pedump 0.4.16 → 0.5.0

data/lib/pedump/loader/minidump.rb

@@ -0,0 +1,187 @@
+#!/usr/bin/env ruby
+
+require 'iostruct'
+
+class PEdump
+
+  # http://msdn.microsoft.com/en-us/library/windows/desktop/ms680378(v=vs.85).aspx
+  class MINIDUMP_HEADER < IOStruct.new 'a4LLLLLQ',
+    :Signature,
+    :Version,
+    :NumberOfStreams,
+    :StreamDirectoryRva,
+    :CheckSum,
+    :TimeDateStamp,
+    :Flags
+
+    def valid?
+      self.Signature == 'MDMP'
+    end
+  end
+
+  MINIDUMP_LOCATION_DESCRIPTOR = IOStruct.new 'LL', :DataSize, :Rva
+
+  class MINIDUMP_DIRECTORY < IOStruct.new 'L', :StreamType, :Location
+    def self.read io
+      r = super
+      r.Location = MINIDUMP_LOCATION_DESCRIPTOR.read(io)
+      r
+    end
+  end
+
+  MINIDUMP_MEMORY_INFO = IOStruct.new 'QQLLQLLLL',
+    :BaseAddress,
+    :AllocationBase,
+    :AllocationProtect,
+    :__alignment1,
+    :RegionSize,
+    :State,
+    :Protect,
+    :Type,
+    :__alignment2
+
+  class MINIDUMP_MEMORY_INFO_LIST < IOStruct.new 'LLQ',
+    :SizeOfHeader,
+    :SizeOfEntry,
+    :NumberOfEntries,
+    :entries
+
+    def self.read io
+      r = super
+      r.entries = r.NumberOfEntries.times.map{ MINIDUMP_MEMORY_INFO.read(io) }
+      r
+    end
+  end
+
+  MINIDUMP_MEMORY_DESCRIPTOR64 = IOStruct.new 'QQ',
+    :StartOfMemoryRange,
+    :DataSize
+
+  class MINIDUMP_MEMORY64_LIST < IOStruct.new 'QQ',
+    :NumberOfMemoryRanges,
+    :BaseRva,
+    :MemoryRanges
+
+    def self.read io
+      r = super
+      r.MemoryRanges = r.NumberOfMemoryRanges.times.map{ MINIDUMP_MEMORY_DESCRIPTOR64.read(io) }
+      r
+    end
+
+    def entries; self.MemoryRanges; end
+  end
+
+  # http://msdn.microsoft.com/en-us/library/windows/desktop/ms680394(v=vs.85).aspx
+  MINIDUMP_STREAM_TYPE = {
+         0 => :UnusedStream,
+         1 => :ReservedStream0,
+         2 => :ReservedStream1,
+         3 => :ThreadListStream,
+         4 => :ModuleListStream,
+         5 => :MemoryListStream,
+         6 => :ExceptionStream,
+         7 => :SystemInfoStream,
+         8 => :ThreadExListStream,
+         9 => :Memory64ListStream,           # MINIDUMP_MEMORY64_LIST
+        10 => :CommentStreamA,
+        11 => :CommentStreamW,
+        12 => :HandleDataStream,
+        13 => :FunctionTableStream,
+        14 => :UnloadedModuleListStream,
+        15 => :MiscInfoStream,
+        16 => :MemoryInfoListStream,         # MINIDUMP_MEMORY_INFO_LIST
+        17 => :ThreadInfoListStream,
+        18 => :HandleOperationListStream,
+    0xffff => :LastReservedStream
+  }
+
+  class Loader
+    class Minidump
+      attr_accessor :hdr, :streams, :io
+
+      def initialize io
+        @io = io
+        @hdr = MINIDUMP_HEADER.read(@io)
+        raise "invalid minidump" unless @hdr.valid?
+      end
+
+      def streams
+        @streams ||=
+          begin
+            @io.seek(@hdr.StreamDirectoryRva)
+            @hdr.NumberOfStreams.times.map do
+              dir = MINIDUMP_DIRECTORY.read(io)
+              dir.Location.empty? ? nil : dir
+            end.compact
+          end
+      end
+
+      def memory_info_list
+        # MINIDUMP_MEMORY_INFO_LIST
+        stream = streams.find{ |s| s.StreamType == 16 }
+        return nil unless stream
+        io.seek stream.Location.Rva
+        MINIDUMP_MEMORY_INFO_LIST.read io
+      end
+
+      def memory_list
+        # MINIDUMP_MEMORY64_LIST
+        stream = streams.find{ |s| s.StreamType == 9 }
+        return nil unless stream
+        io.seek stream.Location.Rva
+        MINIDUMP_MEMORY64_LIST.read io
+      end
+
+      MemoryRange = Struct.new :file_offset, :va, :size
+
+      # set options[:merge] = true to merge adjacent memory ranges
+      def memory_ranges options = {}
+        ml = memory_list
+        file_offset = ml.BaseRva
+        r = []
+        if options[:merge]
+          ml.entries.each do |x|
+            if r.last && r.last.va + r.last.size == x.StartOfMemoryRange
+              # if section VA == prev_section.VA + prev_section.SIZE
+              # then just increase the size of previous section
+              r.last.size += x.DataSize
+            else
+              r << MemoryRange.new( file_offset, x.StartOfMemoryRange, x.DataSize )
+            end
+            file_offset += x.DataSize
+          end
+        else
+          ml.entries.each do |x|
+            r << MemoryRange.new( file_offset, x.StartOfMemoryRange, x.DataSize )
+            file_offset += x.DataSize
+          end
+        end
+        r
+      end
+
+    end # class Minidump
+  end # class Loader
+end # module PEdump
+
+##############################################
+
+if $0 == __FILE__
+  require 'pp'
+
+  raise "gimme a fname" if ARGV.empty?
+  io = open(ARGV.first,"rb")
+
+  md = PEdump::Loader::Minidump.new io
+  pp md.hdr
+  puts
+  puts "[.] #{md.memory_ranges.size} memory ranges"
+  puts "[.] #{md.memory_ranges(:merge => true).size} merged memory ranges"
+  puts
+
+#  pp md.memory_info_list
+#  pp md.memory_list
+
+  md.memory_ranges(:merge => true).each do |mr|
+    printf "[.] %8x %8x %8x\n", mr.file_offset, mr.va, mr.size
+  end
+end

