && @rich_hdr
   end
   alias :rich_header :rich_hdr
   alias :rich        :rich_hdr
 
-  def pe f=nil
-    @pe ||=
-      begin
-        pe_offset = mz(f) && mz(f).lfanew
-        if pe_offset.nil?
-          logger.fatal "[!] NULL PE offset (e_lfanew). cannot continue."
-          nil
-        elsif pe_offset > f.size
-          logger.fatal "[!] PE offset beyond EOF. cannot continue."
-          nil
-        else
-          f.seek pe_offset
-          pe_sig = f.read 4
-          logger.error "[!] 'NE' format is not supported!" if pe_sig == "NE\x00\x00"
-          if pe_sig != "PE\x00\x00"
-            if @force
-              logger.warn  "[?] no PE signature (want: 'PE\\x00\\x00', got: #{pe_sig.inspect})"
-            else
-              logger.error "[?] no PE signature (want: 'PE\\x00\\x00', got: #{pe_sig.inspect}). (not forced)"
-              return nil
-            end
-          end
-          PE.new(pe_sig).tap do |pe|
-            pe.image_file_header = IMAGE_FILE_HEADER.read(f)
-            if pe.ifh.SizeOfOptionalHeader > 0
-              if pe.x64?
-                pe.image_optional_header = IMAGE_OPTIONAL_HEADER64.read(f, pe.ifh.SizeOfOptionalHeader)
-              else
-                pe.image_optional_header = IMAGE_OPTIONAL_HEADER32.read(f, pe.ifh.SizeOfOptionalHeader)
-              end
-            end
+  def va2file va, h={}
+    return nil if va.nil?
 
-            if (nToRead=pe.ifh.NumberOfSections) > 32
-              if @force.is_a?(Numeric) && @force > 1
-                logger.warn "[!] too many sections (#{pe.ifh.NumberOfSections}). forced. reading all"
-              else
-                logger.warn "[!] too many sections (#{pe.ifh.NumberOfSections}). not forced, reading first 32"
-                nToRead = 32
-              end
-            end
-            pe.section_table = nToRead.times.map do
-              IMAGE_SECTION_HEADER.read(f)
-            end
-          end
-        end
+    sections.each do |s|
+      if (s.VirtualAddress...(s.VirtualAddress+s.VirtualSize)).include?(va)
+        offset = va - s.VirtualAddress
+        return (s.PointerToRawData + offset) if offset < s.SizeOfRawData
       end
-  end
+    end
+
+    # not found with regular search. assume any of VirtualSize was 0, and try with RawSize
+    sections.each do |s|
+      if (s.VirtualAddress...(s.VirtualAddress+s.SizeOfRawData)).include?(va)
+        offset = va - s.VirtualAddress
+        return (s.PointerToRawData + offset) if offset < s.SizeOfRawData
+      end
+    end
+
+    # still not found, bad/zero VirtualSizes & RawSizes ?
 
-  def resource_directory f=nil
-    @resource_directory ||= _read_resource_directory_tree(f)
+    # a special case - PE without sections
+    return va if sections.empty?
+
+    # check if only one section
+    if sections.size == 1 || sections.all?{ |s| s.VirtualAddress.to_i == 0 }
+      s = sections.first
+      offset = va - s.VirtualAddress
+      return (s.PointerToRawData + offset) if offset < s.SizeOfRawData
+      #return va - s.VirtualAddress + s.PointerToRawData
+    end
+
+    # TODO: not all VirtualAdresses == 0 case
+
+    if h[:quiet]
+      logger.debug "[?] can't find file_offset of VA 0x#{va.to_i.to_s(16)} (quiet=true)"
+    else
+      logger.error "[?] can't find file_offset of VA 0x#{va.to_i.to_s(16)}"
+    end
+    nil
   end
 
   # OPTIONAL: assigns @mz, @rich_hdr, @pe, etc
-  def dump f=nil
-    f ? _dump_handle(f) : File.open(@fname,'rb'){ |f| _dump_handle(f) }
+  def dump f=@io
+    if f.is_a?(String)
+      File.open(f,'rb'){ |f| _dump_handle(f) }
+    elsif f.is_a?(::IO)
+      _dump_handle f
+    elsif @io
+      _dump_handle @io
+    end
     self
   end
 
   def _dump_handle h
-    rich_hdr(h)  # includes mz(h)
-    resources(h) # includes pe(h)
-    imports h
+    return unless pe(h) # also calls mz(h)
+    rich_hdr h
+    resources h
+    imports h   # also calls tls(h)
     exports h
-    packer  h
+    packer h
   end
 
