pedump 0.4.5 → 0.4.6

data/lib/pedump/cli.rb

@@ -3,6 +3,32 @@ require 'pedump/packer'
 require 'pedump/version_info'
 require 'optparse'
 
+begin
+  require 'shellwords' # from ruby 1.9.3
+rescue LoadError
+  unless ''.respond_to?(:shellescape)
+    class String
+      # File shellwords.rb, line 72
+      def shellescape
+        # An empty argument will be skipped, so return empty quotes.
+        return "''" if self.empty?
+
+        str = self.dup
+
+        # Process as a single byte sequence because not all shell
+        # implementations are multibyte aware.
+        str.gsub!(/([^A-Za-z0-9_\-.,:\/@\n])/, "\\\\\\1")
+
+        # A LF cannot be escaped with a backslash because a backslash + LF
+        # combo is regarded as line continuation and simply ignored.
+        str.gsub!(/\n/, "'\n'")
+
+        str
+      end
+    end
+  end
+end
+
 unless Object.instance_methods.include?(:try)
   class Object
     def try(*x)
@@ -71,6 +97,10 @@ class PEdump::CLI
         @actions << :packer_only
       end
 
+      opts.on '-r', "--recursive", "recurse dirs in packer detect" do
+        @options[:recursive] = true
+      end
+
       opts.on "--all", "Dump all but resource-directory (default)" do
         @actions = DEFAULT_ALL_ACTIONS
       end
@@ -146,12 +176,20 @@ class PEdump::CLI
   def dump_packer_only fnames
     max_fname_len = fnames.map(&:size).max
     fnames.each do |fname|
-      File.open(fname,'rb') do |f|
-        @pedump = create_pedump fname
-        packers = @pedump.packers(f)
-        pname = Array(packers).first.try(:packer).try(:name)
-        pname ||= "unknown" if @options[:verbose] > 0
-        printf("%-*s %s\n", max_fname_len+1, "#{fname}:", pname) if pname
+      if File.directory?(fname)
+        if @options[:recursive]
+          dump_packer_only(Dir[File.join(fname.shellescape,"*")])
+        else
+          STDERR.puts "[?] #{fname} is a directory, and recursive flag is not set"
+        end
+      else
+        File.open(fname,'rb') do |f|
+          @pedump = create_pedump fname
+          packers = @pedump.packers(f)
+          pname = Array(packers).first.try(:packer).try(:name)
+          pname ||= "unknown" if @options[:verbose] > 0
+          printf("%-*s %s\n", max_fname_len+1, "#{fname}:", pname) if pname
+        end
       end
     end
   end
@@ -267,9 +305,7 @@ class PEdump::CLI
     dump_opts = {:name => action}
     case action
       when :pe
-        @pedump.pe.ifh.TimeDateStamp = @pedump.pe.ifh.TimeDateStamp.to_i
-        data = @pedump.pe.signature + (@pedump.pe.ifh.try(:pack)||'') + (@pedump.pe.ioh.try(:pack)||'')
-        @pedump.pe.ifh.TimeDateStamp = Time.at(@pedump.pe.ifh.TimeDateStamp).utc
+        data = @pedump.pe.pack
       when :resources
         return dump_resources(data)
       when :strings
@@ -420,12 +456,12 @@ class PEdump::CLI
     printf fmt.tr('x','s'), *%w'RAW_START RAW_END INDEX CALLBKS ZEROFILL FLAGS'
     data.each do |tls|
       printf fmt,
-        tls.StartAddressOfRawData,
-        tls.EndAddressOfRawData,
-        tls.AddressOfIndex,
-        tls.AddressOfCallBacks,
-        tls.SizeOfZeroFill,
-        tls.Characteristics
+        tls.StartAddressOfRawData.to_i,
+        tls.EndAddressOfRawData.to_i,
+        tls.AddressOfIndex.to_i,
+        tls.AddressOfCallBacks.to_i,
+        tls.SizeOfZeroFill.to_i,
+        tls.Characteristics.to_i
     end
   end
 
