pedump 0.4.5 → 0.4.6

data/Gemfile

@@ -4,6 +4,7 @@ source "http://rubygems.org"
 #   gem "activesupport", ">= 2.3.5"
 gem "multipart-post", "~> 1.1.4"
 gem "progressbar", "~> 0.9.2"
+gem "awesome_print"
 
 # Add dependencies to develop your gem here.
 # Include everything needed to run rake, tests, features, etc.
@@ -12,5 +13,6 @@ group :development do
   gem "bundler", "~> 1.0.0"
   gem "jeweler", "~> 1.6.4"
   gem "rcov", ">= 0"
-  gem "awesome_print"
+  gem "what_methods"
+  gem "looksee"
 end

data/Gemfile.lock

@@ -1,13 +1,14 @@
 GEM
   remote: http://rubygems.org/
   specs:
-    awesome_print (0.4.0)
+    awesome_print (1.0.2)
     diff-lcs (1.1.3)
     git (1.2.5)
     jeweler (1.6.4)
       bundler (~> 1.0)
       git (>= 1.2.5)
       rake
+    looksee (1.0.3)
     multipart-post (1.1.4)
     progressbar (0.9.2)
     rake (0.9.2.2)
@@ -20,6 +21,7 @@ GEM
     rspec-expectations (2.3.0)
       diff-lcs (~> 1.1.2)
     rspec-mocks (2.3.0)
+    what_methods (1.0.1)
 
 PLATFORMS
   ruby
@@ -28,7 +30,9 @@ DEPENDENCIES
   awesome_print
   bundler (~> 1.0.0)
   jeweler (~> 1.6.4)
+  looksee
   multipart-post (~> 1.1.4)
   progressbar (~> 0.9.2)
   rcov
   rspec (~> 2.3.0)
+  what_methods

data/README.md

@@ -43,6 +43,7 @@ Usage
             --pe
             --data-directory
         -S, --sections
+            --tls
         -s, --strings
         -R, --resources
             --resource-directory
@@ -53,6 +54,7 @@ Usage
             --deep                       packer deep scan, significantly slower
         -P, --packer-only                packer/compiler detect only,
                                          mimics 'file' command output
+        -r, --recursive                  recurse dirs in packer detect
             --all                        Dump all but resource-directory (default)
             --va2file VA                 Convert RVA to file offset
         -W, --web                        Uploads files to a http://pedump.me
@@ -126,7 +128,7 @@ Usage
     # IMAGE_FILE_HEADER:
                            Machine:        332         0x14c  x86
                   NumberOfSections:          4             4
-                     TimeDateStamp:    "2008-09-14 11:28:52"
+                     TimeDateStamp:    "2008-09-14 07:28:52"
               PointerToSymbolTable:          0             0
                    NumberOfSymbols:          0             0
               SizeOfOptionalHeader:        224          0xe0
@@ -315,7 +317,7 @@ Usage
     === EXPORTS ===
     
     # module "zlib.dll"
-    # flags=0x0  ts="1996-05-07 12:46:46"  version=0.0  ord_base=1
+    # flags=0x0  ts="1996-05-07 08:46:46"  version=0.0  ord_base=1
     # nFuncs=27  nNames=27
     
       ORD ENTRY_VA  NAME
@@ -328,24 +330,24 @@ Usage
         7     37f0  deflateInit2_
         8     37c0  deflateInit_
         9     3bc0  deflateParams
-       10     3b40  deflateReset
-       11     3a40  deflateSetDictionary
-       12     7510  gzclose
-       13     6f00  gzdopen
-       14     75a0  gzerror
-       15     73f0  gzflush
-       16     6c50  gzopen
-       17     7190  gzread
-       18     7350  gzwrite
-       19     4e50  inflate
-       20     4cc0  inflateEnd
-       21     4d20  inflateInit2_
-       22     4e30  inflateInit_
-       23     4c70  inflateReset
-       24     5260  inflateSetDictionary
-       25     52f0  inflateSync
-       26     4bd0  uncompress
-       27     e340  zlib_version
+        a     3b40  deflateReset
+        b     3a40  deflateSetDictionary
+        c     7510  gzclose
+        d     6f00  gzdopen
+        e     75a0  gzerror
+        f     73f0  gzflush
+       10     6c50  gzopen
+       11     7190  gzread
+       12     7350  gzwrite
+       13     4e50  inflate
+       14     4cc0  inflateEnd
+       15     4d20  inflateInit2_
+       16     4e30  inflateInit_
+       17     4c70  inflateReset
+       18     5260  inflateSetDictionary
+       19     52f0  inflateSync
+       1a     4bd0  uncompress
+       1b     e340  zlib_version
 