-  def data_directory f=nil
+  def data_directory f=@io
     pe(f) && pe.ioh && pe.ioh.DataDirectory
   end
 
-  def sections f=nil
-    pe(f) && pe.section_table
+  def sections f=@io
+    if pe(f)
+      pe.section_table
+    elsif ne(f)
+      ne.segments
+    end
   end
   alias :section_table :sections
 
+  def ne?
+    @pe ? false : (@ne ? true : (pe ? false : (ne ? true : false)))
+  end
+
+  def pe?
+    @pe ? true  : (@ne ? false : (pe ? true : false ))
+  end
+
   ##############################################################################
   # imports
   ##############################################################################
 
   # http://sandsprite.com/CodeStuff/Understanding_imports.html
   # http://stackoverflow.com/questions/5631317/import-table-it-vs-import-address-table-iat
-  IMAGE_IMPORT_DESCRIPTOR = create_struct 'V5',
+  IMAGE_IMPORT_DESCRIPTOR = IOStruct.new 'V5',
     :OriginalFirstThunk,
     :TimeDateStamp,
     :ForwarderChain,
@@ -531,58 +473,134 @@ class PEdump
     :original_first_thunk,
     :first_thunk
 
-  ImportedFunction = Struct.new(:hint, :name, :ordinal)
+  class ImportedFunction < Struct.new(:hint, :name, :ordinal, :va, :module_name)
+#    def == x
+#      self.hint == x.hint && self.name == x.name && self.ordinal == x.ordinal
+#    end
+#    def <=> x
+#      self.to_a[0..-2] <=> x.to_a[0..-2]
+#    end
+
+    # magic to be able to easy merge :first_thunk & :original_first_thunk arrays
+    # (keeping va different)
+    def hash
+      [hint,name,ordinal,module_name].hash
+    end
+    def eql? x
+      self.hint == x.hint && self.name == x.name && self.ordinal == x.ordinal &&
+        self.module_name == x.module_name
+    end
+  end
 
