pedump 0.4.0 → 0.5.0

data/lib/pedump/loader/minidump.rb

@@ -0,0 +1,187 @@
+#!/usr/bin/env ruby
+
+require 'iostruct'
+
+class PEdump
+
+  # http://msdn.microsoft.com/en-us/library/windows/desktop/ms680378(v=vs.85).aspx
+  class MINIDUMP_HEADER < IOStruct.new 'a4LLLLLQ',
+    :Signature,
+    :Version,
+    :NumberOfStreams,
+    :StreamDirectoryRva,
+    :CheckSum,
+    :TimeDateStamp,
+    :Flags
+
+    def valid?
+      self.Signature == 'MDMP'
+    end
+  end
+
+  MINIDUMP_LOCATION_DESCRIPTOR = IOStruct.new 'LL', :DataSize, :Rva
+
+  class MINIDUMP_DIRECTORY < IOStruct.new 'L', :StreamType, :Location
+    def self.read io
+      r = super
+      r.Location = MINIDUMP_LOCATION_DESCRIPTOR.read(io)
+      r
+    end
+  end
+
+  MINIDUMP_MEMORY_INFO = IOStruct.new 'QQLLQLLLL',
+    :BaseAddress,
+    :AllocationBase,
+    :AllocationProtect,
+    :__alignment1,
+    :RegionSize,
+    :State,
+    :Protect,
+    :Type,
+    :__alignment2
+
+  class MINIDUMP_MEMORY_INFO_LIST < IOStruct.new 'LLQ',
+    :SizeOfHeader,
+    :SizeOfEntry,
+    :NumberOfEntries,
+    :entries
+
+    def self.read io
+      r = super
+      r.entries = r.NumberOfEntries.times.map{ MINIDUMP_MEMORY_INFO.read(io) }
+      r
+    end
+  end
+
+  MINIDUMP_MEMORY_DESCRIPTOR64 = IOStruct.new 'QQ',
+    :StartOfMemoryRange,
+    :DataSize
+
+  class MINIDUMP_MEMORY64_LIST < IOStruct.new 'QQ',
+    :NumberOfMemoryRanges,
+    :BaseRva,
+    :MemoryRanges
+
+    def self.read io
+      r = super
+      r.MemoryRanges = r.NumberOfMemoryRanges.times.map{ MINIDUMP_MEMORY_DESCRIPTOR64.read(io) }
+      r
+    end
+
+    def entries; self.MemoryRanges; end
+  end
+
+  # http://msdn.microsoft.com/en-us/library/windows/desktop/ms680394(v=vs.85).aspx
+  MINIDUMP_STREAM_TYPE = {
+         0 => :UnusedStream,
+         1 => :ReservedStream0,
+         2 => :ReservedStream1,
+         3 => :ThreadListStream,
+         4 => :ModuleListStream,
+         5 => :MemoryListStream,
+         6 => :ExceptionStream,
+         7 => :SystemInfoStream,
+         8 => :ThreadExListStream,
+         9 => :Memory64ListStream,           # MINIDUMP_MEMORY64_LIST
+        10 => :CommentStreamA,
+        11 => :CommentStreamW,
+        12 => :HandleDataStream,
+        13 => :FunctionTableStream,
+        14 => :UnloadedModuleListStream,
+        15 => :MiscInfoStream,
+        16 => :MemoryInfoListStream,         # MINIDUMP_MEMORY_INFO_LIST
+        17 => :ThreadInfoListStream,
+        18 => :HandleOperationListStream,
+    0xffff => :LastReservedStream
+  }
+
+  class Loader
+    class Minidump
+      attr_accessor :hdr, :streams, :io
+
+      def initialize io
+        @io = io
+        @hdr = MINIDUMP_HEADER.read(@io)
+        raise "invalid minidump" unless @hdr.valid?
