pedump 0.4.4 → 0.4.5

data/Rakefile

@@ -25,7 +25,9 @@ Jeweler::Tasks.new do |gem|
   gem.files.include "lib/**/*.rb"
   gem.files.include "data/*.bin"
   gem.files.include "data/*.txt"
-  # dependencies defined in Gemfile
+
+  gem.files.exclude "samples/*", "README.md.tpl"
+  gem.extra_rdoc_files.exclude "README.md.tpl"
 end
 Jeweler::RubygemsDotOrgTasks.new
 

data/VERSION

@@ -1 +1 @@
-0.4.4
+0.4.5

data/lib/pedump.rb

@@ -21,7 +21,7 @@ class PEdump
   def initialize fname, params = {}
     @fname = fname
     @force = params[:force]
-    @logger = @@logger = params[:logger] || PEdump::Logger.new(STDERR)
+    @logger = @@logger = params[:logger] || PEdump::Logger.new(params[:logdev] || STDERR)
   end
 
   # http://www.delorie.com/djgpp/doc/exe/
@@ -282,8 +282,8 @@ class PEdump
     @logger = @@logger = l
   end
 
-  def self.dump fname
-    new(fname).dump
+  def self.dump fname, params = {}
+    new(fname, params).dump
   end
 
   def mz f=nil
@@ -305,7 +305,7 @@ class PEdump
         return nil unless mz = mz(f)
         dos_stub_offset = mz.header_paragraphs.to_i * 0x10
         dos_stub_size   = mz.lfanew.to_i - dos_stub_offset
-        if dos_stub_offset <= 0
+        if dos_stub_offset < 0
           logger.warn "[?] invalid DOS stub offset #{dos_stub_offset}"
           nil
         elsif f && dos_stub_offset > f.size
@@ -321,6 +321,7 @@ class PEdump
           # no open file, it's ok
           nil
         else
+          return nil if dos_stub_size == MZ::SIZE && dos_stub_offset == 0
           if dos_stub_size > 0x1000
             logger.warn "[?] DOS stub size too big (#{dos_stub_size}), limiting to 0x1000"
             dos_stub_size = 0x1000
@@ -361,7 +362,7 @@ class PEdump
       end
   end
 
-  def va2file va
+  def va2file va, h={}
     return nil if va.nil?
 
     sections.each do |s|
@@ -390,7 +391,7 @@ class PEdump
 
     # TODO: not all VirtualAdresses == 0 case
 
-    logger.error "[?] can't find file_offset of VA 0x#{va.to_i.to_s(16)}"
+    logger.error "[?] can't find file_offset of VA 0x#{va.to_i.to_s(16)}" unless h[:quiet]
     nil
   end
 
@@ -401,11 +402,12 @@ class PEdump
   end
 
   def _dump_handle h
-    rich_hdr(h)  # includes mz(h)
-    resources(h) # includes pe(h)
-    imports h
+    return unless pe(h) # also calls mz(h)
+    rich_hdr h
+    resources h
+    imports h   # also calls tls(h)
     exports h
-    packer  h
+    packer h
   end
 
   def data_directory f=nil
@@ -466,7 +468,6 @@ class PEdump
       break if t.Name.to_i == 0 # also catches EOF
       r << t
       file_offset += IMAGE_IMPORT_DESCRIPTOR::SIZE
-      break if r.size == 3
     end
 