-  def imports f=nil
+  def imports f=@io
+    if pe(f)
+      pe_imports(f)
+    elsif ne(f)
+      ne(f).imports
+    end
+  end
+
+  def pe_imports f=@io
     return @imports if @imports
     return nil unless pe(f) && pe(f).ioh && f
     dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::IMPORT]
     return [] if !dir || (dir.va == 0 && dir.size == 0)
-    va = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::IMPORT].va
-    file_offset = va2file(va)
+    file_offset = va2file(dir.va)
     return nil unless file_offset
-    f.seek file_offset
-    r = []
-    until (t=IMAGE_IMPORT_DESCRIPTOR.read(f)).empty?
-      r << t
+
+    # scan TLS first, to catch many fake imports trick from
+    # http://code.google.com/p/corkami/source/browse/trunk/asm/PE/manyimportsW7.asm
+    tls_aoi = nil
+    if (tls = tls(f)) && tls.any?
+      tls_aoi = tls.first.AddressOfIndex.to_i - @pe.ioh.ImageBase.to_i
+      tls_aoi = tls_aoi > 0 ? va2file(tls_aoi) : nil
+    end
+
+    r = []; t = nil
+    if f.checked_seek(file_offset)
+      while true
+        if tls_aoi && tls_aoi == file_offset+16
+          # catched the neat trick! :)
+          # f.tell + 12  =  offset of 'FirstThunk' field from start of IMAGE_IMPORT_DESCRIPTOR structure
+          logger.warn "[!] catched the 'imports terminator in TLS trick'"
+          # http://code.google.com/p/corkami/source/browse/trunk/asm/PE/manyimportsW7.asm
+          break
+        end
+        t=IMAGE_IMPORT_DESCRIPTOR.read(f)
+        break if t.Name.to_i == 0 # also catches EOF
+        r << t
+        file_offset += IMAGE_IMPORT_DESCRIPTOR::SIZE
+      end
+    else
+      logger.warn "[?] imports info beyond EOF"
     end
+
+    logger.warn "[?] non-empty last IMAGE_IMPORT_DESCRIPTOR: #{t.inspect}" if t && !t.empty?
     @imports = r.each do |x|
-      if x.Name.to_i != 0 && (va = va2file(x.Name))
-        f.seek va
-        x.module_name = f.gets("\x00").chop
+      if x.Name.to_i != 0 && (ofs = va2file(x.Name))
+        begin
+        f.seek ofs
+        rescue
+          logger.warn "[?] cannot seek to #{ofs} (VA=0x#{x.Name.to_i.to_s(16)} for reading imports, skipped"
+          next
+        end
+        x.module_name = f.gets("\x00").to_s.chomp("\x00")
       end
       [:original_first_thunk, :first_thunk].each do |tbl|
         camel = tbl.capitalize.to_s.gsub(/_./){ |char| char[1..-1].upcase}
-        if x[camel].to_i != 0 && (va = va2file(x[camel]))
-          f.seek va
+        if x[camel].to_i != 0 && (ofs = va2file(x[camel])) && f.checked_seek(ofs)
           x[tbl] ||= []
           if pe.x64?
-            x[tbl] << t while (t = f.read(8).unpack('Q').first) != 0
+            x[tbl] << t while (t = f.read(8).to_s.unpack('Q').first).to_i != 0
           else
-            x[tbl] << t while (t = f.read(4).unpack('V').first) != 0
+            x[tbl] << t while (t = f.read(4).to_s.unpack('V').first).to_i != 0
           end
         end
         cache = {}
         bits = pe.x64? ? 64 : 32
+        mask = 2**(bits-1)
+        idx = -1
         x[tbl] && x[tbl].map! do |t|
+          idx += 1
+          va = x[camel].to_i + idx*4
           cache[t] ||=
-            if t & (2**(bits-1)) > 0                            # 0x8000_0000(_0000_0000)
-              ImportedFunction.new(nil,nil,t & (2**(bits-1)-1)) # 0x7fff_ffff(_ffff_ffff)
-            elsif va=va2file(t)
-              f.seek va
-              ImportedFunction.new(f.read(2).unpack('v').first, f.gets("\x00").chop)
-            else
+            if t & mask > 0                                 # 0x8000_0000(_0000_0000)
+              ImportedFunction.new(nil,nil,t & (mask-1),va) # 0x7fff_ffff(_ffff_ffff)
+            elsif ofs=va2file(t, :quiet => true)
+              if !f.checked_seek(ofs) || f.eof?
+                logger.warn "[?] import ofs 0x#{ofs.to_s(16)} VA=0x#{t.to_s(16)} beyond EOF"
+                nil
+              else
+                ImportedFunction.new(
+                  f.read(2).unpack('v').first,
+                  f.gets("\x00").chomp("\x00"),
+                  nil,
+                  va
+                )
+              end
+            elsif tbl == :original_first_thunk
+              # OriginalFirstThunk entries can not be invalid, show a warning msg
+              logger.warn "[?] invalid VA 0x#{t.to_s(16)} in #{camel}[#{idx}] for #{x.module_name}"
+              nil
+            elsif tbl == :first_thunk
+              # FirstThunk entries can be invalid, so `info` msg only
+              logger.info "[?] invalid VA 0x#{t.to_s(16)} in #{camel}[#{idx}] for #{x.module_name}"
               nil
+            else
+              raise "You are not supposed to be here! O_o"
             end
         end
         x[tbl] && x[tbl].compact!
       end
       if x.original_first_thunk && !x.first_thunk
-        logger.warn "[?] import table: empty FirstThunk of #{x.module_name}"
+        logger.warn "[?] import table: empty FirstThunk for #{x.module_name}"
       elsif !x.original_first_thunk && x.first_thunk
-        logger.warn "[?] import table: empty OriginalFirstThunk of #{x.module_name}"
-      elsif x.original_first_thunk != x.first_thunk
-        logger.warn "[?] import table: OriginalFirstThunk != FirstThunk of #{x.module_name}"
+        logger.info "[?] import table: empty OriginalFirstThunk for #{x.module_name}"
+      elsif logger.debug?
+        # compare all but VAs
+        if x.original_first_thunk != x.first_thunk
+          logger.debug "[?] import table: OriginalFirstThunk != FirstThunk for #{x.module_name}"
+        end
       end
     end
   end
@@ -592,464 +610,187 @@ class PEdump
   ##############################################################################
 
   #http://msdn.microsoft.com/en-us/library/ms809762.aspx
-  IMAGE_EXPORT_DIRECTORY = create_struct 'V2v2V7',
+  IMAGE_EXPORT_DIRECTORY = IOStruct.new 'V2v2V7',
     :Characteristics,
     :TimeDateStamp,
     :MajorVersion,          # These fields appear to be unused and are set to 0.
     :MinorVersion,          # These fields appear to be unused and are set to 0.
     :Name,
     :Base,                  # The starting ordinal number for exported functions
-    :NumberOfFunctions,
+    :NumberOfFunctions,     # UNSIGNED!, perfectly valid when = 0xffff_ffff, see corkami/dllord.dll
     :NumberOfNames,
     :AddressOfFunctions,
     :AddressOfNames,
     :AddressOfNameOrdinals,
     # manual:
-    :name, :entry_points, :names, :name_ordinals
+    :name, :entry_points, :names, :name_ordinals, :functions,
+    :description # NE only
 
