pedump 0.4.0 → 0.5.0

data/lib/pedump/comparer.rb

@@ -0,0 +1,147 @@
+require 'pedump'
+require 'pedump/loader'
+
+########################################################################
+# comparing 2 binaries
+########################################################################
+
+class PEdump::Comparer
+  attr_accessor :verbose
+  attr_accessor :ignored_data_dirs, :ignored_sections
+
+  METHODS = [:sections, :data_dirs, :imports, :resources, :pe_hdr]
+
+  def initialize ldr1, ldr2
+    @ldr1,@ldr2 = ldr1,ldr2
+    @ignored_data_dirs = []
+    @ignored_sections  = []
+  end
+
+  def equal?
+    METHODS.map{ |m| send("cmp_#{m}") }.uniq == [true]
+  end
+
+  def diff
+    METHODS.map{ |m| send("cmp_#{m}") ? nil : m }.compact
+  end
+
+  def cmp_pe_hdr
+    @ldr1.pe.ioh.AddressOfEntryPoint == @ldr2.pe.ioh.AddressOfEntryPoint &&
+    @ldr1.pe.ioh.ImageBase           == @ldr2.pe.ioh.ImageBase
+  end
+
+  def cmp_resources
+    PEdump.quiet do
+      #@ldr1.pedump.resources == @ldr2.pedump.resources
+      @ldr1.pedump.resources.each_with_index do |r1,idx|
+       r2 = @ldr2.pedump.resources[idx]
+       if (r1.to_a - [r1.file_offset]) != (r2.to_a - [r2.file_offset])
+         p r1
+         p r2
+         return false
+       end
+      end
+    end
+    true
+  end
+
+  def cmp_sections
+    r = true
+    @ldr1.sections.each_with_index do |s1,idx|
+      next if @ignored_sections.include?(s1.name)
+      s2 = @ldr2.sections[idx]
+
+      if !s2
+        r = false
+        printf "[!] extra section %-12s in %s\n".red, s1.name.inspect, f1
+      elsif s1.data == s2.data
+        printf "[.] section: %s == %s\n".green, s1.name, s2.name if @verbose
+      else
+        r = false
+        printf "[!] section: %s != %s\n".red, s1.name, s2.name
+        self.class.cmp_ios *[s1,s2].map{ |section| StringIO.new(section.data) }
+      end
+    end
+    r
+  end
+
+  def cmp_data_dirs
+    r = true
+    @ldr1.pe.ioh.DataDirectory.each_with_index do |d1,idx|
+      break if idx == 15
+      d2 = @ldr2.pe.ioh.DataDirectory[idx]
+
+      case idx
+        when PEdump::IMAGE_DATA_DIRECTORY::BASERELOC
+          # total 8-byte size relocs == no relocs at all
+          next if [d1.va, d2.va].min == 0 && [d1.size, d2.size].max == 8
+      end
+
+      next if @ignored_data_dirs.include?(idx)
+
+      if d1.va != d2.va && d1.size != d2.size
+        r = false
+        printf "[!] data_dir: %-12s:  SIZE & VA: %6x %6x  |  %6x %6x\n".red, d1.type,
+          d1.va, d1.size, d2.va, d2.size
+      elsif d1.va != d2.va
+        r = false
+        printf "[!] data_dir: %-12s:  VA       : %x != %x\n".red, d1.type, d1.va, d2.va
+      elsif d1.size != d2.size
+        r = false
+        printf "[!] data_dir: %-12s:  SIZE     : %x != %x\n".red, d1.type, d1.size, d2.size
+      end
+    end
+    r
+  end
+
+  def cmp_imports
+    @ldr1.pedump.imports.each_with_index do |iid1,idx|
+      iid2 = @ldr2.pedump.imports[idx]
+      if iid1 != iid2
+        puts "[!] diff imports".red
+        return false
+      end
+    end
+    true
+  end
+
+  class << self
+    # arguments can be:
+    #   a) filenames
+    #   b) IO instances
+    #   c) PEdump::Loader instances
+    def cmp *args
+      handles = []
+      if args.all?{|x| x.is_a?(String)}
+        handles = args.map{|x| File.open(x,"rb")}
+        _cmp(*handles.map{|h| PEdump::Loader.new(h)})
+      else
+        _cmp(*args)
+      end
+    ensure
+      handles.each(&:close)
+    end
+
+    # each arg is a PEdump::Loader
+    def _cmp ldr1, ldr2
+      new(ldr1, ldr2).equal?
+    end
+
+    def cmp_ios *ios
+      ndiff = 0
+      while !ios.any?(&:eof)
+        bytes = ios.map(&:readbyte)
+        if bytes.uniq.size > 1
+          ndiff += 1
+          printf ("\t%08x:"+" %02x"*ios.size).yellow+"\n", ios[0].pos-1, *bytes
+          if ndiff >= 5
+            puts "\t...".yellow
+            break
+          end
+        end
+      end
+      puts if ndiff > 0
+    end
+
+  end
+end