 ### VS_VERSIONINFO parsing
 

data/Rakefile

@@ -190,3 +190,28 @@ task :readme do
   Dir.chdir '..'
   File.open('README.md','w'){ |f| f << result }
 end
+
+namespace :console do
+  desc "start console with PEdump::Loader with loaded file"
+  task :load do
+    raise "gimme a fname" unless fname = ENV['fname']
+    require './lib/pedump'
+    require './lib/pedump/loader'
+    require 'pp'
+    File.open(fname,"rb") do |f|
+      @ldr = PEdump::Loader.new f
+      puts "[.] loader is at @ldr"
+      pp @ldr.sections
+      Rake::Task["console"].execute
+    end
+  end
+end
+
+desc "compare two PE files"
+task :cmp do
+  raise "gimme a f1" unless f1 = ENV['f1']
+  raise "gimme a f2" unless f2 = ENV['f2']
+  require './lib/pedump'
+  require './lib/pedump/comparer'
+  PEdump::Comparer.cmp(f1,f2)
+end

data/VERSION

@@ -1 +1 @@
-0.4.5
+0.4.6

data/lib/pedump.rb

@@ -12,16 +12,20 @@ require 'pedump/tls'
 #   http://github.com/zed-0xff
 
 class PEdump
-  attr_accessor :fname, :logger, :force
+  attr_accessor :fname, :logger, :force, :io
 
   VERSION = Version::STRING
 
   @@logger = nil
 
-  def initialize fname, params = {}
-    @fname = fname
+  def initialize io = nil, params = {}
+    if io.is_a?(Hash)
+      @io, params = nil, io
+    else
+      @io = io
+    end
     @force = params[:force]
-    @logger = @@logger = params[:logger] || PEdump::Logger.new(params[:logdev] || STDERR)
+    @logger = @@logger = Logger.create(params)
   end
 
   # http://www.delorie.com/djgpp/doc/exe/
@@ -83,10 +87,10 @@ class PEdump
       0x8000 => 'BYTES_REVERSED_HI'         # The bytes of the word are reversed. This flag is obsolete.
     }
 
-    def initialize *args
-      super
-      self.TimeDateStamp = Time.at(self.TimeDateStamp).utc
-    end
+#    def initialize *args
+#      super
+#      self.TimeDateStamp = Time.at(self.TimeDateStamp).utc
+#    end
     def flags
       FLAGS.find_all{ |k,v| (self.Characteristics & k) != 0 }.map(&:last)
     end
@@ -226,6 +230,10 @@ class PEdump
       r << ' SHARED'      if f & 0x10000000 > 0
       r
     end
+
+    def pack
+      to_a.pack FORMAT.tr('A','a') # pad names with NULL bytes on pack()
+    end
   end
 
   # http://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=VS.85).aspx
@@ -286,7 +294,15 @@ class PEdump
     new(fname, params).dump
   end
 
-  def mz f=nil
+  def self.quiet
+    oldlevel = @@logger.level
+    @@logger.level = ::Logger::FATAL
+    yield
+  ensure
+    @@logger.level = oldlevel
+  end
+
+  def mz f=@io
     @mz ||= f && MZ.read(f).tap do |mz|
       if mz.signature != 'MZ' && mz.signature != 'ZM'
         if @force
@@ -299,7 +315,7 @@ class PEdump
     end
   end
 
-  def dos_stub f=nil
+  def dos_stub f=@io
     @dos_stub ||=
       begin
         return nil unless mz = mz(f)
@@ -339,13 +355,13 @@ class PEdump
       end
   end
 
-  def rich_hdr f=nil
+  def rich_hdr f=@io
     dos_stub(f) && @rich_hdr
   end
   alias :rich_header :rich_hdr
   alias :rich        :rich_hdr
 
