pedump 0.4.0

data/lib/pedump/version.rb

@@ -0,0 +1,10 @@
+class PEdump
+  module Version
+    MAJOR = 0
+    MINOR = 4
+    PATCH = 0
+    BUILD = nil
+
+    STRING = [MAJOR, MINOR, PATCH, BUILD].compact.join('.')
+  end
+end

data/lib/pedump/version_info.rb

@@ -0,0 +1,166 @@
+class PEdump
+  class VS_VERSIONINFO < PEdump.create_struct( 'v3a32v',
+    :wLength,
+    :wValueLength,
+    :wType,
+    :szKey,          # The Unicode string L"VS_VERSION_INFO".
+    :Padding1,
+    # manual:
+    :Value,          # VS_FIXEDFILEINFO
+    :Padding2,
+    :Children
+  )
+    def self.read f, size = SIZE
+      super.tap do |vi|
+        vi.szKey.force_encoding('UTF-16LE').encode!('UTF-8').sub!(/\u0000$/,'') rescue nil
+        vi.Padding1 = f.tell%4 > 0 ? f.read(4 - f.tell%4) : nil
+        vi.Value = VS_FIXEDFILEINFO.read(f,vi.wValueLength)
+        # As many zero words as necessary to align the Children member on a 32-bit boundary.
+        # These bytes are not included in wValueLength. This member is optional.
+        vi.Padding2 = f.tell%4 > 0 ? f.read(4 - f.tell%4) : nil
+        vi.Children = [] # An array of zero or one StringFileInfo structures,
+                         # and zero or one VarFileInfo structures
+
+        2.times do
+          pos = f.tell
+          f.seek(pos+6)  # seek 6 bytes forward
+          t = f.read(6)
+          f.seek(pos)    # return back
+          case t
+          when "V\x00a\x00r\x00"
+            vi.Children << VarFileInfo.read(f)
+          when "S\x00t\x00r\x00"
+            vi.Children << StringFileInfo.read(f)
+          else
+            PEdump.logger.warn "[?] invalid VS_VERSIONINFO child type #{t.inspect}"
+            break
+          end
+        end
+      end
+    end
+  end
+
+  class VS_FIXEDFILEINFO < PEdump.create_struct( 'V13',
+    :dwSignature,
+    :dwStrucVersion,
+    :dwFileVersionMS,
+    :dwFileVersionLS,
+    :dwProductVersionMS,
+    :dwProductVersionLS,
+    :dwFileFlagsMask,
+    :dwFileFlags,
+    :dwFileOS,
+    :dwFileType,
+    :dwFileSubtype,
+    :dwFileDateMS,
+    :dwFileDateLS,
+    # manual:
+    :valid
+  )
+    def self.read f, size = SIZE
+      super.tap do |ffi|
+        ffi.valid = (ffi.dwSignature == 0xFEEF04BD)
+      end
+    end
+  end
+
+  class StringFileInfo < PEdump.create_struct( 'v3a30',
+    :wLength,
+    :wValueLength,  # always 0
+    :wType,         # 1 => text data, 0 => binary data
+    :szKey,         # The Unicode string L"StringFileInfo"
+    :Padding,       # As many zero words as necessary to align the Children member on a 32-bit boundary
+    :Children       # An array of one or more StringTable structures
+  )
+    def self.read f, size = SIZE
+      pos0 = f.tell
+      super.tap do |x|
+        x.szKey.force_encoding('UTF-16LE').encode!('UTF-8').sub!(/\u0000$/,'') rescue nil
+        x.Padding = f.tell%4 > 0 ? f.read(4 - f.tell%4) : nil
+        x.Children = []
+        while !f.eof? && f.tell < pos0+x.wLength
+          x.Children << StringTable.read(f)
+        end
+      end
+    end
+  end
+
+  class StringTable < PEdump.create_struct( 'v3a16v',
+    :wLength,       # The length, in bytes, of this StringTable structure,
+                    # including all structures indicated by the Children member.
