pedump 0.4.0 → 0.5.0

data/lib/pedump/cli.rb

@@ -1,11 +1,30 @@
 require 'pedump'
 require 'pedump/packer'
+require 'pedump/version_info'
 require 'optparse'
 
-unless Object.instance_methods.include?(:try)
-  class Object
-    def try(*x)
-      send(*x) if respond_to?(x.first)
+begin
+  require 'shellwords' # from ruby 1.9.3
+rescue LoadError
+  unless ''.respond_to?(:shellescape)
+    class String
+      # File shellwords.rb, line 72
+      def shellescape
+        # An empty argument will be skipped, so return empty quotes.
+        return "''" if self.empty?
+
+        str = self.dup
+
+        # Process as a single byte sequence because not all shell
+        # implementations are multibyte aware.
+        str.gsub!(/([^A-Za-z0-9_\-.,:\/@\n])/, "\\\\\\1")
+
+        # A LF cannot be escaped with a backslash because a backslash + LF
+        # combo is regarded as line continuation and simply ignored.
+        str.gsub!(/\n/, "'\n'")
+
+        str
+      end
     end
   end
 end
@@ -14,11 +33,11 @@ class PEdump::CLI
   attr_accessor :data, :argv
 
   KNOWN_ACTIONS = (
-    %w'mz dos_stub rich pe data_directory sections' +
-    %w'strings resources resource_directory imports exports version_info packer web packer_only'
+    %w'mz dos_stub rich pe ne data_directory sections tls security' +
+    %w'strings resources resource_directory imports exports version_info packer web console packer_only'
   ).map(&:to_sym)
 
-  DEFAULT_ALL_ACTIONS = KNOWN_ACTIONS - %w'resource_directory web packer_only'.map(&:to_sym)
+  DEFAULT_ALL_ACTIONS = KNOWN_ACTIONS - %w'resource_directory web packer_only console'.map(&:to_sym)
 
   URL_BASE = "http://pedump.me"
 
@@ -46,8 +65,8 @@ class PEdump::CLI
         @options[:force] ||= 0
         @options[:force] += 1
       end
-      opts.on "-f", "--format FORMAT", [:binary, :c, :dump, :hex, :inspect, :table],
-        "Output format: bin,c,dump,hex,inspect,table","(default: table)" do |v|
+      opts.on "-f", "--format FORMAT", [:binary, :c, :dump, :hex, :inspect, :table, :yaml],
+        "Output format: bin,c,dump,hex,inspect,table,yaml","(default: table)" do |v|
         @options[:format] = v
       end
       KNOWN_ACTIONS.each do |t|
@@ -70,15 +89,25 @@ class PEdump::CLI
         @actions << :packer_only
       end
 
+      opts.on '-r', "--recursive", "recurse dirs in packer detect" do
+        @options[:recursive] = true
+      end
+
       opts.on "--all", "Dump all but resource-directory (default)" do
         @actions = DEFAULT_ALL_ACTIONS
       end
       opts.on "--va2file VA", "Convert RVA to file offset" do |va|
         @actions << [:va2file,va]
       end
+
+      opts.separator ''
+
       opts.on "-W", "--web", "Uploads files to a #{URL_BASE}","for a nice HTML tables with image previews,","candies & stuff" do
         @actions << :web
       end
+      opts.on "-C", "--console", "opens IRB console with specified file loaded" do
+        @actions << :console
+      end
     end
 
     if (@argv = optparser.parse(@argv)).empty?
@@ -109,8 +138,9 @@ class PEdump::CLI
         next if !@options[:force] && !@pedump.mz(f)
 
         @actions.each do |action|
-          if action == :web
-            upload f
+          case action
+          when :web; upload f
+          when :console; console f
           else
             dump_action action,f
           end
@@ -145,12 +175,20 @@ class PEdump::CLI
   def dump_packer_only fnames
     max_fname_len = fnames.map(&:size).max
     fnames.each do |fname|
-      File.open(fname,'rb') do |f|
-        @pedump = create_pedump fname
-        packers = @pedump.packers(f)
-        pname = Array(packers).first.try(:packer).try(:name)
-        pname ||= "unknown" if @options[:verbose] > 0
-        printf("%-*s %s\n", max_fname_len+1, "#{fname}:", pname) if pname
+      if File.directory?(fname)
+        if @options[:recursive]
+          dump_packer_only(Dir[File.join(fname.shellescape,"*")])
+        else
+          STDERR.puts "[?] #{fname} is a directory, and recursive flag is not set"
+        end
+      else
+        File.open(fname,'rb') do |f|
+          @pedump = create_pedump fname
+          packers = @pedump.packers(f)
+          pname = Array(packers).first.try(:packer).try(:name)
+          pname ||= "unknown" if @options[:verbose] > 0
+          printf("%-*s %s\n", max_fname_len+1, "#{fname}:", pname) if pname
+        end
       end
     end
   end
@@ -172,7 +210,7 @@ class PEdump::CLI
       @file.send *args
     end
     def respond_to? *args
-      @file.respond_to?(*args) || super(*args)
+      @file.respond_to?(args.first) || super(*args)
     end
   end
 
