RubyGems - pedump - Versions diffs - 0.4.5 → 0.4.6 - Mend

pedump 0.4.5 → 0.4.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

data/Gemfile +3 -1
data/Gemfile.lock +5 -1
data/README.md +22 -20
data/Rakefile +25 -0
data/VERSION +1 -1
data/lib/pedump.rb +92 -45
data/lib/pedump/cli.rb +56 -16
data/lib/pedump/comparer.rb +147 -0
data/lib/pedump/core.rb +12 -18
data/lib/pedump/loader.rb +131 -0
data/lib/pedump/loader/section.rb +51 -0
data/lib/pedump/logger.rb +67 -0
data/lib/pedump/pe.rb +3 -0
data/lib/pedump/resources.rb +3 -3
data/lib/pedump/unpacker.rb +26 -0
data/lib/pedump/unpacker/aspack.rb +853 -0
data/lib/pedump/unpacker/upx.rb +13 -0
data/lib/pedump/version.rb +1 -1
data/lib/pedump/version_info.rb +8 -3
data/misc/aspack/Makefile +3 -0
data/misc/aspack/aspack_unlzx.c +92 -0
data/misc/aspack/lzxdec.c +479 -0
data/misc/aspack/lzxdec.h +56 -0
data/pedump.gemspec +24 -5
data/spec/pe_spec.rb +61 -0
data/spec/unpackers/aspack_spec.rb +69 -0
data/spec/unpackers/find_spec.rb +17 -0
metadata +53 -18

data/lib/pedump/cli.rb CHANGED

@@ -3,6 +3,32 @@ require 'pedump/packer'
 require 'pedump/version_info'
 require 'optparse'
+begin
+  require 'shellwords' # from ruby 1.9.3
+rescue LoadError
+  unless ''.respond_to?(:shellescape)
+    class String
+      # File shellwords.rb, line 72
+      def shellescape
+        # An empty argument will be skipped, so return empty quotes.
+        return "''" if self.empty?
+        str = self.dup
+        # Process as a single byte sequence because not all shell
+        # implementations are multibyte aware.
+        str.gsub!(/([^A-Za-z0-9_\-.,:\/@\n])/, "\\\\\\1")
+        # A LF cannot be escaped with a backslash because a backslash + LF
+        # combo is regarded as line continuation and simply ignored.
+        str.gsub!(/\n/, "'\n'")
+        str
+      end
+    end
+  end
+end
 unless Object.instance_methods.include?(:try)
   class Object
     def try(*x)
@@ -71,6 +97,10 @@ class PEdump::CLI
         @actions << :packer_only
       end
+      opts.on '-r', "--recursive", "recurse dirs in packer detect" do
+        @options[:recursive] = true
+      end
       opts.on "--all", "Dump all but resource-directory (default)" do
         @actions = DEFAULT_ALL_ACTIONS
       end
@@ -146,12 +176,20 @@ class PEdump::CLI
   def dump_packer_only fnames
     max_fname_len = fnames.map(&:size).max
     fnames.each do |fname|
-      File.open(fname,'rb') do |f|
-        @pedump = create_pedump fname
-        packers = @pedump.packers(f)
-        pname = Array(packers).first.try(:packer).try(:name)
-        pname ||= "unknown" if @options[:verbose] > 0
-        printf("%-*s %s\n", max_fname_len+1, "#{fname}:", pname) if pname
+      if File.directory?(fname)
+        if @options[:recursive]
+          dump_packer_only(Dir[File.join(fname.shellescape,"*")])
+        else
+          STDERR.puts "[?] #{fname} is a directory, and recursive flag is not set"
+        end
+      else
+        File.open(fname,'rb') do |f|
+          @pedump = create_pedump fname
+          packers = @pedump.packers(f)
+          pname = Array(packers).first.try(:packer).try(:name)
+          pname ||= "unknown" if @options[:verbose] > 0
+          printf("%-*s %s\n", max_fname_len+1, "#{fname}:", pname) if pname
+        end
       end
     end
   end
@@ -267,9 +305,7 @@ class PEdump::CLI
     dump_opts = {:name => action}
     case action
       when :pe
-        @pedump.pe.ifh.TimeDateStamp = @pedump.pe.ifh.TimeDateStamp.to_i
-        data = @pedump.pe.signature + (@pedump.pe.ifh.try(:pack)||'') + (@pedump.pe.ioh.try(:pack)||'')
-        @pedump.pe.ifh.TimeDateStamp = Time.at(@pedump.pe.ifh.TimeDateStamp).utc
+        data = @pedump.pe.pack
       when :resources
         return dump_resources(data)
       when :strings
@@ -420,12 +456,12 @@ class PEdump::CLI
     printf fmt.tr('x','s'), *%w'RAW_START RAW_END INDEX CALLBKS ZEROFILL FLAGS'
     data.each do |tls|
       printf fmt,
-        tls.StartAddressOfRawData,
-        tls.EndAddressOfRawData,
-        tls.AddressOfIndex,
-        tls.AddressOfCallBacks,
-        tls.SizeOfZeroFill,
-        tls.Characteristics
+        tls.StartAddressOfRawData.to_i,
+        tls.EndAddressOfRawData.to_i,
+        tls.AddressOfIndex.to_i,
+        tls.AddressOfCallBacks.to_i,
+        tls.SizeOfZeroFill.to_i,
+        tls.Characteristics.to_i
     end
   end
@@ -694,7 +730,11 @@ class PEdump::CLI
     end
   end
-  def hexdump data, h = {}
+  def hexdump *args
+    self.class.hexdump(*args)
+  end
+  def self.hexdump data, h = {}
     offset = h[:offset] || 0
     add    = h[:add]    || 0
     size   = h[:size]   || (data.size-offset)