data/lib/pedump/composite_io.rb

@@ -0,0 +1,56 @@
+class PEdump
+  class CompositeIO
+    def initialize(*ios)
+      @ios    = ios.flatten
+      @starts = ios.map(&:tell) # respect current position of each IO
+      @pos = 0
+    end
+
+    def read(amount = nil, buf = nil)
+      buf ||= ''; buf1 = ''
+
+      # truncates buffer to zero length if nothing read
+      @ios.first.read(amount,buf)
+
+      @ios[1..-1].each do |io|
+        break if amount && buf.size >= amount
+        io.read(amount ? (amount-buf.size) : nil, buf1)
+        buf << buf1
+      end
+
+      @pos += buf.size
+
+      buf.size > 0 ? buf : (amount ? nil : buf )
+    end
+
+    def tell
+      @pos
+    end
+
+    def seek pos
+      @pos = pos
+      @ios.each_with_index do |io,idx|
+        if pos > 0
+          sz = io.size-@starts[idx]
+          io.seek( @starts[idx] + (pos < sz ? pos : sz) )
+          pos -= sz
+        else
+          # seek all remaining IOs to 0
+          io.seek @starts[idx]
+        end
+      end
+    end
+
+    def rewind
+      seek(0)
+    end
+
+    def size
+      @ios.map(&:size).inject(&:+)
+    end
+
+    def eof?
+      @ios.all?(&:eof?)
+    end
+  end
+end

data/lib/pedump/core.rb

@@ -0,0 +1,38 @@
+require 'logger'
+require 'pedump/version'
+require 'pedump/logger'
+
+class String
+  def xor x
+    if x.is_a?(String)
+      r = ''
+      j = 0
+      0.upto(self.size-1) do |i|
+        r << (self[i].ord^x[j].ord).chr
+        j+=1
+        j=0 if j>= x.size
+      end
+      r
+    else
+      r = ''
+      0.upto(self.size-1) do |i|
+        r << (self[i].ord^x).chr
+      end
+      r
+    end
+  end
+end
+
+class File
+  def checked_seek newpos
+    @file_range ||= (0..size)
+    @file_range.include?(newpos) && (seek(newpos) || true)
+  end
+end
+
+class PEdump
+  class << self
+    def logger;    @@logger;   end
+    def logger= l; @@logger=l; end
+  end
+end

data/lib/pedump/core_ext/try.rb

@@ -0,0 +1,57 @@
+class Object
+  # Invokes the method identified by the symbol +method+, passing it any arguments
+  # and/or the block specified, just like the regular Ruby <tt>Object#send</tt> does.
+  #
+  # *Unlike* that method however, a +NoMethodError+ exception will *not* be raised
+  # and +nil+ will be returned instead, if the receiving object is a +nil+ object or NilClass.
+  #
+  # If try is called without a method to call, it will yield any given block with the object.
+  #
+  # Please also note that +try+ is defined on +Object+, therefore it won't work with
+  # subclasses of +BasicObject+. For example, using try with +SimpleDelegator+ will
+  # delegate +try+ to target instead of calling it on delegator itself.
+  #
+  # ==== Examples
+  #
+  # Without +try+
+  #   @person && @person.name
+  # or
+  #   @person ? @person.name : nil
+  #
+  # With +try+
+  #   @person.try(:name)
+  #
+  # +try+ also accepts arguments and/or a block, for the method it is trying
+  #   Person.try(:find, 1)
+  #   @people.try(:collect) {|p| p.name}
+  #
+  # Without a method argument try will yield to the block unless the receiver is nil.
+  #   @person.try { |p| "#{p.first_name} #{p.last_name}" }
+  #--
+  # +try+ behaves like +Object#send+, unless called on +NilClass+.
+  def try(*a, &b)
+    if a.empty? && block_given?
+      yield self
+    else
+      __send__(*a, &b)
+    end
+  end
+end
+
+class NilClass
+  # Calling +try+ on +nil+ always returns +nil+.
+  # It becomes specially helpful when navigating through associations that may return +nil+.
+  #
+  # === Examples
+  #
+  #   nil.try(:name) # => nil
+  #
+  # Without +try+
+  #   @person && !@person.children.blank? && @person.children.first.name
+  #
+  # With +try+
+  #   @person.try(:children).try(:first).try(:name)
+  def try(*args)
+    nil
+  end
+end