-  def pe f=nil
+  def pe f=@io
     @pe ||=
       begin
         pe_offset = mz(f) && mz(f).lfanew
@@ -396,8 +412,14 @@ class PEdump
   end
 
   # OPTIONAL: assigns @mz, @rich_hdr, @pe, etc
-  def dump f=nil
-    f ? _dump_handle(f) : File.open(@fname,'rb'){ |f| _dump_handle(f) }
+  def dump f=@io
+    if f.is_a?(String)
+      File.open(f,'rb'){ |f| _dump_handle(f) }
+    elsif f.is_a?(::IO)
+      _dump_handle f
+    elsif @io
+      _dump_handle @io
+    end
     self
   end
 
@@ -410,11 +432,11 @@ class PEdump
     packer h
   end
 
-  def data_directory f=nil
+  def data_directory f=@io
     pe(f) && pe.ioh && pe.ioh.DataDirectory
   end
 
-  def sections f=nil
+  def sections f=@io
     pe(f) && pe.section_table
   end
   alias :section_table :sections
@@ -436,9 +458,25 @@ class PEdump
     :original_first_thunk,
     :first_thunk
 
-  ImportedFunction = Struct.new(:hint, :name, :ordinal)
+  class ImportedFunction < Struct.new(:hint, :name, :ordinal, :va)
+#    def == x
+#      self.hint == x.hint && self.name == x.name && self.ordinal == x.ordinal
+#    end
+#    def <=> x
+#      self.to_a[0..-2] <=> x.to_a[0..-2]
+#    end
+
+    # magic to be able to easy merge :first_thunk & :original_first_thunk arrays
+    # (keeping va different)
+    def hash
+      self.to_a[0..-2].hash
+    end
+    def eql? x
+      self.hint == x.hint && self.name == x.name && self.ordinal == x.ordinal
+    end
+  end
 
-  def imports f=nil
+  def imports f=@io
     return @imports if @imports
     return nil unless pe(f) && pe(f).ioh && f
     dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::IMPORT]
@@ -472,14 +510,14 @@ class PEdump
 
     logger.warn "[?] non-empty last IMAGE_IMPORT_DESCRIPTOR: #{t.inspect}" unless t.empty?
     @imports = r.each do |x|
-      if x.Name.to_i != 0 && (va = va2file(x.Name))
-        f.seek va
-        x.module_name = f.gets("\x00").chomp("\x00")
+      if x.Name.to_i != 0 && (ofs = va2file(x.Name))
+        f.seek ofs
+        x.module_name = f.gets("\x00").to_s.chomp("\x00")
       end
       [:original_first_thunk, :first_thunk].each do |tbl|
         camel = tbl.capitalize.to_s.gsub(/_./){ |char| char[1..-1].upcase}
-        if x[camel].to_i != 0 && (va = va2file(x[camel]))
-          f.seek va
+        if x[camel].to_i != 0 && (ofs = va2file(x[camel]))
+          f.seek ofs
           x[tbl] ||= []
           if pe.x64?
             x[tbl] << t while (t = f.read(8).unpack('Q').first) != 0
@@ -492,16 +530,22 @@ class PEdump
         idx = -1
         x[tbl] && x[tbl].map! do |t|
           idx += 1
+          va = x[camel].to_i + idx*4
           cache[t] ||=
-            if t & (2**(bits-1)) > 0                            # 0x8000_0000(_0000_0000)
-              ImportedFunction.new(nil,nil,t & (2**(bits-1)-1)) # 0x7fff_ffff(_ffff_ffff)
-            elsif va=va2file(t, :quiet => true)
-              f.seek va
+            if t & (2**(bits-1)) > 0                               # 0x8000_0000(_0000_0000)
+              ImportedFunction.new(nil,nil,t & (2**(bits-1)-1),va) # 0x7fff_ffff(_ffff_ffff)
+            elsif ofs=va2file(t, :quiet => true)
+              f.seek ofs
               if f.eof?
-                logger.warn "[?] import va 0x#{va.to_s(16)} beyond EOF"
+                logger.warn "[?] import ofs 0x#{ofs.to_s(16)} beyond EOF"
                 nil
               else
-                ImportedFunction.new(f.read(2).unpack('v').first, f.gets("\x00").chop)
+                ImportedFunction.new(
+                  f.read(2).unpack('v').first,
+                  f.gets("\x00").chomp("\x00"),
+                  nil,
+                  va
+                )
               end
             elsif tbl == :original_first_thunk
               # OriginalFirstThunk entries can not be invalid, show a warning msg
@@ -521,8 +565,11 @@ class PEdump
         logger.warn "[?] import table: empty FirstThunk for #{x.module_name}"
       elsif !x.original_first_thunk && x.first_thunk
         logger.info "[?] import table: empty OriginalFirstThunk for #{x.module_name}"
-      elsif x.original_first_thunk != x.first_thunk
-        logger.debug "[?] import table: OriginalFirstThunk != FirstThunk for #{x.module_name}"
+      elsif logger.debug?
+        # compare all but VAs
+        if x.original_first_thunk != x.first_thunk
+          logger.debug "[?] import table: OriginalFirstThunk != FirstThunk for #{x.module_name}"
+        end
       end
     end
   end
@@ -547,7 +594,7 @@ class PEdump
     # manual:
     :name, :entry_points, :names, :name_ordinals
 