+      end
+
+      def streams
+        @streams ||=
+          begin
+            @io.seek(@hdr.StreamDirectoryRva)
+            @hdr.NumberOfStreams.times.map do
+              dir = MINIDUMP_DIRECTORY.read(io)
+              dir.Location.empty? ? nil : dir
+            end.compact
+          end
+      end
+
+      def memory_info_list
+        # MINIDUMP_MEMORY_INFO_LIST
+        stream = streams.find{ |s| s.StreamType == 16 }
+        return nil unless stream
+        io.seek stream.Location.Rva
+        MINIDUMP_MEMORY_INFO_LIST.read io
+      end
+
+      def memory_list
+        # MINIDUMP_MEMORY64_LIST
+        stream = streams.find{ |s| s.StreamType == 9 }
+        return nil unless stream
+        io.seek stream.Location.Rva
+        MINIDUMP_MEMORY64_LIST.read io
+      end
+
+      MemoryRange = Struct.new :file_offset, :va, :size
+
+      # set options[:merge] = true to merge adjacent memory ranges
+      def memory_ranges options = {}
+        ml = memory_list
+        file_offset = ml.BaseRva
+        r = []
+        if options[:merge]
+          ml.entries.each do |x|
+            if r.last && r.last.va + r.last.size == x.StartOfMemoryRange
+              # if section VA == prev_section.VA + prev_section.SIZE
+              # then just increase the size of previous section
+              r.last.size += x.DataSize
+            else
+              r << MemoryRange.new( file_offset, x.StartOfMemoryRange, x.DataSize )
+            end
+            file_offset += x.DataSize
+          end
+        else
+          ml.entries.each do |x|
+            r << MemoryRange.new( file_offset, x.StartOfMemoryRange, x.DataSize )
+            file_offset += x.DataSize
+          end
+        end
+        r
+      end
+
+    end # class Minidump
+  end # class Loader
+end # module PEdump
+
+##############################################
+
+if $0 == __FILE__
+  require 'pp'
+
+  raise "gimme a fname" if ARGV.empty?
+  io = open(ARGV.first,"rb")
+
+  md = PEdump::Loader::Minidump.new io
+  pp md.hdr
+  puts
+  puts "[.] #{md.memory_ranges.size} memory ranges"
+  puts "[.] #{md.memory_ranges(:merge => true).size} merged memory ranges"
+  puts
+
+#  pp md.memory_info_list
+#  pp md.memory_list
+
+  md.memory_ranges(:merge => true).each do |mr|
+    printf "[.] %8x %8x %8x\n", mr.file_offset, mr.va, mr.size
+  end
+end

data/lib/pedump/loader/section.rb

@@ -0,0 +1,57 @@
+class PEdump::Loader
+  class Section
+    attr_accessor :hdr
+    attr_writer :data
+
+    EMPTY_DATA = ''.force_encoding('binary')
+
+    def initialize x = nil, args = {}
+      if x.is_a?(PEdump::IMAGE_SECTION_HEADER)
+        @hdr = x.dup
+      end
+      @data = EMPTY_DATA.dup
+      @deferred_load_io   = args[:deferred_load_io]
+      @deferred_load_pos  = args[:deferred_load_pos]  || (@hdr && @hdr.PointerToRawData)
+      @deferred_load_size = args[:deferred_load_size] || (@hdr && @hdr.SizeOfRawData)
+      @image_base = args[:image_base] || 0
+    end
+
+    def name;  @hdr.Name; end
+    def va  ;  @hdr.VirtualAddress + @image_base; end
+    def rva ;  @hdr.VirtualAddress; end
+    def vsize; @hdr.VirtualSize; end
+    def flags; @hdr.Characteristics; end
+    def flags= f; @hdr.Characteristics= f; end
+
+    def data
+      if @data.empty? && @deferred_load_io && @deferred_load_pos && @deferred_load_size.to_i > 0
+        begin
+          old_pos = @deferred_load_io.tell
+          @deferred_load_io.seek @deferred_load_pos
+          @data = @deferred_load_io.binmode.read(@deferred_load_size) || EMPTY_DATA.dup
+        ensure
+          if @deferred_load_io && old_pos
+            @deferred_load_io.seek old_pos
+            @deferred_load_io = nil # prevent read only on 1st access to data
+          end
+        end
+      end
+      @data
+    end
+
+    def range
+      va...(va+vsize)
+    end
+
+    def inspect
+      r = "#<Section"
+      r << (" name=%-10s" % name.inspect) if name
+      r << " va=%8x vsize=%8x rawsize=%8s" % [
+        va, vsize,
+        @data.size > 0 ? @data.size.to_s(16) : (@deferred_load_io ? "<defer>" : 0)
+      ]
+      r << (" dlpos=%8x" % @deferred_load_pos) if @deferred_load_pos
+      r << ">"
+    end
+  end