data/lib/pedump/loader.rb

@@ -0,0 +1,393 @@
+#!/usr/bin/env ruby
+
+require 'pedump'
+require 'stringio'
+require 'pedump/loader/section'
+require 'pedump/loader/minidump'
+
+# This class is kinda Virtual Machine that mimics executable loading as real OS does.
+# Can be used for unpacking, emulating, reversing, ...
+class PEdump::Loader
+  attr_accessor :mz_hdr, :dos_stub, :pe_hdr, :sections, :pedump, :image_base
+  attr_accessor :find_limit
+
+  DEFAULT_FIND_LIMIT = 2**64
+
+  # shortcuts
+  alias :pe :pe_hdr
+  def ep; @pe_hdr.ioh.AddressOfEntryPoint; end
+  def ep= v; @pe_hdr.ioh.AddressOfEntryPoint=v; end
+
+  ########################################################################
+  # constructors
+  ########################################################################
+
+  def initialize io = nil, params = {}
+    @pedump = PEdump.new(io, params)
+    if io
+      @mz_hdr     = @pedump.mz
+      @dos_stub   = @pedump.dos_stub
+      @pe_hdr     = @pedump.pe
+      @image_base = params[:image_base] || @pe_hdr.try(:ioh).try(:ImageBase) || 0
+      load_sections @pedump.sections, io
+    end
+    @find_limit = params[:find_limit] || DEFAULT_FIND_LIMIT
+  end
+
+  def load_sections section_hdrs, f = nil
+    if section_hdrs.is_a?(Array)
+      @sections = section_hdrs.map do |x|
+        raise "unknown section hdr: #{x.inspect}" unless x.is_a?(PEdump::IMAGE_SECTION_HEADER)
+        Section.new(x, :deferred_load_io => f, :image_base => @image_base )
+      end
+      if f.respond_to?(:seek) && f.respond_to?(:read)
+        #
+        # converted to deferred loading
+        #
+#        section_hdrs.each_with_index do |sect_hdr, idx|
+#          f.seek sect_hdr.PointerToRawData
+#          @sections[idx].data = f.read(sect_hdr.SizeOfRawData)
+#        end
+      elsif f
+        raise "invalid 2nd arg: #{f.inspect}"
+      end
+    else
+      raise "invalid arg: #{section_hdrs.inspect}"
+    end
+  end
+
+  # load MS Minidump (*.dmp) file, that can be created in Task Manager via
+  # right click on process -> save memory dump
+  def load_minidump io, options = {}
+    @sections ||= []
+    md = Minidump.new io
+    options[:merge] = true unless options.key?(:merge)
+    md.memory_ranges(options).each do |mr|
+      hdr = PEdump::IMAGE_SECTION_HEADER.new(
+        :VirtualAddress   => mr.va,
+        :PointerToRawData => mr.file_offset,
+        :SizeOfRawData    => mr.size,
+        :VirtualSize      => mr.size            # XXX may be larger than SizeOfRawData
+      )
+      @sections << Section.new( hdr, :deferred_load_io => io )
+    end
+  end
+
+  def self.load_minidump io
+    new.tap{ |ldr| ldr.load_minidump io }
+  end
+
+  ########################################################################
+  # VA conversion
+  ########################################################################
+
+  # VA to section
+  def va2section va
+    @sections.find{ |x| x.range.include?(va) }
+  end
+
+  # RVA (Relative VA) to section
+  def rva2section rva
+    va2section( rva + @image_base )
+  end
+
+  def va2stream va
+    return nil unless section = va2section(va)
+    StringIO.new(section.data).tap do |io|
+      io.seek va-section.va
+    end
+  end
+
+  def rva2stream rva
+    va2stream( rva + @image_base )
+  end
+
+  ########################################################################
+  # virtual memory read/write
+  ########################################################################
+
+  # read arbitrary string
+  def [] va, size, params = {}
+    section = va2section(va)
+    raise "no section for va=0x#{va.to_s 16}" unless section
+    offset = va - section.va
+    raise "negative offset #{offset}" if offset < 0
+    r = section.data[offset,size]
+    return nil if r.nil?
+    if r.size < size && params.fetch(:zerofill, true)
+      # append some empty data
+      r << ("\x00".force_encoding('binary')) * (size - r.size)