-  def exports f=nil
+  ExportedFunction = Struct.new :name, :ord, :va, :file_offset
+
+  def exports f=@io
+    if pe(f)
+      pe_exports(f)
+    elsif ne(f)
+      ne(f).exports
+    end
+  end
+
+  def pe_exports f=@io
     return @exports if @exports
     return nil unless pe(f) && pe(f).ioh && f
     dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::EXPORT]
-    return [] if !dir || (dir.va == 0 && dir.size == 0)
+    return nil if !dir || (dir.va == 0 && dir.size == 0)
     va = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::EXPORT].va
     file_offset = va2file(va)
     return nil unless file_offset
-    f.seek file_offset
+    if !f.checked_seek(file_offset) || f.eof?
+      logger.warn "[?] exports info beyond EOF"
+      return nil
+    end
     @exports = IMAGE_EXPORT_DIRECTORY.read(f).tap do |x|
       x.entry_points = []
       x.name_ordinals = []
       x.names = []
-      if x.Name.to_i != 0 && (va = va2file(x.Name))
-        f.seek va
-        x.name = f.gets("\x00").chop
-      end
-      if x.NumberOfFunctions.to_i != 0
-        if x.AddressOfFunctions.to_i !=0 && (va = va2file(x.AddressOfFunctions))
-          f.seek va
-          x.entry_points = f.read(x.NumberOfFunctions*4).unpack('V*')
-        end
-        if x.AddressOfNameOrdinals.to_i !=0 && (va = va2file(x.AddressOfNameOrdinals))
-          f.seek va
-          x.name_ordinals = f.read(x.NumberOfNames*2).unpack('v*').map{ |o| o+x.Base }
-        end
-      end
-      if x.NumberOfNames.to_i != 0 && x.AddressOfNames.to_i !=0 && (va = va2file(x.AddressOfNames))
-        f.seek va
-        x.names = f.read(x.NumberOfNames*4).unpack('V*').map do |va|
-          f.seek va2file(va)
-          f.gets("\x00").chop
+      if x.Name.to_i != 0 && (ofs = va2file(x.Name))
+        f.seek ofs
+        if f.eof?
+          logger.warn "[?] export ofs 0x#{ofs.to_s(16)} beyond EOF"
+          nil
+        else
+          x.name = f.gets("\x00").chomp("\x00")
         end
       end
-    end
-  end
-
-  ##############################################################################
-  # resources
-  ##############################################################################
-
-  IMAGE_RESOURCE_DIRECTORY = create_struct 'V2v4',
-    :Characteristics, :TimeDateStamp, # 2dw
-    :MajorVersion, :MinorVersion, :NumberOfNamedEntries, :NumberOfIdEntries, # 4w
-    :entries # manual
-  class IMAGE_RESOURCE_DIRECTORY
-    class << self
-      attr_accessor :base
-      alias :read_without_children :read
-      def read f, root=true
-        if root
-          @@loopchk1 = Hash.new(0)
-          @@loopchk2 = Hash.new(0)
-          @@loopchk3 = Hash.new(0)
-        elsif (@@loopchk1[f.tell] += 1) > 1
-          PEdump.logger.error "[!] #{self}: loop1 detected at file pos #{f.tell}" if @@loopchk1[f.tell] < 2
-          return nil
-        end
-        read_without_children(f).tap do |r|
-          nToRead = r.NumberOfNamedEntries.to_i + r.NumberOfIdEntries.to_i
-          r.entries = []
-          nToRead.times do |i|
+      if x.NumberOfFunctions.to_i > 0
+        if x.AddressOfFunctions.to_i !=0 && (ofs = va2file(x.AddressOfFunctions))
+          f.seek ofs
+          x.entry_points = []
+          x.NumberOfFunctions.times do
             if f.eof?
-              PEdump.logger.error "[!] #{self}: #{nToRead} entries in directory, but got EOF on #{i}-th."
+              logger.warn "[?] got EOF while reading exports entry_points"
               break
             end
-            if (@@loopchk2[f.tell] += 1) > 1
-              PEdump.logger.error "[!] #{self}: loop2 detected at file pos #{f.tell}" if @@loopchk2[f.tell] < 2
-              next
-            end
-            r.entries << IMAGE_RESOURCE_DIRECTORY_ENTRY.read(f)
+            x.entry_points << f.read(4).unpack('V').first
           end
-          #r.entries.uniq!
-          r.entries.each do |entry|
-            entry.name =
-              if entry.Name.to_i & 0x8000_0000 > 0
-                # Name is an address of unicode string
-                f.seek base + entry.Name & 0x7fff_ffff
-                nChars = f.read(2).to_s.unpack("v").first.to_i
-                begin
-                  f.read(nChars*2).force_encoding('UTF-16LE').encode!('UTF-8')
-                rescue
-                  PEdump.logger.error "[!] #{self} failed to read entry name: #{$!}"