+end

data/lib/pedump/logger.rb

@@ -0,0 +1,67 @@
+require 'awesome_print' # for colored tty logging
+
+class PEdump
+  class Logger < ::Logger
+    def initialize *args
+      super
+      @formatter = proc do |severity,_,_,msg|
+        # quick and dirty way to remove duplicate messages
+        if @prevmsg == msg && severity != 'DEBUG' && severity != 'INFO'
+          ''
+        else
+          @prevmsg = msg
+          "#{msg}\n"
+        end
+      end
+      @level = WARN
+    end
+  end
+
+  def Logger.create params
+    logger =
+      if params[:logger]
+        params[:logger]
+      else
+        logdev = params[:logdev] || STDERR
+        logger_class =
+          if params.key?(:color)
+            # forced color or not
+            params[:color] ? ColoredLogger : Logger
+          else
+            # set color if logdev is TTY
+            (logdev.respond_to?(:tty?) && logdev.tty?) ? ColoredLogger : Logger
+          end
+        logger_class.new(logdev)
+      end
+
+    logger.level = params[:log_level] if params[:log_level]
+    logger
+  end
+
+  class ColoredLogger < ::Logger
+    def initialize *args
+      super
+      @formatter = proc do |severity,_,_,msg|
+        # quick and dirty way to remove duplicate messages
+        if @prevmsg == msg && severity != 'DEBUG' && severity != 'INFO'
+          ''
+        else
+          @prevmsg = msg
+          color =
+            case severity
+            when 'FATAL'
+              :redish
+            when 'ERROR'
+              :red
+            when 'WARN'
+              :yellowish
+            when 'DEBUG'
+              :gray
+            end
+          "#{color ? msg.send(color) : msg}\n"
+        end
+      end
+      @level = WARN
+    end
+  end
+end

data/lib/pedump/ne.rb

@@ -0,0 +1,425 @@
+class PEdump
+  # from wine's winnt.h
+  class NE < IOStruct.new 'a2CCvvVv4VVv8Vv3CCv4',
+    :ne_magic,             # 00 NE signature 'NE'
+    :ne_ver,               # 02 Linker version number
+    :ne_rev,               # 03 Linker revision number
+    :ne_enttab,            # 04 Offset to entry table relative to NE
+    :ne_cbenttab,          # 06 Length of entry table in bytes
+    :ne_crc,               # 08 Checksum
+    :ne_flags,             # 0c Flags about segments in this file
+    :ne_autodata,          # 0e Automatic data segment number
+    :ne_heap,              # 10 Initial size of local heap
+    :ne_stack,             # 12 Initial size of stack
+    :ne_csip,              # 14 Initial CS:IP
+    :ne_sssp,              # 18 Initial SS:SP
+    :ne_cseg,              # 1c # of entries in segment table
+    :ne_cmod,              # 1e # of entries in module reference tab.
+    :ne_cbnrestab,         # 20 Length of nonresident-name table
+    :ne_segtab,            # 22 Offset to segment table
+    :ne_rsrctab,           # 24 Offset to resource table
+    :ne_restab,            # 26 Offset to resident-name table
+    :ne_modtab,            # 28 Offset to module reference table
+    :ne_imptab,            # 2a Offset to imported name table
+    :ne_nrestab,           # 2c Offset to nonresident-name table
+    :ne_cmovent,           # 30 # of movable entry points
+    :ne_align,             # 32 Logical sector alignment shift count
+    :ne_cres,              # 34 # of resource segments
+    :ne_exetyp,            # 36 Flags indicating target OS
+    :ne_flagsothers,       # 37 Additional information flags
+    :ne_pretthunks,        # 38 Offset to return thunks
+    :ne_psegrefbytes,      # 3a Offset to segment ref. bytes
+    :ne_swaparea,          # 3c Reserved by Microsoft
+    :ne_expver             # 3e Expected Windows version number
+
+    attr_accessor :io, :offset
+
+    DEFAULT_CP = 1252
+
+    def self.cp
+      @@cp || DEFAULT_CP
+    end
+
+    def self.cp= cp
+      @@cp = cp
+    end
+
+    def self.read io, *args
+      self.cp = DEFAULT_CP
+      offset = io.tell
+      super.tap do |x|
+        x.io, x.offset = io, offset
+      end
+    end
+
+    class Segment < IOStruct.new 'v4',
+      :offset, :size, :flags, :min_alloc_size,
+      # manual:
+      :file_offset, :relocs
+
+      FLAG_RELOCINFO = 0x100
+
+      def data?