data/lib/pedump/comparer.rb ADDED

@@ -0,0 +1,147 @@
+require 'pedump'
+require 'pedump/loader'
+########################################################################
+# comparing 2 binaries
+########################################################################
+class PEdump::Comparer
+  attr_accessor :verbose
+  attr_accessor :ignored_data_dirs, :ignored_sections
+  METHODS = [:sections, :data_dirs, :imports, :resources, :pe_hdr]
+  def initialize ldr1, ldr2
+    @ldr1,@ldr2 = ldr1,ldr2
+    @ignored_data_dirs = []
+    @ignored_sections  = []
+  end
+  def equal?
+    METHODS.map{ |m| send("cmp_#{m}") }.uniq == [true]
+  end
+  def diff
+    METHODS.map{ |m| send("cmp_#{m}") ? nil : m }.compact
+  end
+  def cmp_pe_hdr
+    @ldr1.pe.ioh.AddressOfEntryPoint == @ldr2.pe.ioh.AddressOfEntryPoint &&
+    @ldr1.pe.ioh.ImageBase           == @ldr2.pe.ioh.ImageBase
+  end
+  def cmp_resources
+    PEdump.quiet do
+      #@ldr1.pedump.resources == @ldr2.pedump.resources
+      @ldr1.pedump.resources.each_with_index do |r1,idx|
+       r2 = @ldr2.pedump.resources[idx]
+       if (r1.to_a - [r1.file_offset]) != (r2.to_a - [r2.file_offset])
+         p r1
+         p r2
+         return false
+       end
+      end
+    end
+    true
+  end
+  def cmp_sections
+    r = true
+    @ldr1.sections.each_with_index do |s1,idx|
+      next if @ignored_sections.include?(s1.name)
+      s2 = @ldr2.sections[idx]
+      if !s2
+        r = false
+        printf "[!] extra section %-12s in %s\n".red, s1.name.inspect, f1
+      elsif s1.data == s2.data
+        printf "[.] section: %s == %s\n".green, s1.name, s2.name if @verbose
+      else
+        r = false
+        printf "[!] section: %s != %s\n".red, s1.name, s2.name
+        self.class.cmp_ios *[s1,s2].map{ |section| StringIO.new(section.data) }
+      end
+    end
+    r
+  end
+  def cmp_data_dirs
+    r = true
+    @ldr1.pe.ioh.DataDirectory.each_with_index do |d1,idx|
+      break if idx == 15
+      d2 = @ldr2.pe.ioh.DataDirectory[idx]
+      case idx
+        when PEdump::IMAGE_DATA_DIRECTORY::BASERELOC
+          # total 8-byte size relocs == no relocs at all
+          next if [d1.va, d2.va].min == 0 && [d1.size, d2.size].max == 8
+      end
+      next if @ignored_data_dirs.include?(idx)
+      if d1.va != d2.va && d1.size != d2.size
+        r = false
+        printf "[!] data_dir: %-12s:  SIZE & VA: %6x %6x  |  %6x %6x\n".red, d1.type,
+          d1.va, d1.size, d2.va, d2.size
+      elsif d1.va != d2.va
+        r = false
+        printf "[!] data_dir: %-12s:  VA       : %x != %x\n".red, d1.type, d1.va, d2.va
+      elsif d1.size != d2.size
+        r = false
+        printf "[!] data_dir: %-12s:  SIZE     : %x != %x\n".red, d1.type, d1.size, d2.size
+      end
+    end
+    r
+  end
+  def cmp_imports
+    @ldr1.pedump.imports.each_with_index do |iid1,idx|
+      iid2 = @ldr2.pedump.imports[idx]
+      if iid1 != iid2
+        puts "[!] diff imports".red
+        return false
+      end
+    end
+    true
+  end
+  class << self
+    # arguments can be:
+    #   a) filenames
+    #   b) IO instances
+    #   c) PEdump::Loader instances
+    def cmp *args
+      handles = []
+      if args.all?{|x| x.is_a?(String)}
+        handles = args.map{|x| File.open(x,"rb")}
+        _cmp(*handles.map{|h| PEdump::Loader.new(h)})
+      else
+        _cmp(*args)
+      end
+    ensure
+      handles.each(&:close)
+    end
+    # each arg is a PEdump::Loader
+    def _cmp ldr1, ldr2
+      new(ldr1, ldr2).equal?
+    end
+    def cmp_ios *ios
+      ndiff = 0
+      while !ios.any?(&:eof)
+        bytes = ios.map(&:readbyte)
+        if bytes.uniq.size > 1
+          ndiff += 1
+          printf ("\t%08x:"+" %02x"*ios.size).yellow+"\n", ios[0].pos-1, *bytes
+          if ndiff >= 5
+            puts "\t...".yellow
+            break
+          end
+        end
+      end
+      puts if ndiff > 0
+    end
+  end
+end