-                  "???"
-                end
-              else
-                # Name is a numeric id
-                "##{entry.Name}"
-              end
-            if entry.OffsetToData && f.checked_seek(base + entry.OffsetToData & 0x7fff_ffff)
-              if (@@loopchk3[f.tell] += 1) > 1
-                PEdump.logger.error "[!] #{self}: loop3 detected at file pos #{f.tell}" if @@loopchk3[f.tell] < 2
-                next
-              end
-              entry.data =
-                if entry.OffsetToData & 0x8000_0000 > 0
-                  # child is a directory
-                  IMAGE_RESOURCE_DIRECTORY.read(f,false)
-                else
-                  # child is a resource
-                  IMAGE_RESOURCE_DATA_ENTRY.read(f)
-                end
+        end
+        if x.AddressOfNameOrdinals.to_i !=0 && (ofs = va2file(x.AddressOfNameOrdinals))
+          f.seek ofs
+          x.name_ordinals = []
+          x.NumberOfNames.times do
+            if f.eof?
+              logger.warn "[?] got EOF while reading exports name_ordinals"
+              break
             end
+            x.name_ordinals << f.read(2).unpack('v').first + x.Base
           end
-          @@loopchk1 = @@loopchk2 = @@loopchk3 = nil if root # save some memory
         end
       end
-    end
-  end
-
-  IMAGE_RESOURCE_DIRECTORY_ENTRY = create_struct 'V2',
-    :Name, :OffsetToData,
-    :name, :data
-
-  IMAGE_RESOURCE_DATA_ENTRY = create_struct 'V4',
-    :OffsetToData, :Size, :CodePage, :Reserved
-
-  def va2file va
-    sections.each do |s|
-      if (s.VirtualAddress...(s.VirtualAddress+s.VirtualSize)).include?(va)
-        return va - s.VirtualAddress + s.PointerToRawData
-      end
-    end
-    # not found with regular search. assume any of VirtualSize was 0, and try with RawSize
-    sections.each do |s|
-      if (s.VirtualAddress...(s.VirtualAddress+s.SizeOfRawData)).include?(va)
-        return va - s.VirtualAddress + s.PointerToRawData
-      end
-    end
-    logger.error "[?] can't find file_offset of VA 0x#{va.to_i.to_s(16)}"
-    nil
-  end
-
-  def _read_resource_directory_tree f
-    return nil unless pe(f) && pe(f).ioh && f
-    res_dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::RESOURCE]
-    return [] if !res_dir || (res_dir.va == 0 && res_dir.size == 0)
-    res_va = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::RESOURCE].va
-    res_section = @pe.section_table.find{ |t| t.VirtualAddress == res_va }
-    unless res_section
-      logger.warn "[?] can't find resource section for va=0x#{res_va.to_s(16)}"
-      return []
-    end
-    f.seek res_section.PointerToRawData
-    IMAGE_RESOURCE_DIRECTORY.base = res_section.PointerToRawData
-    #@resource_data_base = res_section.PointerToRawData - res_section.VirtualAddress
-    IMAGE_RESOURCE_DIRECTORY.read(f)
-  end
-
-  class Resource < Struct.new(:type, :name, :id, :lang, :file_offset, :size, :cp, :reserved, :data, :valid)
-    def bitmap_hdr
-      bmp_info_hdr = data.find{ |x| x.is_a?(BITMAPINFOHEADER) }
-      raise "no BITMAPINFOHEADER for #{self.type} #{self.name}" unless bmp_info_hdr
-
-      bmp_info_hdr.biHeight/=2 if %w'ICON CURSOR'.include?(type)
-
-      colors_used = bmp_info_hdr.biClrUsed
-      colors_used = 2**bmp_info_hdr.biBitCount if colors_used == 0 && bmp_info_hdr.biBitCount < 16
-
-      # XXX: one byte in each color is unused!
-      @palette_size = colors_used * 4 # each color takes 4 bytes
-
-      # scanlines are DWORD-aligned and padded to DWORD-align with zeroes
-      # XXX: some data may be hidden in padding bytes!
-      scanline_size = bmp_info_hdr.biWidth * bmp_info_hdr.biBitCount / 8
-      scanline_size += (4-scanline_size%4) if scanline_size % 4 > 0
-
-      @imgdata_size = scanline_size * bmp_info_hdr.biHeight
-      "BM" + [
-        BITMAPINFOHEADER::SIZE + 14 + @palette_size + @imgdata_size,
-        0,
-        BITMAPINFOHEADER::SIZE + 14 + @palette_size
-      ].pack("V3") + bmp_info_hdr.pack
-    ensure
-      bmp_info_hdr.biHeight*=2 if %w'ICON CURSOR'.include?(type)
-    end
-
-    # only valid for types BITMAP, ICON & CURSOR
-    def restore_bitmap src_fname
-      File.open(src_fname, "rb") do |f|
-        parse f
-        if data.first == "PNG"
-          "\x89PNG" +f.read(self.size-4)
-        else