+    :wValueLength,  # always 0
+    :wType,         # 1 => text data, 0 => binary data
+    :szKey,         # An 8-digit hexadecimal number stored as a Unicode string
+    :Padding,       # As many zero words as necessary to align the Children member on a 32-bit boundary
+    :Children       # An array of one or more String structures.
+  )
+    def self.read f, size = SIZE
+      pos0 = f.tell
+      super.tap do |x|
+        x.szKey.force_encoding('UTF-16LE').encode!('UTF-8').sub!(/\u0000$/,'') rescue nil
+        x.Padding = f.tell%4 > 0 ? f.read(4 - f.tell%4) : nil
+        x.Children = []
+        while !f.eof? && f.tell < pos0+x.wLength
+          x.Children << VersionString.read(f)
+        end
+      end
+    end
+  end
+
+  class VersionString < PEdump.create_struct( 'v3',
+    :wLength,       # The length, in bytes, of this String structure.
+    :wValueLength,  # The size, in words, of the Value member
+    :wType,         # 1 => text data, 0 => binary data
+    :szKey,         # An arbitrary Unicode string
+    :Padding,       # As many zero words as necessary to align the Value member on a 32-bit boundary
+    :Value          # A zero-terminated string. See the szKey member description for more information
+  )
+    def self.read f, size = SIZE
+      super.tap do |x|
+        x.szKey   = ''
+        x.szKey << f.read(2) until x.szKey[-2..-1] == "\x00\x00" || f.eof?
+        x.Padding = f.tell%4 > 0 ? f.read(4 - f.tell%4) : nil
+        x.Value   = f.read(x.wValueLength*2)
+        if f.tell%4 > 0
+          f.read(4-f.tell%4) # undoc padding?
+        end
+        x.szKey.force_encoding('UTF-16LE').encode!('UTF-8').sub!(/\u0000$/,'') rescue nil
+        x.Value.force_encoding('UTF-16LE').encode!('UTF-8').sub!(/\u0000$/,'') rescue nil
+      end
+    end
+  end
+
+  class VarFileInfo < PEdump.create_struct( 'v3a24v',
+    :wLength,
+    :wValueLength,  # always 0
+    :wType,         # 1 => text data, 0 => binary data
+    :szKey,         # The Unicode string L"VarFileInfo"
+    :Padding,       # As many zero words as necessary to align the Children member on a 32-bit boundary
+    :Children       # Typically contains a list of languages that the application or DLL supports
+  )
+    def self.read f, size = SIZE
+      super.tap do |x|
+        x.szKey.force_encoding('UTF-16LE').encode!('UTF-8').sub!(/\u0000$/,'') rescue nil
+        x.Padding = f.tell%4 > 0 ? f.read(4 - f.tell%4) : nil
+        x.Children = Var.read(f)
+      end
+    end
+  end
+
+  class Var < PEdump.create_struct( 'v3a24',
+    :wLength,
+    :wValueLength,  # The length, in bytes, of the Value member
+    :wType,         # 1 => text data, 0 => binary data
+    :szKey,         # The Unicode string L"Translation"
+    :Padding,       # As many zero words as necessary to align the Children member on a 32-bit boundary
+    :Value          # An array of one or more values that are language and code page identifier pairs
+  )
+    def self.read f, size = SIZE
+      super.tap do |x|
+        x.szKey.force_encoding('UTF-16LE').encode!('UTF-8').sub!(/\u0000$/,'') rescue nil
+        x.Padding = f.tell%4 > 0 ? f.read(4 - f.tell%4) : nil
+        x.Value = f.read(x.wValueLength).unpack('v*')
+      end
+    end
+  end
+end