data/lib/pedump/core.rb CHANGED

@@ -1,5 +1,6 @@
 require 'logger'
 require 'pedump/version'
+require 'pedump/logger'
 class String
   def xor x
@@ -30,26 +31,19 @@ class File
 end
 class PEdump
-  class Logger < ::Logger
-    def initialize *args
-      super
-      @formatter = proc do |severity,_,_,msg|
-        # quick and dirty way to remove duplicate messages
-        if @prevmsg == msg && severity != 'DEBUG' && severity != 'INFO'
-          ''
-        else
-          @prevmsg = msg
-          "#{msg}\n"
-        end
-      end
-      @level = Logger::WARN
-    end
-  end
   module Readable
-    def read file, size = nil
+    # src can be IO or String, or anything that responds to :read or :unpack
+    def read src, size = nil
       size ||= const_get 'SIZE'
-      data = file.read(size).to_s
+      data =
+        if src.respond_to?(:read)
+          src.read(size).to_s
+        elsif src.respond_to?(:unpack)
+          src
+        else
+          raise "[?] don't know how to read from #{src.inspect}"
+        end
       if data.size < size && PEdump.logger
         PEdump.logger.error "[!] #{self.to_s} want #{size} bytes, got #{data.size}"
       end
@@ -67,7 +61,7 @@ class PEdump
           case f
           when /[aAC]/ then 1
           when 'v' then 2
-          when 'V' then 4
+          when 'V','l' then 4
           when 'Q' then 8
           else raise "unknown fmt #{f.inspect}"
           end