@@ -694,7 +730,11 @@ class PEdump::CLI
     end
   end
 
-  def hexdump data, h = {}
+  def hexdump *args
+    self.class.hexdump(*args)
+  end
+
+  def self.hexdump data, h = {}
     offset = h[:offset] || 0
     add    = h[:add]    || 0
     size   = h[:size]   || (data.size-offset)

data/lib/pedump/comparer.rb

@@ -0,0 +1,147 @@
+require 'pedump'
+require 'pedump/loader'
+
+########################################################################
+# comparing 2 binaries
+########################################################################
+
+class PEdump::Comparer
+  attr_accessor :verbose
+  attr_accessor :ignored_data_dirs, :ignored_sections
+
+  METHODS = [:sections, :data_dirs, :imports, :resources, :pe_hdr]
+
+  def initialize ldr1, ldr2
+    @ldr1,@ldr2 = ldr1,ldr2
+    @ignored_data_dirs = []
+    @ignored_sections  = []
+  end
+
+  def equal?
+    METHODS.map{ |m| send("cmp_#{m}") }.uniq == [true]
+  end
+
+  def diff
+    METHODS.map{ |m| send("cmp_#{m}") ? nil : m }.compact
+  end
+
+  def cmp_pe_hdr
+    @ldr1.pe.ioh.AddressOfEntryPoint == @ldr2.pe.ioh.AddressOfEntryPoint &&
+    @ldr1.pe.ioh.ImageBase           == @ldr2.pe.ioh.ImageBase
+  end
+
+  def cmp_resources
+    PEdump.quiet do
+      #@ldr1.pedump.resources == @ldr2.pedump.resources
+      @ldr1.pedump.resources.each_with_index do |r1,idx|
+       r2 = @ldr2.pedump.resources[idx]
+       if (r1.to_a - [r1.file_offset]) != (r2.to_a - [r2.file_offset])
+         p r1
+         p r2
+         return false
+       end
+      end
+    end
+    true
+  end
+
+  def cmp_sections
+    r = true
+    @ldr1.sections.each_with_index do |s1,idx|
+      next if @ignored_sections.include?(s1.name)
+      s2 = @ldr2.sections[idx]
+
+      if !s2
+        r = false
+        printf "[!] extra section %-12s in %s\n".red, s1.name.inspect, f1
+      elsif s1.data == s2.data
+        printf "[.] section: %s == %s\n".green, s1.name, s2.name if @verbose
+      else
+        r = false
+        printf "[!] section: %s != %s\n".red, s1.name, s2.name
+        self.class.cmp_ios *[s1,s2].map{ |section| StringIO.new(section.data) }
+      end
+    end
+    r
+  end
+
+  def cmp_data_dirs
+    r = true
+    @ldr1.pe.ioh.DataDirectory.each_with_index do |d1,idx|
+      break if idx == 15
+      d2 = @ldr2.pe.ioh.DataDirectory[idx]
+
+      case idx
+        when PEdump::IMAGE_DATA_DIRECTORY::BASERELOC
+          # total 8-byte size relocs == no relocs at all
+          next if [d1.va, d2.va].min == 0 && [d1.size, d2.size].max == 8
+      end
+
+      next if @ignored_data_dirs.include?(idx)
+
+      if d1.va != d2.va && d1.size != d2.size
+        r = false
+        printf "[!] data_dir: %-12s:  SIZE & VA: %6x %6x  |  %6x %6x\n".red, d1.type,
+          d1.va, d1.size, d2.va, d2.size
+      elsif d1.va != d2.va
+        r = false
+        printf "[!] data_dir: %-12s:  VA       : %x != %x\n".red, d1.type, d1.va, d2.va
+      elsif d1.size != d2.size
+        r = false
+        printf "[!] data_dir: %-12s:  SIZE     : %x != %x\n".red, d1.type, d1.size, d2.size
+      end
+    end
+    r
+  end
+
+  def cmp_imports
+    @ldr1.pedump.imports.each_with_index do |iid1,idx|
+      iid2 = @ldr2.pedump.imports[idx]
+      if iid1 != iid2
+        puts "[!] diff imports".red
+        return false
+      end
+    end
+    true
+  end
+
+  class << self
+    # arguments can be:
+    #   a) filenames
+    #   b) IO instances
+    #   c) PEdump::Loader instances
+    def cmp *args
+      handles = []
+      if args.all?{|x| x.is_a?(String)}
+        handles = args.map{|x| File.open(x,"rb")}
+        _cmp(*handles.map{|h| PEdump::Loader.new(h)})
+      else
+        _cmp(*args)
+      end
+    ensure
+      handles.each(&:close)
+    end
+
+    # each arg is a PEdump::Loader
+    def _cmp ldr1, ldr2
+      new(ldr1, ldr2).equal?
+    end
+
+    def cmp_ios *ios
+      ndiff = 0
+      while !ios.any?(&:eof)
+        bytes = ios.map(&:readbyte)
+        if bytes.uniq.size > 1
+          ndiff += 1
+          printf ("\t%08x:"+" %02x"*ios.size).yellow+"\n", ios[0].pos-1, *bytes
+          if ndiff >= 5
+            puts "\t...".yellow
+            break
+          end
+        end
+      end
+      puts if ndiff > 0
+    end
+
+  end
+end