data/pedump.gemspec

@@ -0,0 +1,87 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = "pedump"
+  s.version = "0.4.0"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Andrey \"Zed\" Zaikin"]
+  s.date = "2011-12-17"
+  s.description = "dump headers, sections, extract resources of win32 PE exe,dll,etc"
+  s.email = "zed.0xff@gmail.com"
+  s.executables = ["pedump"]
+  s.extra_rdoc_files = [
+    "LICENSE.txt",
+    "README.md",
+    "README.md.tpl"
+  ]
+  s.files = [
+    ".document",
+    ".rspec",
+    "Gemfile",
+    "Gemfile.lock",
+    "LICENSE.txt",
+    "README.md",
+    "README.md.tpl",
+    "Rakefile",
+    "VERSION",
+    "bin/pedump",
+    "data/fs.txt",
+    "data/sig.bin",
+    "data/signatures.txt",
+    "data/userdb.txt",
+    "lib/pedump.rb",
+    "lib/pedump/cli.rb",
+    "lib/pedump/packer.rb",
+    "lib/pedump/sig_parser.rb",
+    "lib/pedump/version.rb",
+    "lib/pedump/version_info.rb",
+    "pedump.gemspec",
+    "samples/calc.7z",
+    "samples/zlib.dll",
+    "spec/pedump_spec.rb",
+    "spec/resource_spec.rb",
+    "spec/sig_all_packers_spec.rb",
+    "spec/sig_spec.rb",
+    "spec/spec_helper.rb"
+  ]
+  s.homepage = "http://github.com/zed-0xff/pedump"
+  s.licenses = ["MIT"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = "1.8.10"
+  s.summary = "dump win32 PE executable files with a pure ruby"
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<multipart-post>, ["~> 1.1.4"])
+      s.add_runtime_dependency(%q<progressbar>, ["~> 0.9.2"])
+      s.add_development_dependency(%q<rspec>, ["~> 2.3.0"])
+      s.add_development_dependency(%q<bundler>, ["~> 1.0.0"])
+      s.add_development_dependency(%q<jeweler>, ["~> 1.6.4"])
+      s.add_development_dependency(%q<rcov>, [">= 0"])
+      s.add_development_dependency(%q<awesome_print>, [">= 0"])
+    else
+      s.add_dependency(%q<multipart-post>, ["~> 1.1.4"])
+      s.add_dependency(%q<progressbar>, ["~> 0.9.2"])
+      s.add_dependency(%q<rspec>, ["~> 2.3.0"])
+      s.add_dependency(%q<bundler>, ["~> 1.0.0"])
+      s.add_dependency(%q<jeweler>, ["~> 1.6.4"])
+      s.add_dependency(%q<rcov>, [">= 0"])
+      s.add_dependency(%q<awesome_print>, [">= 0"])
+    end
+  else
+    s.add_dependency(%q<multipart-post>, ["~> 1.1.4"])
+    s.add_dependency(%q<progressbar>, ["~> 0.9.2"])
+    s.add_dependency(%q<rspec>, ["~> 2.3.0"])
+    s.add_dependency(%q<bundler>, ["~> 1.0.0"])
+    s.add_dependency(%q<jeweler>, ["~> 1.6.4"])
+    s.add_dependency(%q<rcov>, [">= 0"])
+    s.add_dependency(%q<awesome_print>, [">= 0"])
+  end
+end
+

data/spec/pedump_spec.rb

@@ -0,0 +1,7 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+describe "Pedump" do
+#  it "fails" do
+#    fail "hey buddy, you should probably rename this file and start specing for real"
+#  end
+end

data/spec/resource_spec.rb

@@ -0,0 +1,13 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
+
+describe 'PEdump' do
+  it "should get all resources" do
+    fname = File.expand_path(File.dirname(__FILE__) + '/../samples/calc.exe')
+    File.open(fname,"rb") do |f|
+      @pedump = PEdump.new(fname)
+      @resources = @pedump.resources(f)
+    end
+    @resources.size.should == 71
+  end
+end

data/spec/sig_all_packers_spec.rb

@@ -0,0 +1,14 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump/packer')
+
+describe "PEdump::Packer" do
+  describe "matchers" do
+    PEdump::SigParser.parse(:raw => true).each do |sig|
+      data = sig.re.join
+      next if data == "This program cannot be run in DOS mo"
+      it "should find #{sig.name}" do
+        PEdump::Packer.of(data).map(&:name).should include(sig.name)
+      end
+    end
+  end
+end