+        flags & 1 == 1
+      end
+
+      def code?
+        !data?
+      end
+
+      def flags_desc
+        r = code? ? 'CODE' : 'DATA'
+        r << ' ALLOC' if flags & 2 != 0
+        r << ' LOADED' if flags & 4 != 0
+        r << ((flags & 0x10 != 0) ? ' MOVABLE' : ' FIXED')
+        r << ((flags & 0x20 != 0) ? ' PURE' : '')
+        r << ((flags & 0x40 != 0) ? ' PRELOAD' : '')
+        if code?
+          r << ((flags & 0x80 != 0) ? ' EXECUTEONLY' : '')
+        else
+          r << ((flags & 0x80 != 0) ? ' READONLY' : '')
+        end
+        r << ((flags & FLAG_RELOCINFO != 0) ? ' RELOCINFO' : '')
+        r << ((flags & 0x200 != 0) ? ' DBGINFO' : '')
+        r << ((flags & 0x1000 != 0) ? ' DISCARD' : '')
+        r
+      end
+    end
+
+    class Reloc < IOStruct.new 'CCvvv',
+      :source, :type,
+      :offset,           # offset of the relocation item within the segment
+
+      # If the relocation type is imported ordinal,
+      # the fifth and sixth bytes specify an index to a module's reference table and
+      # the seventh and eighth bytes specify a function ordinal value.
+
+      # If the relocation type is imported name,
+      # the fifth and sixth bytes specify an index to a module's reference table and
+      # the seventh and eighth bytes specify an offset to an imported-name table.
+
+      :module_idx,
+      :func_idx
+
+      TYPE_IMPORTORDINAL = 1
+      TYPE_IMPORTNAME    = 2
+    end
+
+    def segments io=@io
+      @segments ||= io &&
+        begin
+          io.seek ne_segtab+@offset
+          ne_cseg.times.map{ Segment.read(io) }.each do |seg|
+            seg.file_offset = seg.offset << ne_align
+            seg.relocs = []
+            if (seg.flags & Segment::FLAG_RELOCINFO) != 0
+              io.seek seg.file_offset + seg.size
+              nRelocs = io.read(2).unpack('v').first
+              seg.relocs = nRelocs.times.map{ Reloc.read(io) }
+            end
+          end
+        end
+    end
+
+    class ResourceGroup < IOStruct.new 'vvV',
+      :type_id, :count, :reserved,
+      # manual:
+      :type, :children
+
+      def self.read io
+        super.tap do |g|
+          if g.type_id.to_i == 0
+            # type_id = 0 means end of resource groups
+            return nil
+          else
+            # read only if type_id is non-zero,
+            g.children = []
+            g.count.times do
+              break if io.eof?