data/lib/pedump/loader.rb ADDED

@@ -0,0 +1,131 @@
+require 'pedump'
+require 'stringio'
+require 'pedump/loader/section'
+class PEdump::Loader
+  attr_accessor :mz_hdr, :dos_stub, :pe_hdr, :sections, :pedump
+  # shortcuts
+  alias :pe :pe_hdr
+  def ep; @pe_hdr.ioh.AddressOfEntryPoint; end
+  def ep= v; @pe_hdr.ioh.AddressOfEntryPoint=v; end
+  ########################################################################
+  # constructors
+  ########################################################################
+  def initialize io = nil, pedump_params = {}
+    @pedump = PEdump.new(io, pedump_params)
+    if io
+      @mz_hdr     = @pedump.mz
+      @dos_stub   = @pedump.dos_stub
+      @pe_hdr     = @pedump.pe
+      load_sections @pedump.sections, io
+    end
+  end
+  def load_sections section_hdrs, f = nil
+    if section_hdrs.is_a?(Array) && section_hdrs.map(&:class).uniq == [PEdump::IMAGE_SECTION_HEADER]
+      @sections = section_hdrs.map{ |x| Section.new(x, :deferred_load_io => f) }
+      if f.respond_to?(:seek) && f.respond_to?(:read)
+        #
+        # converted to deferred loading
+        #
+#        section_hdrs.each_with_index do |sect_hdr, idx|
+#          f.seek sect_hdr.PointerToRawData
+#          @sections[idx].data = f.read(sect_hdr.SizeOfRawData)
+#        end
+      elsif f
+        raise "invalid 2nd arg: #{f.inspect}"
+      end
+    else
+      raise "invalid arg: #{section_hdrs.inspect}"
+    end
+  end
+  ########################################################################
+  # VA conversion
+  ########################################################################
+  def va2section va
+    @sections.find{ |x| x.range.include?(va) }
+  end
+  def va2stream va
+    return nil unless section = va2section(va)
+    StringIO.new(section.data).tap do |io|
+      io.seek va-section.va
+    end
+  end
+  ########################################################################
+  # virtual memory read/write
+  ########################################################################
+  def [] va, size
+    section = va2section(va)
+    raise "no section for va=0x#{va.to_s 16}" unless section
+    offset = va - section.va
+    raise "negative offset #{offset}" if offset < 0
+    r = section.data[offset,size]
+    if r.size < size
+      # append some empty data
+      r << ("\x00".force_encoding('binary')) * (size - r.size)
+    end
+    r
+  end
+  def []= va, size, data
+    raise "data.size != size" if data.size != size
+    section = va2section(va)
+    raise "no section for va=0x#{va.to_s 16}" unless section
+    offset = va - section.va
+    raise "negative offset #{offset}" if offset < 0
+    if section.data.size < offset
+      # append some empty data
+      section.data << ("\x00".force_encoding('binary') * (offset-section.data.size))
+    end
+    section.data[offset, data.size] = data
+  end
+  ########################################################################
+  # generating PE binary
+  ########################################################################
+  def section_table
+    @sections.map do |section|
+      section.hdr.SizeOfRawData = section.data.size
+      section.hdr.pack
+    end.join
+  end
+  def dump f
+    align = @pe_hdr.ioh.FileAlignment
+    mz_size = @mz_hdr.pack.size
+    raise "odd mz_size #{mz_size}" if mz_size % 0x10 != 0
+    @mz_hdr.header_paragraphs = mz_size / 0x10              # offset of dos_stub
+    @mz_hdr.lfanew = mz_size + @dos_stub.size               # offset of PE hdr
+    f.write @mz_hdr.pack
+    f.write @dos_stub
+    f.write @pe_hdr.pack
+    f.write @pe_hdr.ioh.DataDirectory.map(&:pack).join
+    section_tbl_offset = f.tell # store offset for 2nd write of section table
+    f.write section_table
+    @sections.each do |section|
+      f.seek(align - (f.tell % align), IO::SEEK_CUR) if f.tell % align != 0
+      section.hdr.PointerToRawData = f.tell  # fix raw_ptr
+      f.write(section.data)
+    end
+    eof = f.tell
+    # 2nd write of section table with correct raw_ptr's
+    f.seek section_tbl_offset
+    f.write section_table
+    f.seek eof
+  end
+end

data/lib/pedump/loader/section.rb ADDED

@@ -0,0 +1,51 @@
+class PEdump::Loader
+  class Section
+    attr_accessor :hdr
+    attr_writer :data
+    EMPTY_DATA = ''.force_encoding('binary')
+    def initialize x = nil, args = {}
+      if x.is_a?(PEdump::IMAGE_SECTION_HEADER)
+        @hdr = x.dup
+      end
+      @data = EMPTY_DATA.dup
+      @deferred_load_io   = args[:deferred_load_io]
+      @deferred_load_pos  = args[:deferred_load_pos]  || (@hdr && @hdr.PointerToRawData)
+      @deferred_load_size = args[:deferred_load_size] || (@hdr && @hdr.SizeOfRawData)
+    end
+    def name;  @hdr.Name; end
+    def va  ;  @hdr.VirtualAddress; end
+    def vsize; @hdr.VirtualSize; end
+    def flags; @hdr.Characteristics; end
+    def flags= f; @hdr.Characteristics= f; end
+    def data
+      if @data.empty? && @deferred_load_io && @deferred_load_pos && @deferred_load_size.to_i > 0
+        begin
+          old_pos = @deferred_load_io.tell
+          @deferred_load_io.seek @deferred_load_pos
+          @data = @deferred_load_io.binmode.read(@deferred_load_size) || EMPTY_DATA.dup
+        ensure
+          if @deferred_load_io && old_pos
+            @deferred_load_io.seek old_pos
+            @deferred_load_io = nil # prevent read only on 1st access to data
+          end
+        end
+      end
+      @data
+    end
+    def range
+      va...(va+vsize)
+    end
+    def inspect
+      "#<Section name=%-10s va=%8x vsize=%8x rawsize=%8s>" % [
+        name.inspect, va, vsize,
+        @data.size > 0 ? @data.size.to_s(16) : (@deferred_load_io ? "<defer>" : 0)
+      ]
+    end
+  end
+end