@@ -184,6 +222,7 @@ class PEdump::CLI
 
     require 'digest/md5'
     require 'open-uri'
+    require 'net/http'
     require 'net/http/post/multipart'
     require 'progressbar'
 
@@ -194,16 +233,19 @@ class PEdump::CLI
     @pedump.logger.info "[.] md5: #{md5}"
     file_url = "#{URL_BASE}/#{md5}/"
 
-    @pedump.logger.info "[.] checking if file already uploaded.."
-    begin
-      if (r=open(file_url).read) == "OK"
+    @pedump.logger.warn "[.] checking if file already uploaded.."
+    Net::HTTP.start('pedump.me') do |http|
+      http.open_timeout = 10
+      http.read_timeout = 10
+      # doing HTTP HEAD is a lot faster than open-uri
+      h = http.head("/#{md5}/")
+      if h.code.to_i == 200 && h.content_type.to_s.strip.downcase == "text/html"
         @pedump.logger.warn "[.] file already uploaded: #{file_url}"
         return
-      else
-        raise "invalid server response: #{r}"
+      elsif h.code.to_i != 404 # 404 means that there's no such file and we're OK to upload
+        @pedump.logger.fatal "[!] invalid server response: \"#{h.code} #{h.msg}\" (#{h.content_type})"
+        exit(1)
       end
-    rescue OpenURI::HTTPError
-      raise unless $!.to_s == "404 Not Found"
     end
 
     f.rewind
@@ -228,6 +270,29 @@ class PEdump::CLI
     STDOUT.sync = stdout_sync
   end
 
+  def console f
+    require 'pedump/loader'
+    require 'pp'
+
+    ARGV.clear # clear ARGV so IRB is not confused
+    require 'irb'
+    f.rewind
+    ldr = @ldr = PEdump::Loader.new(f)
+
+    # override IRB.setup, called from IRB.start
+    m0 = IRB.method(:setup)
+    IRB.define_singleton_method :setup do |*args|
+      m0.call *args
+      conf[:IRB_RC] = Proc.new do |context|
+        context.main.instance_variable_set '@ldr', ldr
+        context.main.define_singleton_method(:ldr){ @ldr }
+      end
+    end
+
+    puts "[.] ldr = PEdump::Loader.new(open(#{f.path.inspect}))".gray
+    IRB.start
+  end
+
   def action_title action
     if @need_fname_header
       @need_fname_header = false
@@ -259,16 +324,14 @@ class PEdump::CLI
     data = @pedump.send(action, f)
     return if !data || (data.respond_to?(:empty?) && data.empty?)
 
-    puts action_title(action)
+    puts action_title(action) unless @options[:format] == :binary
 
-    return dump(data) if [:inspect, :table].include?(@options[:format])
+    return dump(data) if [:inspect, :table, :yaml].include?(@options[:format])
 
     dump_opts = {:name => action}
     case action
       when :pe
-        @pedump.pe.ifh.TimeDateStamp = @pedump.pe.ifh.TimeDateStamp.to_i
-        data = @pedump.pe.signature + (@pedump.pe.ifh.try(:pack)||'') + (@pedump.pe.ioh.try(:pack)||'')
-        @pedump.pe.ifh.TimeDateStamp = Time.at(@pedump.pe.ifh.TimeDateStamp)
+        data = @pedump.pe.pack
       when :resources
         return dump_resources(data)
       when :strings
@@ -292,7 +355,7 @@ class PEdump::CLI
   def dump data, opts = {}
     case opts[:format] || @options[:format] || :dump
     when :dump, :hexdump
-      puts hexdump(data)
+      data.hexdump
     when :hex
       puts data.each_byte.map{ |x| "%02x" % x }.join(' ')
     when :binary
@@ -310,6 +373,9 @@ class PEdump::CLI
       pp data
     when :table
       dump_table data
+    when :yaml
+      require 'yaml'
+      puts data.to_yaml
     end
   end
 