+              g.children << ResourceInfo.read(io)
+            end
+          end
+        end
+      end
+    end
+
+    class ResourceInfo < IOStruct.new 'v4V',
+      :offset, :size, :flags, :name_offset, :reserved,
+      # manual:
+      :name
+    end
+
+    class Resource < PEdump::Resource
+      # NE strings use 8-bit characters
+      def parse f, h={}
+        self.data = []
+        case type
+        when 'STRING'
+          f.seek file_offset
+          16.times do
+            break if f.tell >= file_offset+self.size
+            nChars = f.getc.ord
+            t =
+              if nChars + 1 > self.size
+                # TODO: if it's not 1st string in table then truncated size must be less
+                PEdump.logger.error "[!] string size(#{nChars*2}) > stringtable size(#{self.size}). truncated to #{self.size-2}"
+                f.read(self.size-1)
+              else
+                f.read(nChars)
+              end
+            data <<
+              begin
+                t.force_encoding("CP#{h[:cp]}").encode!('UTF-8')
+              rescue
+                t.force_encoding('ASCII')
+              end
+          end
+        when 'VERSION'
+          f.seek file_offset
+          data << PEdump::NE::VS_VERSIONINFO.read(f)
+        else
+          super(f)
+        end
+      end
+    end
+
+    def _id2string id, io, res_base
+      if id & 0x8000 == 0
+        # offset to name
+        io.seek id + res_base
+        namesize = (io.getc || 0.chr).ord
+        io.read(namesize)
+      else
+        # numerical id
+        "##{id & 0x7fff}"
+      end
+    end
+
+    def resource_directory io=@io
+      @resource_directory ||=
+        begin
+          res_base = ne_rsrctab+@offset
+          io.seek res_base
+          res_shift = io.read(2).unpack('v').first
+          unless (0..16).include?(res_shift)
+            PEdump.logger.error "[!] invalid res_shift = %d" % res_shift
+            return []
+          end
+          PEdump.logger.info "[.] res_shift = %d" % res_shift
+          r = []
+          while !io.eof? && (g = ResourceGroup.read(io))
+            r << g
+          end
+          r.each do |g|
+            g.type = (g.type_id & 0x8000 != 0) && PEdump::ROOT_RES_NAMES[g.type_id & 0x7fff]
+            g.type ||= _id2string( g.type_id, io, res_base)
+            g.children.each do |res|
+              res.name = _id2string(res.name_offset, io, res_base)
+              res.offset ||= 0
+              res.offset <<= res_shift
+              res.size   ||= 0
+              res.size   <<= res_shift
+            end
+          end
+          r
+        end
+    end
+
+    def _detect_codepage a, io=@io
+      a.find_all{ |res| res.type == 'VERSION' }.each do |res|
+        res.parse(io)
+        res.data.each do |vi|
+          if vi.respond_to?(:Children) && vi.Children.respond_to?(:each)
+            # vi is PEdump::NE::VS_VERSIONINFO
+            vi.Children.each do |vfi|
+              if vfi.is_a?(PEdump::NE::VarFileInfo) && vfi.Children.is_a?(PEdump::NE::Var)
+                var = vfi.Children
+                # var is PEdump::NE::Var
+                if var.respond_to?(:Value) && var.Value.is_a?(Array) && var.Value.size == 2
+                  return var.Value.last
+                end
+              end
+            end
+          end
+        end
+      end
+      nil
+    end
+
+    def resources io=@io
+      a = []
+      resource_directory(io).each do |grp|
+        grp.children.each do |res|
+          a << (r = Resource.new)
+          r.id   = (res.name_offset & 0x7fff) if (res.name_offset & 0x8000) != 0
+          r.type = grp.type
+          r.size = res.size
+          r.name = res.name
+          r.file_offset = res.offset
+          r.reserved = res.reserved
+        end
+      end
+
+      # try to detect codepage
+      cp = _detect_codepage(a, io)
+      if cp
+        PEdump::NE.cp = cp # XXX HACK
+        PEdump.logger.info "[.] detect_codepage: #{cp.inspect}"
+      else
+        cp = DEFAULT_CP
+        PEdump.logger.info "[.] detect_codepage failed, using default #{cp}"
+      end
+
+      a.each{ |r| r.parse(io, :cp => cp) }
+      a
+    end
+
+    def imports io=@io
+      @imports ||=
+        begin
+          io.seek @offset+ne_modtab
+          modules = io.read(2*ne_cmod).unpack('v*')
+          modules.map! do |ofs|
+            io.seek @offset+ne_imptab+ofs
+            namelen = io.getc.ord
+            io.read(namelen)
+          end
+
+          r = []
+          segments(io).each do |seg|
+            seg.relocs.each do |rel|
+              if rel.type == Reloc::TYPE_IMPORTORDINAL
+                r << (f = PEdump::ImportedFunction.new)
+                f.module_name = modules[rel.module_idx-1]
+                f.ordinal = rel.func_idx
+              elsif rel.type == Reloc::TYPE_IMPORTNAME
+                r << (f = PEdump::ImportedFunction.new)
+                f.module_name = modules[rel.module_idx-1]
+                io.seek @offset+ne_imptab+rel.func_idx
+                namelen = io.getc.ord
+                f.name = io.read(namelen)
+              end
+            end
+          end
+          r
+        end
+    end
+
+    # first string with ordinal 0 is a module name
+    def exports io=@io
+      exp_dir = IMAGE_EXPORT_DIRECTORY.new
+      exp_dir.functions = []
+
+      io.seek @offset+ne_restab
+      while !io.eof && (namelen = io.getc.ord) > 0
+        exp_dir.functions << ExportedFunction.new( io.read(namelen), io.read(2).unpack('v').first, 0 )
+      end
+      exp_dir.name = exp_dir.functions.shift.name if exp_dir.functions.any?