-          bitmap_hdr + f.read(@palette_size + @imgdata_size)
-        end
-      end
-    end
-
-    def bitmap_mask src_fname
-      File.open(src_fname, "rb") do |f|
-        parse f
-        bmp_info_hdr = bitmap_hdr
-        bitmap_size = BITMAPINFOHEADER::SIZE + @palette_size + @imgdata_size
-        return nil if bitmap_size >= self.size
-
-        mask_size = self.size - bitmap_size
-        f.seek file_offset + bitmap_size
-
-        bmp_info_hdr = BITMAPINFOHEADER.new(*bmp_info_hdr[14..-1].unpack(BITMAPINFOHEADER::FORMAT))
-        bmp_info_hdr.biBitCount = 1
-        bmp_info_hdr.biCompression = bmp_info_hdr.biSizeImage = 0
-        bmp_info_hdr.biClrUsed = bmp_info_hdr.biClrImportant = 2
-
-        palette = [0,0xffffff].pack('V2')
-        @palette_size = palette.size
-
-        "BM" + [
-          BITMAPINFOHEADER::SIZE + 14 + @palette_size + mask_size,
-          0,
-          BITMAPINFOHEADER::SIZE + 14 + @palette_size
-        ].pack("V3") + bmp_info_hdr.pack + palette + f.read(mask_size)
-      end
-    end
-
-    # also sets the file position for restore_bitmap next call
-    def parse f
-      raise "called parse with type not set" unless self.type
-      #return if self.data
-
-      self.data = []
-      case type
-      when 'BITMAP','ICON'
-        f.seek file_offset
-        if f.read(4) == "\x89PNG"
-          data << 'PNG'
-        else
-          f.seek file_offset
-          data << BITMAPINFOHEADER.read(f)
-        end
-      when 'CURSOR'
-        f.seek file_offset
-        data << CURSOR_HOTSPOT.read(f)
-        data << BITMAPINFOHEADER.read(f)
-      when 'GROUP_CURSOR'
-        f.seek file_offset
-        data << CUR_ICO_HEADER.read(f)
-        nRead = CUR_ICO_HEADER::SIZE
-        data.last.wNumImages.to_i.times do
-          if nRead >= self.size
-            PEdump.logger.error "[!] refusing to read CURDIRENTRY beyond resource size"
+      if x.NumberOfNames.to_i > 0 && x.AddressOfNames.to_i !=0 && (ofs = va2file(x.AddressOfNames))
+        f.seek ofs
+        x.names = []
+        x.NumberOfNames.times do
+          if f.eof?
+            logger.warn "[?] got EOF while reading exports names"
             break
           end
-          data  << CURDIRENTRY.read(f)
-          nRead += CURDIRENTRY::SIZE
+          x.names << f.read(4).unpack('V').first
         end
-      when 'GROUP_ICON'
-        f.seek file_offset
-        data << CUR_ICO_HEADER.read(f)
-        nRead = CUR_ICO_HEADER::SIZE
-        data.last.wNumImages.to_i.times do
-          if nRead >= self.size
-            PEdump.logger.error "[!] refusing to read ICODIRENTRY beyond resource size"
-            break
-          end
-          data  << ICODIRENTRY.read(f)
-          nRead += ICODIRENTRY::SIZE
-        end
-      when 'STRING'
-        f.seek file_offset
-        16.times do
-          break if f.tell >= file_offset+self.size
-          nChars = f.read(2).to_s.unpack('v').first.to_i
-          t =
-            if nChars*2 + 1 > self.size
-              # TODO: if it's not 1st string in table then truncated size must be less
-              PEdump.logger.error "[!] string size(#{nChars*2}) > stringtable size(#{self.size}). truncated to #{self.size-2}"
-              f.read(self.size-2)
-            else
-              f.read(nChars*2)
-            end
-          data <<
-            begin
-              t.force_encoding('UTF-16LE').encode!('UTF-8')
-            rescue
-              t.force_encoding('ASCII')
-              tt = t.size > 0x10 ? t[0,0x10].inspect+'...' : t.inspect
-              PEdump.logger.error "[!] cannot convert #{tt} to UTF-16"
-              [nChars,t].pack('va*')
+        nErrors = 0
+        x.names.size.times do |i|
+          begin
+            f.seek va2file(x.names[i])
+            x.names[i] = f.gets("\x00").to_s.chomp("\x00")
+          rescue
+            nErrors += 1
+            if nErrors > MAX_ERRORS
+              logger.warn "[?] too many errors getting export names, stopped on #{i} of #{x.names.size}"
+              x.names = x.names[0,i]
+              break
             end
+            nil
+          end
         end
-        # XXX: check if readed strings summary length is less than resource data length
-      when 'VERSION'
-        require 'pedump/version_info'
-        f.seek file_offset
-        data << PEdump::VS_VERSIONINFO.read(f)
       end
 