@@ -352,7 +418,7 @@ class PEdump::CLI
           printf "%30s: %24s\n", k.to_s.sub('Major',''), "#{v}.#{data[k.to_s.sub('Major','Minor')]}"
         when /\AMinor.*Version\Z/
         when /TimeDateStamp/
-          printf "%30s: %24s\n", k, Time.at(v).strftime('"%Y-%m-%d %H:%M:%S"')
+          printf "%30s: %24s\n", k, Time.at(v).utc.strftime('"%Y-%m-%d %H:%M:%S"')
         else
           comment = ''
           if COMMENTS[k]
@@ -394,17 +460,23 @@ class PEdump::CLI
         dump_resources data
       when PEdump::STRING
         dump_strings data
-      when PEdump::IMAGE_IMPORT_DESCRIPTOR
+      when PEdump::IMAGE_IMPORT_DESCRIPTOR, PEdump::ImportedFunction
         dump_imports data
       when PEdump::Packer::Match
         dump_packers data
-      when PEdump::VS_VERSIONINFO
+      when PEdump::VS_VERSIONINFO, PEdump::NE::VS_VERSIONINFO
         dump_version_info data
+      when PEdump::IMAGE_TLS_DIRECTORY32, PEdump::IMAGE_TLS_DIRECTORY64
+        dump_tls data
+      when PEdump::WIN_CERTIFICATE
+        dump_security data
+      when PEdump::NE::Segment
+        dump_ne_segments data
       else
         puts "[?] don't know how to dump: #{data.inspect[0,50]}" unless data.empty?
       end
     elsif data.is_a?(PEdump::DOSStub)
-      puts hexdump(data)
+      data.hexdump
     elsif data.is_a?(PEdump::RichHdr)
       dump_rich_hdr data
     else
@@ -412,6 +484,34 @@ class PEdump::CLI
     end
   end
 
+  def dump_security data
+    return unless data
+    data.each do |win_cert|
+      if win_cert.data.respond_to?(:certificates)
+        win_cert.data.certificates.each do |cert|
+          puts cert.to_text
+          puts
+        end
+      else
+        @pedump.logger.error "[?] no certificates in #{win_cert.class}"
+      end
+    end
+  end
+
+  def dump_tls data
+    fmt = "%10x %10x %8x  %8x  %8x  %8x\n"
+    printf fmt.tr('x','s'), *%w'RAW_START RAW_END INDEX CALLBKS ZEROFILL FLAGS'
+    data.each do |tls|
+      printf fmt,
+        tls.StartAddressOfRawData.to_i,
+        tls.EndAddressOfRawData.to_i,
+        tls.AddressOfIndex.to_i,
+        tls.AddressOfCallBacks.to_i,
+        tls.SizeOfZeroFill.to_i,
+        tls.Characteristics.to_i
+    end
+  end
+
   def dump_version_info data
     if @options[:format] != :table
       File.open(@file_name,'rb') do |f|
@@ -429,38 +529,38 @@ class PEdump::CLI
       puts "# VS_FIXEDFILEINFO:"
 
       if @options[:verbose] > 0 || vi.Value.dwSignature != 0xfeef04bd
-        printf(fmt, "Signature", "0x#{vi.Value.dwSignature.to_s(16)}")
+        printf(fmt, "Signature", "0x#{vi.Value.dwSignature.to_i.to_s(16)}")
       end
 
       printf fmt, 'FileVersion', [
-        vi.Value.dwFileVersionMS >> 16,
-        vi.Value.dwFileVersionMS &  0xffff,
-        vi.Value.dwFileVersionLS >> 16,
-        vi.Value.dwFileVersionLS &  0xffff
+        vi.Value.dwFileVersionMS.to_i >> 16,
+        vi.Value.dwFileVersionMS.to_i &  0xffff,
+        vi.Value.dwFileVersionLS.to_i >> 16,
+        vi.Value.dwFileVersionLS.to_i &  0xffff
       ].join('.')
 
       printf fmt, 'ProductVersion', [
-        vi.Value.dwProductVersionMS >> 16,
-        vi.Value.dwProductVersionMS &  0xffff,
-        vi.Value.dwProductVersionLS >> 16,
-        vi.Value.dwProductVersionLS &  0xffff
+        vi.Value.dwProductVersionMS.to_i >> 16,
+        vi.Value.dwProductVersionMS.to_i &  0xffff,
+        vi.Value.dwProductVersionLS.to_i >> 16,
+        vi.Value.dwProductVersionLS.to_i &  0xffff
       ].join('.')
 