data/lib/pedump/loader/section.rb

@@ -13,10 +13,12 @@ class PEdump::Loader
       @deferred_load_io   = args[:deferred_load_io]
       @deferred_load_pos  = args[:deferred_load_pos]  || (@hdr && @hdr.PointerToRawData)
       @deferred_load_size = args[:deferred_load_size] || (@hdr && @hdr.SizeOfRawData)
+      @image_base = args[:image_base] || 0
     end
 
     def name;  @hdr.Name; end
-    def va  ;  @hdr.VirtualAddress; end
+    def va  ;  @hdr.VirtualAddress + @image_base; end
+    def rva ;  @hdr.VirtualAddress; end
     def vsize; @hdr.VirtualSize; end
     def flags; @hdr.Characteristics; end
     def flags= f; @hdr.Characteristics= f; end
@@ -42,10 +44,14 @@ class PEdump::Loader
     end
 
     def inspect
-      "#<Section name=%-10s va=%8x vsize=%8x rawsize=%8s>" % [
-        name.inspect, va, vsize,
+      r = "#<Section"
+      r << (" name=%-10s" % name.inspect) if name
+      r << " va=%8x vsize=%8x rawsize=%8s" % [
+        va, vsize,
         @data.size > 0 ? @data.size.to_s(16) : (@deferred_load_io ? "<defer>" : 0)
       ]
+      r << (" dlpos=%8x" % @deferred_load_pos) if @deferred_load_pos
+      r << ">"
     end
   end
 end

data/lib/pedump/ne.rb

@@ -1,6 +1,6 @@
 class PEdump
   # from wine's winnt.h
-  class NE < PEdump.create_struct 'a2CCvvVv4VVv8Vv3CCv4',
+  class NE < IOStruct.new 'a2CCvvVv4VVv8Vv3CCv4',
     :ne_magic,             # 00 NE signature 'NE'
     :ne_ver,               # 02 Linker version number
     :ne_rev,               # 03 Linker revision number
@@ -52,7 +52,7 @@ class PEdump
       end
     end
 
-    class Segment < PEdump.create_struct 'v4',
+    class Segment < IOStruct.new 'v4',
       :offset, :size, :flags, :min_alloc_size,
       # manual:
       :file_offset, :relocs
@@ -86,7 +86,7 @@ class PEdump
       end
     end
 
-    class Reloc < PEdump.create_struct 'CCvvv',
+    class Reloc < IOStruct.new 'CCvvv',
       :source, :type,
       :offset,           # offset of the relocation item within the segment
 
@@ -121,7 +121,7 @@ class PEdump
         end
     end
 
-    class ResourceGroup < PEdump.create_struct 'vvV',
+    class ResourceGroup < IOStruct.new 'vvV',
       :type_id, :count, :reserved,
       # manual:
       :type, :children
@@ -143,7 +143,7 @@ class PEdump
       end
     end
 
-    class ResourceInfo < PEdump.create_struct 'v4V',
+    class ResourceInfo < IOStruct.new 'v4V',
       :offset, :size, :flags, :name_offset, :reserved,
       # manual:
       :name
@@ -338,11 +338,11 @@ class PEdump
     #   0xFE = the entry does not refer to a segment but refers to a constant defined within the module.
     #   else it is a segment index.
 