+
+      a = []
+      io.seek ne_nrestab
+      while !io.eof && (namelen = io.getc.ord) > 0
+        a << ExportedFunction.new( io.read(namelen), io.read(2).unpack('v').first, 0 )
+      end
+      exp_dir.description = a.shift.name if a.any?
+      exp_dir.functions += a
+
+      exp_dir.functions.each do |f|
+        f.va = entrypoints[f.ord]
+      end
+
+      exp_dir
+    end
+
+    # The entry-table data is organized by bundle, each of which begins with a 2-byte header.
+    # The first byte of the header specifies the number of entries in the bundle ( 0 = end of the table).
+    # The second byte specifies whether the corresponding segment is movable or fixed.
+    #   0xFF = the segment is movable.
+    #   0xFE = the entry does not refer to a segment but refers to a constant defined within the module.
+    #   else it is a segment index.
+
+    class Bundle < IOStruct.new 'CC', :num_entries, :seg_idx,
+      :entries # manual
+
+      FixedEntry   = IOStruct.new 'Cv',   :flag, :offset
+      MovableEntry = IOStruct.new 'CvCv', :flag, :int3F, :seg_idx, :offset
+
+      def movable?
+        seg_idx == 0xff
+      end
+
+      def self.read io
+        super.tap do |bundle|
+          return nil if bundle.num_entries == 0
+          if bundle.num_entries == 0
+            @@eob ||= 0
+            @@eob += 1
+            return nil if @@eob == 2
+          end
+          bundle.entries = bundle.seg_idx == 0 ? [] :
+            if bundle.movable?
+              bundle.num_entries.times.map{ MovableEntry.read(io) }
+            else
+              bundle.num_entries.times.map{ FixedEntry.read(io) }
+            end
+        end
+      end
+    end
+
+    def bundles io=@io
+      io.seek @offset+ne_enttab
+      bundles = []
+      while bundle = Bundle.read(io)
+        bundles << bundle
+      end
+      bundles
+    end
+
+    def entrypoints io=@io
+      @entrypoints ||=
+        begin
+          r = [0] # entrypoint indexes are 1-based
+          bundles(io).each do |b|
+            if b.entries.empty?
+              b.num_entries.times{ r<<0 }
+            else
+              b.entries.each do |e|
+                if e.is_a?(Bundle::MovableEntry)
+                  r << (e.seg_idx<<16) + e.offset
+                elsif e.is_a?(Bundle::FixedEntry)
+                  r << (b.seg_idx<<16) + e.offset
+                else
+                  raise "invalid ep #{e.inspect}"
+                end
+              end
+            end
+          end
+          r
+        end
+    end
+  end
+
+  def ne f=@io
+    return @ne if defined?(@ne)
+    @ne ||=
+      begin
+        ne_offset = mz(f) && mz(f).lfanew
+        if ne_offset.nil?
+          logger.fatal "[!] NULL NE offset (e_lfanew)."
+          nil
+        elsif ne_offset > f.size
+          logger.fatal "[!] NE offset beyond EOF."
+          nil
+        else
+          f.seek ne_offset
+          if f.read(2) == 'NE'
+            f.seek ne_offset
+            NE.read f
+          else
+            nil
+          end
+        end
+      end
+  end
+
+end