data/spec/sig_spec.rb

@@ -0,0 +1,63 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump/packer')
+
+describe "PEdump::Packer" do
+  it "should have enough signatures" do
+    PEdump::Packer.count.should > 1000
+  end
+
+  it "should not match" do
+    maxlen = PEdump::Packer.map(&:size).max
+    s = 'x'*maxlen
+    PEdump::Packer.of_data(s).should be_nil
+  end
+
+  it "should parse" do
+    a = PEdump::SigParser.parse
+    a.should be_instance_of(Array)
+    a.map(&:class).uniq.should == [PEdump::Packer]
+  end
+
+  it "should not react to DOS signature" do
+    data = "This program cannot be run in DOS mode"
+    PEdump::Packer.of(data).should be_nil
+  end
+
+  it "should match sigs" do
+    n = 0
+    File.open('data/signatures.txt', 'r:cp1252') do |f|
+      while row = f.gets
+        row.strip!
+        next unless row =~ /^\[(.*)=(.*)\]$/
+        s = ''
+        title,hexstring = $1,$2
+        (hexstring.size/2).times do |i|
+          c = hexstring[i*2,2]
+          if c == '::'
+            s << '.'
+          else
+            s << c.to_i(16).chr
+          end
+        end
+        packers = PEdump::Packer.of(s)
+        if packers
+          names = packers.map(&:name)
+          next if names.any? do |name|
+            a = name.upcase.tr('V','')
+            b = title.upcase.tr('V','')
+            a[b] || b[a]
+          end
+#          puts "[.] #{title}"
+#          names.each do |x|
+#            puts "\t= #{x}"
+#          end
+        else
+          puts "[?] #{title}"
+          n += 1
+        end
+      end
+    end
+    #puts "[.] diff = #{n}"
+    n.should == 0
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,12 @@
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'rspec'
+require 'pedump'
+
+# Requires supporting files with custom matchers and macros, etc,
+# in ./support/ and its subdirectories.
+Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each {|f| require f}
+
+RSpec.configure do |config|
+  
+end

metadata

@@ -0,0 +1,157 @@
+--- !ruby/object:Gem::Specification
+name: pedump
+version: !ruby/object:Gem::Version
+  version: 0.4.0
+  prerelease: 
+platform: ruby
+authors:
+- Andrey "Zed" Zaikin
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2011-12-17 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: multipart-post
+  requirement: &70304131999160 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.1.4
+  type: :runtime
+  prerelease: false
+  version_requirements: *70304131999160
+- !ruby/object:Gem::Dependency
+  name: progressbar
+  requirement: &70304131998620 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.9.2
+  type: :runtime
+  prerelease: false
+  version_requirements: *70304131998620
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: &70304131998140 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.3.0
+  type: :development
+  prerelease: false
+  version_requirements: *70304131998140
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: &70304131997660 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.0.0
+  type: :development
+  prerelease: false
+  version_requirements: *70304131997660
+- !ruby/object:Gem::Dependency
+  name: jeweler
+  requirement: &70304131997180 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.6.4
+  type: :development
+  prerelease: false
+  version_requirements: *70304131997180
+- !ruby/object:Gem::Dependency
+  name: rcov
+  requirement: &70304131996680 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70304131996680
+- !ruby/object:Gem::Dependency
+  name: awesome_print
+  requirement: &70304131996200 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70304131996200
+description: dump headers, sections, extract resources of win32 PE exe,dll,etc
+email: zed.0xff@gmail.com
+executables:
+- pedump
+extensions: []
+extra_rdoc_files:
+- LICENSE.txt
+- README.md
+- README.md.tpl
+files:
+- .document
+- .rspec
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- README.md.tpl
+- Rakefile
+- VERSION
+- bin/pedump
+- data/fs.txt
+- data/sig.bin
+- data/signatures.txt
+- data/userdb.txt
+- lib/pedump.rb
+- lib/pedump/cli.rb
+- lib/pedump/packer.rb
+- lib/pedump/sig_parser.rb
+- lib/pedump/version.rb
+- lib/pedump/version_info.rb
+- pedump.gemspec
+- samples/calc.7z
+- samples/zlib.dll
+- spec/pedump_spec.rb
+- spec/resource_spec.rb
+- spec/sig_all_packers_spec.rb
+- spec/sig_spec.rb
+- spec/spec_helper.rb
+homepage: http://github.com/zed-0xff/pedump
+licenses:
+- MIT
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: 2685694954412936403
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.10
+signing_key: 
+specification_version: 3
+summary: dump win32 PE executable files with a pure ruby
+test_files: []