-    class Bundle < PEdump.create_struct 'CC', :num_entries, :seg_idx,
+    class Bundle < IOStruct.new 'CC', :num_entries, :seg_idx,
       :entries # manual
 
-      FixedEntry   = PEdump.create_struct 'Cv',   :flag, :offset
-      MovableEntry = PEdump.create_struct 'CvCv', :flag, :int3F, :seg_idx, :offset
+      FixedEntry   = IOStruct.new 'Cv',   :flag, :offset
+      MovableEntry = IOStruct.new 'CvCv', :flag, :int3F, :seg_idx, :offset
 
       def movable?
         seg_idx == 0xff

data/lib/pedump/ne/version_info.rb

@@ -1,7 +1,7 @@
 class PEdump; end
 
 class PEdump::NE
-  class VS_VERSIONINFO < PEdump.create_struct( 'v2a16',
+  class VS_VERSIONINFO < IOStruct.new( 'v2a16',
     :wLength,
     :wValueLength,
     :szKey,          # ASCII string "VS_VERSION_INFO".
@@ -41,7 +41,7 @@ class PEdump::NE
     end
   end
 
-  class VS_FIXEDFILEINFO < PEdump.create_struct( 'V13',
+  class VS_FIXEDFILEINFO < IOStruct.new( 'V13',
     :dwSignature,
     :dwStrucVersion,
     :dwFileVersionMS,
@@ -65,7 +65,7 @@ class PEdump::NE
     end
   end
 
-  class StringFileInfo < PEdump.create_struct( 'v2a15',
+  class StringFileInfo < IOStruct.new( 'v2a15',
     :wLength,
     :wValueLength,  # always 0
     :szKey,         # The ASCII string "StringFileInfo"
@@ -85,7 +85,7 @@ class PEdump::NE
     end
   end
 
-  class StringTable < PEdump.create_struct( 'v2a9',
+  class StringTable < IOStruct.new( 'v2a9',
     :wLength,       # The length, in bytes, of this StringTable structure,
                     # including all structures indicated by the Children member.
     :wValueLength,  # always 0
@@ -106,7 +106,7 @@ class PEdump::NE
     end
   end
 
-  class VersionString < PEdump.create_struct( 'v2',
+  class VersionString < IOStruct.new( 'v2',
     :wLength,       # The length, in bytes, of this String structure.
     :wValueLength,  # The size, in words, of the Value member
     :szKey,         # An arbitrary ASCII string
@@ -137,7 +137,7 @@ class PEdump::NE
     end
   end
 
-  class VarFileInfo < PEdump.create_struct( 'v2a12',
+  class VarFileInfo < IOStruct.new( 'v2a12',
     :wLength,
     :wValueLength,  # always 0
     :szKey,         # The ASCII string "VarFileInfo"
@@ -153,7 +153,7 @@ class PEdump::NE
     end
   end
 
-  class Var < PEdump.create_struct( 'v2a12',
+  class Var < IOStruct.new( 'v2a12',
     :wLength,
     :wValueLength,  # The length, in bytes, of the Value member
     :szKey,         # The ASCII string "Translation"

data/lib/pedump/pe.rb

@@ -8,7 +8,9 @@ class PEdump
     :section_table
   )
     alias :ifh       :image_file_header
+    alias :ifh=      :image_file_header=
     alias :ioh       :image_optional_header
+    alias :ioh=      :image_optional_header=
     alias :sections  :section_table
     alias :sections= :section_table=
     def x64?

data/lib/pedump/resources.rb

@@ -236,7 +236,7 @@ class PEdump
 
   # see also http://www.informit.com/articles/article.aspx?p=1186882 about icons format
 
-  class BITMAPINFOHEADER < create_struct 'V3v2V6',
+  class BITMAPINFOHEADER < IOStruct.new 'V3v2V6',
     :biSize,          # BITMAPINFOHEADER::SIZE
     :biWidth,
     :biHeight,
@@ -255,13 +255,13 @@ class PEdump
   end
 