     logger.warn "[?] non-empty last IMAGE_IMPORT_DESCRIPTOR: #{t.inspect}" unless t.empty?
@@ -488,11 +489,13 @@ class PEdump
         end
         cache = {}
         bits = pe.x64? ? 64 : 32
+        idx = -1
         x[tbl] && x[tbl].map! do |t|
+          idx += 1
           cache[t] ||=
             if t & (2**(bits-1)) > 0                            # 0x8000_0000(_0000_0000)
               ImportedFunction.new(nil,nil,t & (2**(bits-1)-1)) # 0x7fff_ffff(_ffff_ffff)
-            elsif va=va2file(t)
+            elsif va=va2file(t, :quiet => true)
               f.seek va
               if f.eof?
                 logger.warn "[?] import va 0x#{va.to_s(16)} beyond EOF"
@@ -500,18 +503,26 @@ class PEdump
               else
                 ImportedFunction.new(f.read(2).unpack('v').first, f.gets("\x00").chop)
               end
-            else
+            elsif tbl == :original_first_thunk
+              # OriginalFirstThunk entries can not be invalid, show a warning msg
+              logger.warn "[?] invalid VA 0x#{t.to_s(16)} in #{camel}[#{idx}] for #{x.module_name}"
+              nil
+            elsif tbl == :first_thunk
+              # FirstThunk entries can be invalid, so `info` msg only
+              logger.info "[?] invalid VA 0x#{t.to_s(16)} in #{camel}[#{idx}] for #{x.module_name}"
               nil
+            else
+              raise "You are not supposed to be here! O_o"
             end
         end
         x[tbl] && x[tbl].compact!
       end
       if x.original_first_thunk && !x.first_thunk
-        logger.warn "[?] import table: empty FirstThunk of #{x.module_name}"
+        logger.warn "[?] import table: empty FirstThunk for #{x.module_name}"
       elsif !x.original_first_thunk && x.first_thunk
-        logger.warn "[?] import table: empty OriginalFirstThunk of #{x.module_name}"
+        logger.info "[?] import table: empty OriginalFirstThunk for #{x.module_name}"
       elsif x.original_first_thunk != x.first_thunk
-        logger.warn "[?] import table: OriginalFirstThunk != FirstThunk of #{x.module_name}"
+        logger.debug "[?] import table: OriginalFirstThunk != FirstThunk for #{x.module_name}"
       end
     end
   end
@@ -620,17 +631,12 @@ class PEdump
           return nil
         end
 
-        start_offset = f.tell
-
         klass = @pe.x64? ? IMAGE_TLS_DIRECTORY64 : IMAGE_TLS_DIRECTORY32
+        nEntries = [1,dir.size / klass.const_get('SIZE')].max
         r = []
-        while !f.eof? && (entry = klass.read(f))
-          if entry.AddressOfCallBacks.to_i == 0
-            logger.warn "[?] non-empty TLS terminator: #{entry.inspect}" unless entry.empty?
-            break
-          end
+        nEntries.times do
+          break if f.eof? || !(entry = klass.read(f))
           r << entry
-          break if dir.size > 0 && f.tell >= (start_offset+dir.size)
         end
         r
       end

data/lib/pedump/version.rb

@@ -2,7 +2,7 @@ class PEdump
   module Version
     MAJOR = 0
     MINOR = 4
-    PATCH = 4
+    PATCH = 5
     BUILD = nil
 
     STRING = [MAJOR, MINOR, PATCH, BUILD].compact.join('.')

data/pedump.gemspec

@@ -5,7 +5,7 @@
 
 Gem::Specification.new do |s|
   s.name = "pedump"
-  s.version = "0.4.4"
+  s.version = "0.4.5"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Andrey \"Zed\" Zaikin"]
@@ -15,8 +15,7 @@ Gem::Specification.new do |s|
   s.executables = ["pedump"]
   s.extra_rdoc_files = [
     "LICENSE.txt",
-    "README.md",
-    "README.md.tpl"
+    "README.md"
   ]
   s.files = [
     ".document",
@@ -25,7 +24,6 @@ Gem::Specification.new do |s|
     "Gemfile.lock",
     "LICENSE.txt",
     "README.md",
-    "README.md.tpl",
     "Rakefile",
     "VERSION",
     "bin/pedump",
@@ -45,9 +43,6 @@ Gem::Specification.new do |s|
     "lib/pedump/version.rb",
     "lib/pedump/version_info.rb",
     "pedump.gemspec",
-    "samples/calc.7z",
-    "samples/corkami.7z",
-    "samples/zlib.dll",
     "spec/65535sects_spec.rb",
     "spec/composite_io_spec.rb",
     "spec/dllord_spec.rb",