-  def exports f=nil
+  def exports f=@io
     return @exports if @exports
     return nil unless pe(f) && pe(f).ioh && f
     dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::EXPORT]
@@ -564,18 +611,18 @@ class PEdump
       x.entry_points = []
       x.name_ordinals = []
       x.names = []
-      if x.Name.to_i != 0 && (va = va2file(x.Name))
-        f.seek va
+      if x.Name.to_i != 0 && (ofs = va2file(x.Name))
+        f.seek ofs
         if f.eof?
-          logger.warn "[?] export va 0x#{va.to_s(16)} beyond EOF"
+          logger.warn "[?] export ofs 0x#{ofs.to_s(16)} beyond EOF"
           nil
         else
           x.name = f.gets("\x00").chomp("\x00")
         end
       end
       if x.NumberOfFunctions.to_i != 0
-        if x.AddressOfFunctions.to_i !=0 && (va = va2file(x.AddressOfFunctions))
-          f.seek va
+        if x.AddressOfFunctions.to_i !=0 && (ofs = va2file(x.AddressOfFunctions))
+          f.seek ofs
           x.entry_points = []
           x.NumberOfFunctions.times do
             if f.eof?
@@ -585,8 +632,8 @@ class PEdump
             x.entry_points << f.read(4).unpack('V').first
           end
         end
-        if x.AddressOfNameOrdinals.to_i !=0 && (va = va2file(x.AddressOfNameOrdinals))
-          f.seek va
+        if x.AddressOfNameOrdinals.to_i !=0 && (ofs = va2file(x.AddressOfNameOrdinals))
+          f.seek ofs
           x.name_ordinals = []
           x.NumberOfNames.times do
             if f.eof?
@@ -597,8 +644,8 @@ class PEdump
           end
         end
       end
-      if x.NumberOfNames.to_i != 0 && x.AddressOfNames.to_i !=0 && (va = va2file(x.AddressOfNames))
-        f.seek va
+      if x.NumberOfNames.to_i != 0 && x.AddressOfNames.to_i !=0 && (ofs = va2file(x.AddressOfNames))
+        f.seek ofs
         x.names = []
         x.NumberOfNames.times do
           if f.eof?
@@ -619,7 +666,7 @@ class PEdump
   # TLS
   ##############################################################################
 
-  def tls f=nil
+  def tls f=@io
     @tls ||= pe(f) && pe(f).ioh && f &&
       begin
         dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::TLS]
@@ -646,11 +693,11 @@ class PEdump
   # resources
   ##############################################################################
 
-  def resources f=nil
+  def resources f=@io
     @resources ||= _scan_resources(f)
   end
 
-  def version_info f=nil
+  def version_info f=@io
     resources(f) && resources(f).find_all{ |res| res.type == 'VERSION' }.map(&:data).flatten
   end
 
@@ -658,7 +705,7 @@ class PEdump
   # packer / compiler detection
   ##############################################################################
 
-  def packer f = nil
+  def packer f=@io
     @packer ||= pe(f) && @pe.ioh &&
       begin
         if !(va=@pe.ioh.AddressOfEntryPoint)