   # http://www.devsource.com/c/a/Architecture/Resources-From-PE-I/2/
-  CUR_ICO_HEADER = create_struct('v3',
+  CUR_ICO_HEADER = IOStruct.new('v3',
     :wReserved, # always 0
     :wResID,    # always 2
     :wNumImages # Number of cursor images/directory entries
   )
 
-  CURDIRENTRY = create_struct 'v4Vv',
+  CURDIRENTRY = IOStruct.new 'v4Vv',
     :wWidth,
     :wHeight, # Divide by 2 to get the actual height.
     :wPlanes,
@@ -269,9 +269,9 @@ class PEdump
     :dwBytesInImage,
     :wID
 
-  CURSOR_HOTSPOT = create_struct 'v2', :x, :y
+  CURSOR_HOTSPOT = IOStruct.new 'v2', :x, :y
 
-  ICODIRENTRY = create_struct 'C4v2Vv',
+  ICODIRENTRY = IOStruct.new 'C4v2Vv',
     :bWidth,
     :bHeight,
     :bColors,
@@ -286,14 +286,14 @@ class PEdump
     %w'MESSAGETABLE GROUP_CURSOR' + [nil] + %w'GROUP_ICON' + [nil] +
     %w'VERSION DLGINCLUDE' + [nil] + %w'PLUGPLAY VXD ANICURSOR ANIICON HTML MANIFEST'
 
-  IMAGE_RESOURCE_DIRECTORY_ENTRY = create_struct 'V2',
+  IMAGE_RESOURCE_DIRECTORY_ENTRY = IOStruct.new 'V2',
     :Name, :OffsetToData,
     :name, :data
 
-  IMAGE_RESOURCE_DATA_ENTRY = create_struct 'V4',
+  IMAGE_RESOURCE_DATA_ENTRY = IOStruct.new 'V4',
     :OffsetToData, :Size, :CodePage, :Reserved
 
-  IMAGE_RESOURCE_DIRECTORY = create_struct 'V2v4',
+  IMAGE_RESOURCE_DIRECTORY = IOStruct.new 'V2v4',
     :Characteristics, :TimeDateStamp, # 2dw
     :MajorVersion, :MinorVersion, :NumberOfNamedEntries, :NumberOfIdEntries, # 4w
     :entries # manual

data/lib/pedump/security.rb

@@ -27,7 +27,7 @@ class PEdump
   # WIN_CERT_TYPE_PKCS1_SIGN       (0x0009) bCertificate contains PKCS1_MODULE_SIGN fields.
 
   # http://msdn.microsoft.com/en-us/library/aa447037.aspx
-  class WIN_CERTIFICATE < create_struct 'Vvv',
+  class WIN_CERTIFICATE < IOStruct.new 'Vvv',
     :dwLength,
     :wRevision,
     :wCertificateType,

data/lib/pedump/tls.rb

@@ -1,5 +1,5 @@
 class PEdump
-  IMAGE_TLS_DIRECTORY32 = create_struct 'V6',
+  IMAGE_TLS_DIRECTORY32 = IOStruct.new 'V6',
     :StartAddressOfRawData,
     :EndAddressOfRawData,
     :AddressOfIndex,
@@ -7,7 +7,7 @@ class PEdump
     :SizeOfZeroFill,
     :Characteristics
 
-  IMAGE_TLS_DIRECTORY64 = create_struct 'Q4V2',
+  IMAGE_TLS_DIRECTORY64 = IOStruct.new 'Q4V2',
     :StartAddressOfRawData,
     :EndAddressOfRawData,
     :AddressOfIndex,

data/lib/pedump/unpacker/aspack.rb

@@ -22,7 +22,12 @@ class PEdump::Unpacker::ASPack
   attr_accessor :logger
 
   def initialize io, params = {}
-    params[:logger] ||= PEdump::Logger.create(params)
+    params[:logger]     ||= PEdump::Logger.create(params)
+
+    # XXX aspack unpacker code does not distinguish RVA from VA, so set
+    # image base to zero for RVA be equal VA
+    params[:image_base] ||= 0
+
     @logger = params[:logger]
     @ldr = PEdump::Loader.new(io, params)
     @io = io
@@ -311,7 +316,7 @@ class PEdump::Unpacker::ASPack
     74                      jz      short exit_relocs_loop
   EOC
 
-  SECTION_INFO = PEdump.create_struct 'VlV', :va, :size, :flags
+  SECTION_INFO = IOStruct.new 'VlV', :va, :size, :flags
 
   ########################################################################