+    end
+    r
+  end
+
+  # write arbitrary string
+  def []= va, size, data
+    raise "data.size != size" if data.size != size
+    section = va2section(va)
+    raise "no section for va=0x#{va.to_s 16}" unless section
+    offset = va - section.va
+    raise "negative offset #{offset}" if offset < 0
+    if section.data.size < offset
+      # append some empty data
+      section.data << ("\x00".force_encoding('binary') * (offset-section.data.size))
+    end
+    section.data[offset, data.size] = data
+  end
+
+  # returns StringIO with section data, pre-seeked to specified VA
+  # TODO: make io cross sections
+  def io va
+    section = va2section(va)
+    raise "no section for va=0x#{va.to_s 16}" unless section
+    offset = va - section.va
+    raise "negative offset #{offset}" if offset < 0
+    StringIO.new(section.data).tap{ |io| io.seek offset }
+  end
+
+  # read single DWord (4 bytes) if no 'n' specified
+  # delegate to #dwords otherwise
+  def dw va, n=nil
+    n ? dwords(va,n) : self[va,4].unpack('L')[0]
+  end
+  alias :dword :dw
+
+  # read N DWords, returns array
+  def dwords va, n
+    self[va,4*n].unpack('L*')
+  end
+
+  # check if any section has specified VA in its range
+  def valid_va? va
+    @ranges ||= _merge_ranges
+    @ranges.any?{ |range| range.include?(va) }
+  end
+
+  # increasing max_diff speed ups the :valid_va? method, but may cause false positives
+  def _merge_ranges max_diff = nil
+    max_diff ||=
+      if sections.size > 100
+        1024*1024
+      else
+        0
+      end
+
+    ranges0 = sections.map(&:range).sort_by(&:begin)
+    #puts "[.] #{ranges0.size} ranges"
+    ranges1 = []
+    range = ranges0.shift
+    while ranges0.any?
+      while (ranges0.first.begin-range.end).abs <= max_diff
+        range = range.begin...ranges0.shift.end
+        break if ranges0.empty?
+      end
+      #puts "[.] diff #{ranges0.first.begin-range.end}"
+      ranges1 << range
+      range = ranges0.shift
+    end
+    ranges1 << range
+    #puts "[=] #{ranges1.size} ranges"
+    ranges1.uniq.compact
+  end
+
+  # find first occurence of string
+  # returns VA
+  def find needle, options = {}
+    options[:align] ||= 1
+    options[:limit] ||= @find_limit
+
+    if needle.is_a?(Fixnum)
+      # silently convert to DWORD
+      needle = [needle].pack('L')
+    end
+
+    if options[:align] == 1
+      # fastest find?
+      processed_bytes = 0
+      sections.each do |section|
+        next unless section.data # skip empty sections
+        pos = section.data.index(needle)
+        return section.va+pos if pos
+        processed_bytes += section.vsize
+        return nil if processed_bytes >= options[:limit]
+      end
+    end
+    nil
+  end
+
+  # find all occurences of string
+  # returns array of VAs or empty array
+  def find_all needle, options = {}
+    options[:align] ||= 1
+    options[:limit] ||= @find_limit
+
+    if needle.is_a?(Fixnum)
+      # silently convert to DWORD
+      needle = [needle].pack('L')
+    end
+
+    r = []
+    if options[:align] == 1
+      # fastest find?
+      processed_bytes = 0
+      sections.each do |section|
+        next unless section.data # skip empty sections
+        section.data.scan(needle) do
+          r << $~.begin(0) + section.va
+        end
+        processed_bytes += section.vsize
+        return r if processed_bytes >= options[:limit]
+      end
+    end
+    r
+  end
+
+  ########################################################################
+  # parsing names
+  ########################################################################
+
+  def names
+    return @names if @names
+    @names = {}
+    if oep = @pe_hdr.try(:ioh).try(:AddressOfEntryPoint)
+      oep += @image_base
+      @names[oep] = 'start'
+    end
+    _parse_imports
+    _parse_exports
+    #TODO: debug info
+    @names
+  end
+
+  def _parse_imports