       vi.Value.each_pair do |k,v|
         next if k[/[ML]S$/] || k == :valid || k == :dwSignature
-        printf fmt, k.to_s.sub(/^dw/,''), v > 9 ? "0x#{v.to_s(16)}" : v
+        printf fmt, k.to_s.sub(/^dw/,''), v.to_i > 9 ? "0x#{v.to_s(16)}" : v
       end
 
       vi.Children.each do |file_info|
         case file_info
-        when PEdump::StringFileInfo
+        when PEdump::StringFileInfo, PEdump::NE::StringFileInfo
           file_info.Children.each do |string_table|
             puts "\n# StringTable #{string_table.szKey}:"
             string_table.Children.each do |string|
               printf fmt, string.szKey, string.Value.inspect
             end
           end
-        when PEdump::VarFileInfo
+        when PEdump::VarFileInfo, PEdump::NE::VarFileInfo
           puts
           printf fmt, "VarFileInfo", '[ 0x' + file_info.Children.Value.map{|v| v.to_s(16)}.join(", 0x") + ' ]'
         else
@@ -482,57 +582,68 @@ class PEdump::CLI
   end
 
   def dump_exports data
-    printf "# module %s\n# flags=0x%x  ts=%s  version=%d.%d  ord_base=%d\n",
-      data.name.inspect,
-      data.Characteristics.to_i,
-      Time.at(data.TimeDateStamp.to_i).strftime('"%Y-%m-%d %H:%M:%S"'),
-      data.MajorVersion, data.MinorVersion,
-      data.Base
+    printf "# module %s\n", data.name.inspect
+    printf "# description %s\n", data.description.inspect if data.description
+
+    if data.Characteristics || data.TimeDateStamp || data.MajorVersion || data.MinorVersion || data.Base
+      printf "# flags=0x%x  ts=%s  version=%d.%d  ord_base=%d\n",
+        data.Characteristics.to_i,
+        Time.at(data.TimeDateStamp.to_i).utc.strftime('"%Y-%m-%d %H:%M:%S"'),
+        data.MajorVersion.to_i, data.MinorVersion.to_i,
+        data.Base.to_i
+    end
 
     if @options[:verbose] > 0
       [%w'Names', %w'EntryPoints Functions', %w'Ordinals NameOrdinals'].each do |x|
         va  = data["AddressOf"+x.last]
         ofs = @pedump.va2file(va) || '?'
-        printf "# %-12s rva=0x%08x  file_offset=%8s\n", x.first, va, ofs
+        printf("# %-12s rva=0x%08x  file_offset=%8s\n", x.first, va, ofs) if va
       end
     end
 
-    printf "# nFuncs=%d  nNames=%d\n",
-      data.NumberOfFunctions,
-      data.NumberOfNames
-
-    return unless data.name_ordinals.any? || data.entry_points.any? || data.names.any?
-
-    puts
-
-    ord2name = {}
-    data.NumberOfNames.times do |i|
-      ord2name[data.name_ordinals[i]] ||= []
-      ord2name[data.name_ordinals[i]] << data.names[i]
+    if data.NumberOfFunctions || data.NumberOfNames
+      printf "# nFuncs=%d  nNames=%d\n", data.NumberOfFunctions.to_i, data.NumberOfNames.to_i
     end
 
-    printf "%5s %8s  %s\n", "ORD", "ENTRY_VA", "NAME"
-    data.NumberOfFunctions.times do |i|
-      ep = data.entry_points[i]
-      names = ord2name[i+data.Base].try(:join,', ')
-      next if ep.to_i == 0 && names.nil?
-      printf "%5d %8x  %s\n", i + data.Base, ep, names
+    if data.functions && data.functions.any?
+      puts
+      if @pedump.ne?
+        printf "%5s %9s  %s\n", "ORD", "SEG:OFFS", "NAME"
+        data.functions.each do |f|
+          printf "%5x %4x:%04x  %s\n", f.ord, f.va>>16, f.va&0xffff, f.name
+        end
+      else
+        printf "%5s %8s  %s\n", "ORD", "ENTRY_VA", "NAME"
+        data.functions.each do |f|
+          printf "%5x %8x  %s\n", f.ord, f.va, f.name
+        end
+      end
     end
   end
 