-      data.delete_if do |x|
-        valid = !x.respond_to?(:valid?) || x.valid?
-        PEdump.logger.warn "[?] ignoring invalid #{x.class}" unless valid
-        !valid
+      ord2name = {}
+      if x.names && x.names.any?
+        n = x.NumberOfNames
+        if n > 2048
+          logger.warn "[?] NumberOfNames too big (#{x.NumberOfNames}), limiting to 2048"
+          n = 2048
+        end
+        n.times do |i|
+          ord2name[x.name_ordinals[i]] ||= []
+          ord2name[x.name_ordinals[i]] << x.names[i]
+        end
       end
-    ensure
-      validate
-    end
 
-    def validate
-      self.valid =
-        case type
-        when 'BITMAP','ICON','CURSOR'
-          data.any?{ |x| x.is_a?(BITMAPINFOHEADER) && x.valid? } || data.first == 'PNG'
-        else
-          true
-        end
+      x.functions = []
+      x.entry_points.each_with_index do |ep,i|
+        names = ord2name[i+x.Base]
+        names = names.join(', ') if names
+        next if ep.to_i == 0 && names.nil?
+        x.functions << ExportedFunction.new(names, i+x.Base, ep)
+      end
     end
   end
 
-  STRING = Struct.new(:id, :lang, :value)
+  ##############################################################################
+  # TLS
+  ##############################################################################
 
-  def strings f=nil
-    r = []
-    Array(resources(f)).find_all{ |x| x.type == 'STRING'}.each do |res|
-      res.data.each_with_index do |string,idx|
-        r << STRING.new( ((res.id-1)<<4) + idx, res.lang, string ) unless string.empty?
-      end
-    end
-    r
-  end
+  def tls f=@io
+    @tls ||= pe(f) && pe(f).ioh && f &&
+      begin
+        dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::TLS]
+        return nil if !dir || dir.va == 0
+        return nil unless file_offset = va2file(dir.va)
+        f.seek file_offset
+        if f.eof?
+          logger.info "[?] TLS info beyond EOF"
+          return nil
+        end
 
-  # see also http://www.informit.com/articles/article.aspx?p=1186882 about icons format
-
-  class BITMAPINFOHEADER < create_struct 'V3v2V6',
-    :biSize,          # BITMAPINFOHEADER::SIZE
-    :biWidth,
-    :biHeight,
-    :biPlanes,
-    :biBitCount,
-    :biCompression,
-    :biSizeImage,
-    :biXPelsPerMeter,
-    :biYPelsPerMeter,
-    :biClrUsed,
-    :biClrImportant
-
-    def valid?
-      self.biSize == 40
-    end
+        klass = @pe.x64? ? IMAGE_TLS_DIRECTORY64 : IMAGE_TLS_DIRECTORY32
+        nEntries = [1,dir.size / klass.const_get('SIZE')].max
+        r = []
+        nEntries.times do
+          break if f.eof? || !(entry = klass.read(f))
+          r << entry
+        end
+        r
+      end
   end
 
-  # http://www.devsource.com/c/a/Architecture/Resources-From-PE-I/2/
-  CUR_ICO_HEADER = create_struct('v3',
-    :wReserved, # always 0
-    :wResID,    # always 2
-    :wNumImages # Number of cursor images/directory entries
-  )
+  ##############################################################################
+  # resources
+  ##############################################################################
 