+    @pedump.imports.each do |iid| # Image Import Descriptor
+      va = iid.FirstThunk + @image_base
+      (Array(iid.original_first_thunk) + Array(iid.first_thunk)).uniq.each do |func|
+        name = func.name || "##{func.ordinal}"
+        @names[va] = name
+        va += 4
+      end
+    end
+  end
+
+  def _parse_exports
+    return {} unless @pedump.exports
+    @pedump.exports.functions.each do |func|
+      @names[@image_base + func.va] = func.name || "##{func.ordinal}"
+    end
+  end
+
+  ########################################################################
+  # generating PE binary
+  ########################################################################
+
+  def section_table
+    @sections.map do |section|
+      section.hdr.SizeOfRawData = section.data.size
+      section.hdr.PointerToRelocations ||= 0
+      section.hdr.PointerToLinenumbers ||= 0
+      section.hdr.NumberOfRelocations  ||= 0
+      section.hdr.NumberOfLinenumbers  ||= 0
+      section.hdr.Characteristics      ||= 0
+      section.hdr.pack
+    end.join
+  end
+
+  # save a new PE file to specified IO
+  def export io
+    @mz_hdr     ||= PEdump::MZ.new("MZ", *[0]*22)
+    @dos_stub   ||= ''
+    @pe_hdr     ||= PEdump::PE.new("PE\x00\x00")
+    @pe_hdr.ioh ||=
+      PEdump::IMAGE_OPTIONAL_HEADER32.read( StringIO.new("\x00" * 224) ).tap do |ioh|
+        ioh.Magic               = 0x10b # 32-bit executable
+        #ioh.NumberOfRvaAndSizes = 0x10
+      end
+    @pe_hdr.ifh ||= PEdump::IMAGE_FILE_HEADER.new(
+      :Machine              => 0x14c,          # x86
+      :NumberOfSections     => @sections.size,
+      :TimeDateStamp        => 0,
+      :PointerToSymbolTable => 0,
+      :NumberOfSymbols      => 0,
+      :SizeOfOptionalHeader => @pe_hdr.ioh.pack.size,
+      :Characteristics      => 0x102           # EXECUTABLE_IMAGE | 32BIT_MACHINE
+    )
+
+    if @pe_hdr.ioh.FileAlignment.to_i == 0
+      # default file align = 512 bytes
+      @pe_hdr.ioh.FileAlignment = 0x200
+    end
+    if @pe_hdr.ioh.SectionAlignment.to_i == 0
+      # default section align = 4k
+      @pe_hdr.ioh.SectionAlignment = 0x1000
+    end
+
+    mz_size = @mz_hdr.pack.size
+    raise "odd mz_size #{mz_size}" if mz_size % 0x10 != 0
+    @mz_hdr.header_paragraphs = mz_size / 0x10              # offset of dos_stub
+    @mz_hdr.lfanew = mz_size + @dos_stub.size               # offset of PE hdr
+    io.write @mz_hdr.pack
+    io.write @dos_stub
+    io.write @pe_hdr.pack
+    io.write @pe_hdr.ioh.DataDirectory.map(&:pack).join
+
+    section_tbl_offset = io.tell # store offset for 2nd write of section table
+    io.write section_table
+
+    align = @pe_hdr.ioh.FileAlignment
+    @sections.each do |section|
+      io.seek(align - (io.tell % align), IO::SEEK_CUR) if io.tell % align != 0
+      section.hdr.PointerToRawData = io.tell  # fix raw_ptr
+      io.write(section.data)
+    end
+
+    eof = io.tell
+
+    # 2nd write of section table with correct raw_ptr's
+    io.seek section_tbl_offset
+    io.write section_table
+
+    io.seek eof
+  end
+
+  alias :dump :export
+end
+
+###################################################################
+
+if $0 == __FILE__
+  require 'pp'
+  require 'zhexdump'
+
+  io = open ARGV.first
+  ldr = PEdump::Loader.load_minidump io
+
+  File.open(ARGV.first + ".exe", "wb") do |f|
+    ldr.sections[100..-1] = []
+    ldr.export f
+  end
+  exit
+
+  va = 0x3a10000+0xceb00-0x300+0x18c
+  ZHexdump.dump ldr[va, 0x200], :add => va
+  exit
+
+  #puts
+  #ZHexdump.dump ldr[x,0x100]
+
+  ldr.find_all(va, :limit => 100_000_000).each do |va0|
+    printf "[.] found at VA=%x\n", va0
+    5.times do |i|
+      puts
+      va = ldr.dw(va0+i*4)
+      ZHexdump.dump ldr[va,0x30], :add => va if va != 0
+    end
+  end
+
+  puts "---"
+  ldr.find_all(0x3dff970, :limit => 100_000_000).each do |va|
+    ldr[va,0x20].hexdump
+    puts
+  end
+
+end