   def dump_imports data
     fmt = "%-15s %5s %5s  %s\n"
     printf fmt, "MODULE_NAME", "HINT", "ORD", "FUNCTION_NAME"
-    data.each do |iid|
-      # image import descriptor
-      (Array(iid.original_first_thunk) + Array(iid.first_thunk)).uniq.each do |f|
-        next unless f
-        # imported function
+    data.each do |x|
+      case x
+      when PEdump::IMAGE_IMPORT_DESCRIPTOR
+        (Array(x.original_first_thunk) + Array(x.first_thunk)).uniq.each do |f|
+          next unless f
+          # imported function
+          printf fmt,
+            x.module_name,
+            f.hint ? f.hint.to_s(16) : '',
+            f.ordinal ? f.ordinal.to_s(16) : '',
+            f.name
+        end
+      when PEdump::ImportedFunction
         printf fmt,
-          iid.module_name,
-          f.hint ? f.hint.to_s(16) : '',
-          f.ordinal ? f.ordinal.to_s(16) : '',
-          f.name
+          x.module_name,
+          x.hint ? x.hint.to_s(16) : '',
+          x.ordinal ? x.ordinal.to_s(16) : '',
+          x.name
+      else
+        raise "invalid #{x.inspect}"
       end
     end
   end
@@ -542,7 +653,7 @@ class PEdump::CLI
     prev_lang = nil
     data.sort_by{|s| [s.lang, s.id] }.each do |s|
       #puts if prev_lang && prev_lang != s.lang
-      printf "%5d %5x  %4x  %s\n", s.id, s.id, s.lang, s.value.inspect
+      printf "%5d %5x  %4s  %s\n", s.id, s.id, s.lang && s.lang.to_s(16), s.value.inspect
       prev_lang = s.lang
     end
   end
@@ -629,11 +740,15 @@ class PEdump::CLI
     printf fmt.join.tr('dx','s'), *keys.map(&:to_s).map(&:upcase)
     data.each do |res|
       fmt.each_with_index do |f,i|
-        v = res.send(keys[i])
-        if f['x']
-          printf f.tr('x','s'), v.to_i < 10 ? v.to_s : "0x#{v.to_s(16)}"
+        if v = res.send(keys[i])
+          if f['x']
+            printf f.tr('x','s'), v.to_i < 10 ? v.to_s : "0x#{v.to_s(16)}"
+          else
+            printf f, v
+          end
         else
-          printf f, v
+          # NULL value
+          printf f.tr('xd','s'), ''
         end
       end
     end
@@ -654,6 +769,16 @@ class PEdump::CLI
     end
   end
 
+  def dump_ne_segments data
+    fmt = "%2x %6x %6x %9x %9x %6x  %s\n"
+    printf fmt.tr('x','s'), *%w'# OFFSET SIZE MIN_ALLOC FILE_OFFS FLAGS', ''
+    data.each_with_index do |seg,idx|
+      printf fmt, idx+1, seg.offset, seg.size, seg.min_alloc_size, seg.file_offset, seg.flags,
+        seg.flags_desc
+    end
+  end
+
+
   def dump_data_dir data
     data.each do |row|
       printf "  %-12s  rva:0x%8x   size:0x %8x\n", row.type, row.va.to_i, row.size.to_i
@@ -669,35 +794,11 @@ class PEdump::CLI
       end
     else
       puts "# raw:"
-      puts hexdump(data)
+      data.hexdump
       puts
       puts "# dexored:"
-      puts hexdump(data.dexor)
+      data.dexor.hexdump
     end
   end
 
-  def hexdump data, h = {}
-    offset = h[:offset] || 0
-    add    = h[:add]    || 0
-    size   = h[:size]   || (data.size-offset)
-    tail   = h[:tail]   || "\n"
-    width  = h[:width]  || 0x10                 # row width, in bytes
-
-    size = data.size-offset if size+offset > data.size
-
-    r = ''; s = ''
-    r << "%08x: " % (offset + add)
-    ascii = ''
-    size.times do |i|
-      if i%width==0 && i>0
-        r << "%s |%s|\n%08x: " % [s, ascii, offset + add + i]
-        ascii = ''; s = ''
-      end
-      s << " " if i%width%8==0
-      c = data[offset+i].ord
-      s << "%02x " % c
-      ascii << ((32..126).include?(c) ? c.chr : '.')
-    end
-    r << "%-*s |%-*s|%s" % [width*3+width/8+(width%8==0?0:1), s, width, ascii, tail]
-  end
-end
+end # class PEdump::CLI