-  CURDIRENTRY = create_struct 'v4Vv',
-    :wWidth,
-    :wHeight, # Divide by 2 to get the actual height.
-    :wPlanes,
-    :wBitCount,
-    :dwBytesInImage,
-    :wID
-
-  CURSOR_HOTSPOT = create_struct 'v2', :x, :y
-
-  ICODIRENTRY = create_struct 'C4v2Vv',
-    :bWidth,
-    :bHeight,
-    :bColors,
-    :bReserved,
-    :wPlanes,
-    :wBitCount,
-    :dwBytesInImage,
-    :wID
-
-  ROOT_RES_NAMES = [nil] + # numeration is started from 1
-    %w'CURSOR BITMAP ICON MENU DIALOG STRING FONTDIR FONT ACCELERATORS RCDATA' +
-    %w'MESSAGETABLE GROUP_CURSOR' + [nil] + %w'GROUP_ICON' + [nil] +
-    %w'VERSION DLGINCLUDE' + [nil] + %w'PLUGPLAY VXD ANICURSOR ANIICON HTML MANIFEST'
-
-  def resources f=nil
-    @resources ||= _scan_resources(f)
+  def resources f=@io
+    @resources ||=
+      if pe(f)
+        _scan_pe_resources(f)
+      elsif ne(f)
+        ne(f).resources(f)
+      end
   end
 
-  def version_info f=nil
+  def version_info f=@io
     resources(f) && resources(f).find_all{ |res| res.type == 'VERSION' }.map(&:data).flatten
   end
 
-  def _scan_resources f=nil, dir=nil
-    dir ||= resource_directory(f)
-    return nil unless dir
-    dir.entries.map do |entry|
-      case entry.data
-        when IMAGE_RESOURCE_DIRECTORY
-          if dir == @resource_directory # root resource directory
-            entry_type =
-              if entry.Name & 0x8000_0000 == 0
-                # root resource directory & entry name is a number
-                ROOT_RES_NAMES[entry.Name] || entry.name
-              else
-                entry.name
-              end
-            _scan_resources(f,entry.data).each do |res|
-              res.type = entry_type
-              res.parse f
-            end
-          else
-            _scan_resources(f,entry.data).each do |res|
-              res.name = res.name == "##{res.lang}" ? entry.name : "#{entry.name} / #{res.name}"
-              res.id ||= entry.Name if entry.Name.is_a?(Numeric) && entry.Name < 0x8000_0000
-            end
-          end
-        when IMAGE_RESOURCE_DATA_ENTRY
-          Resource.new(
-            nil,          # type
-            entry.name,
-            nil,          # id
-            entry.Name,   # lang
-            #entry.data.OffsetToData + @resource_data_base,
-            va2file(entry.data.OffsetToData),
-            entry.data.Size,
-            entry.data.CodePage,
-            entry.data.Reserved
-          )
-        else
-          logger.error "[!] invalid resource entry: #{entry.data.inspect}"
-          nil
-      end
-    end.flatten.compact
-  end
+  ##############################################################################
+  # packer / compiler detection
+  ##############################################################################
 
-  def packer f = nil
+  def packer f=@io
     @packer ||= pe(f) && @pe.ioh &&
       begin
-        if !(va=@pe.ioh.AddressOfEntryPoint)
-          logger.error "[?] can't find EntryPoint RVA"
-          nil
-        elsif va == 0 && @pe.dll?
-          logger.debug "[.] it's a DLL with no EntryPoint"
-          nil
-        elsif !(ofs = va2file(va))
-          logger.error "[?] can't find EntryPoint RVA (0x#{va.to_s(16)}) file offset"
+        if PEdump::Packer.all.size == 0
+          logger.error "[?] no packer definitions found"
           nil
         else
-          require 'pedump/packer'
-          if PEdump::Packer.all.size == 0
-            logger.error "[?] no packer definitions found"
-            nil
-          else
-            Packer.of f, :ep_offset => ofs
-          end
+          Packer.of f, :pedump => self
         end
       end
   end
@@ -1088,17 +829,13 @@ if $0 == __FILE__
     exit
   end
   p dump.mz
-  require './lib/hexdump_helper' if File.exist?("lib/hexdump_helper.rb")
-  if defined?(HexdumpHelper)
-    include HexdumpHelper
-    puts hexdump(dump.dos_stub) if dump.dos_stub
+  dump.dos_stub.hexdump if dump.dos_stub
+  puts
+  if dump.rich_hdr
+    dump.rich_hdr.hexdump
     puts
-    if dump.rich_hdr
-      puts hexdump(dump.rich_hdr)
-      puts
-      p(dump.rich_hdr.decode)
-      puts hexdump(dump.rich_hdr.dexor)
-    end
+    p(dump.rich_hdr.decode)
+    dump.rich_hdr.dexor.hexdump
   end
   pp dump.pe
   pp dump.resources