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pedump
 version: !ruby/object:Gem::Version
-  version: 0.4.4
+  version: 0.4.5
   prerelease: 
 platform: ruby
 authors:
@@ -13,7 +13,7 @@ date: 2011-12-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multipart-post
-  requirement: &70245146676060 !ruby/object:Gem::Requirement
+  requirement: &70360993390840 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -21,10 +21,10 @@ dependencies:
         version: 1.1.4
   type: :runtime
   prerelease: false
-  version_requirements: *70245146676060
+  version_requirements: *70360993390840
 - !ruby/object:Gem::Dependency
   name: progressbar
-  requirement: &70245146675500 !ruby/object:Gem::Requirement
+  requirement: &70360993390100 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -32,10 +32,10 @@ dependencies:
         version: 0.9.2
   type: :runtime
   prerelease: false
-  version_requirements: *70245146675500
+  version_requirements: *70360993390100
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &70245146674820 !ruby/object:Gem::Requirement
+  requirement: &70360993389180 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -43,10 +43,10 @@ dependencies:
         version: 2.3.0
   type: :development
   prerelease: false
-  version_requirements: *70245146674820
+  version_requirements: *70360993389180
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: &70245146674020 !ruby/object:Gem::Requirement
+  requirement: &70360993415340 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -54,10 +54,10 @@ dependencies:
         version: 1.0.0
   type: :development
   prerelease: false
-  version_requirements: *70245146674020
+  version_requirements: *70360993415340
 - !ruby/object:Gem::Dependency
   name: jeweler
-  requirement: &70245146673180 !ruby/object:Gem::Requirement
+  requirement: &70360993414640 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -65,10 +65,10 @@ dependencies:
         version: 1.6.4
   type: :development
   prerelease: false
-  version_requirements: *70245146673180
+  version_requirements: *70360993414640
 - !ruby/object:Gem::Dependency
   name: rcov
-  requirement: &70245146672260 !ruby/object:Gem::Requirement
+  requirement: &70360993414140 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -76,10 +76,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70245146672260
+  version_requirements: *70360993414140
 - !ruby/object:Gem::Dependency
   name: awesome_print
-  requirement: &70245146671740 !ruby/object:Gem::Requirement
+  requirement: &70360993413580 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -87,7 +87,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70245146671740
+  version_requirements: *70360993413580
 description: dump headers, sections, extract resources of win32 PE exe,dll,etc
 email: zed.0xff@gmail.com
 executables:
@@ -96,7 +96,6 @@ extensions: []
 extra_rdoc_files:
 - LICENSE.txt
 - README.md
-- README.md.tpl
 files:
 - .document
 - .rspec
@@ -104,7 +103,6 @@ files:
 - Gemfile.lock
 - LICENSE.txt
 - README.md
-- README.md.tpl
 - Rakefile
 - VERSION
 - bin/pedump
@@ -124,9 +122,6 @@ files:
 - lib/pedump/version.rb
 - lib/pedump/version_info.rb
 - pedump.gemspec
-- samples/calc.7z
-- samples/corkami.7z
-- samples/zlib.dll
 - spec/65535sects_spec.rb
 - spec/composite_io_spec.rb
 - spec/dllord_spec.rb
@@ -156,7 +151,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -576155968655045053
+      hash: 412789632490826090
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:

data/README.md.tpl

@@ -1,90 +0,0 @@
-pedump
-======
-
-Description
------------
-A pure ruby implementation of win32 PE binary files dumper, including:
-
- * MZ Header
- * DOS stub
- * ['Rich' Header](http://ntcore.com/files/richsign.htm)
- * PE Header
- * Data Directory
- * Sections
- * Resources
- * Strings
- * Imports & Exports
- * VS_VERSIONINFO parsing
- * PE Packer/Compiler detection
- * a convenient way to upload your PE's to http://pedump.me for a nice HTML tables with image previews, candies & stuff
-
-Installation
-------------
-    gem install pedump
-
-Usage
------
-
-% pedump -h
-
-### MZ Header
-
-% pedump --mz calc.exe
-
-### DOS stub
-
-% pedump --dos-stub calc.exe
-
-### 'Rich' Header
-
-% pedump --rich calc.exe
-
-### PE Header
-
-% pedump --pe calc.exe
-
-### Data Directory
-
-% pedump --data-directory calc.exe
-
-### Sections
-
-% pedump --sections calc.exe
-
-### Resources
-
-% pedump --resources calc.exe
-
-### Strings
-
-% pedump --strings calc.exe.mui
-
-### Imports
-
-% pedump --imports zlib.dll
-
-### Exports
-
-% pedump --exports zlib.dll
-
-### VS_VERSIONINFO parsing
-
-% pedump --version-info calc.exe
-
-### Packer / Compiler detection
-
-% pedump --packer zlib.dll
-
-#### pedump can mimic 'file' command output:
-
-    #pedump --packer-only -qqq samples/*
-    
-    samples/StringLoader.dll:                 Microsoft Visual C++ 6.0 DLL (Debug)
-    samples/control.exe:                      ASPack v2.12
-    samples/gms_v1_0_3.exe:                   UPX 2.90 [LZMA] (Markus Oberhumer, Laszlo Molnar & John Reiser)
-    samples/unpackme.exe:                     ASProtect 1.33 - 2.1 Registered (Alexey Solodovnikov)
-    samples/zlib.dll:                         Microsoft Visual C v2.0
-
-License
--------
-Released under the MIT License.  See the [LICENSE](https://github.com/zed-0xff/pedump/blob/master/LICENSE.txt) file for further details.