data/lib/pedump/core.rb

@@ -1,5 +1,6 @@
 require 'logger'
 require 'pedump/version'
+require 'pedump/logger'
 
 class String
   def xor x
@@ -30,26 +31,19 @@ class File
 end
 
 class PEdump
-  class Logger < ::Logger
-    def initialize *args
-      super
-      @formatter = proc do |severity,_,_,msg|
-        # quick and dirty way to remove duplicate messages
-        if @prevmsg == msg && severity != 'DEBUG' && severity != 'INFO'
-          ''
-        else
-          @prevmsg = msg
-          "#{msg}\n"
-        end
-      end
-      @level = Logger::WARN
-    end
-  end
 
   module Readable
-    def read file, size = nil
+    # src can be IO or String, or anything that responds to :read or :unpack
+    def read src, size = nil
       size ||= const_get 'SIZE'
-      data = file.read(size).to_s
+      data =
+        if src.respond_to?(:read)
+          src.read(size).to_s
+        elsif src.respond_to?(:unpack)
+          src
+        else
+          raise "[?] don't know how to read from #{src.inspect}"
+        end
       if data.size < size && PEdump.logger
         PEdump.logger.error "[!] #{self.to_s} want #{size} bytes, got #{data.size}"
       end
@@ -67,7 +61,7 @@ class PEdump
           case f
           when /[aAC]/ then 1
           when 'v' then 2
-          when 'V' then 4
+          when 'V','l' then 4
           when 'Q' then 8
           else raise "unknown fmt #{f.inspect}"
           end

data/lib/pedump/loader.rb

@@ -0,0 +1,131 @@
+require 'pedump'
+require 'stringio'
+require 'pedump/loader/section'
+
+class PEdump::Loader
+  attr_accessor :mz_hdr, :dos_stub, :pe_hdr, :sections, :pedump
+
+  # shortcuts
+  alias :pe :pe_hdr
+  def ep; @pe_hdr.ioh.AddressOfEntryPoint; end
+  def ep= v; @pe_hdr.ioh.AddressOfEntryPoint=v; end
+
+  ########################################################################
+  # constructors
+  ########################################################################
+
+  def initialize io = nil, pedump_params = {}
+    @pedump = PEdump.new(io, pedump_params)
+    if io
+      @mz_hdr     = @pedump.mz
+      @dos_stub   = @pedump.dos_stub
+      @pe_hdr     = @pedump.pe
+      load_sections @pedump.sections, io
+    end
+  end
+
+  def load_sections section_hdrs, f = nil
+    if section_hdrs.is_a?(Array) && section_hdrs.map(&:class).uniq == [PEdump::IMAGE_SECTION_HEADER]
+      @sections = section_hdrs.map{ |x| Section.new(x, :deferred_load_io => f) }
+      if f.respond_to?(:seek) && f.respond_to?(:read)
+        #
+        # converted to deferred loading
+        #
+#        section_hdrs.each_with_index do |sect_hdr, idx|
+#          f.seek sect_hdr.PointerToRawData
+#          @sections[idx].data = f.read(sect_hdr.SizeOfRawData)
+#        end
+      elsif f
+        raise "invalid 2nd arg: #{f.inspect}"
+      end
+    else
+      raise "invalid arg: #{section_hdrs.inspect}"
+    end
+  end
+
+  ########################################################################
+  # VA conversion
+  ########################################################################
+
+  def va2section va
+    @sections.find{ |x| x.range.include?(va) }
+  end
+
+  def va2stream va
+    return nil unless section = va2section(va)
+    StringIO.new(section.data).tap do |io|
+      io.seek va-section.va
+    end
+  end
+
+  ########################################################################
+  # virtual memory read/write
+  ########################################################################
+
+  def [] va, size
+    section = va2section(va)
+    raise "no section for va=0x#{va.to_s 16}" unless section
+    offset = va - section.va
+    raise "negative offset #{offset}" if offset < 0
+    r = section.data[offset,size]
+    if r.size < size
+      # append some empty data
+      r << ("\x00".force_encoding('binary')) * (size - r.size)
+    end
+    r
+  end
+
+  def []= va, size, data
+    raise "data.size != size" if data.size != size
+    section = va2section(va)
+    raise "no section for va=0x#{va.to_s 16}" unless section
+    offset = va - section.va
+    raise "negative offset #{offset}" if offset < 0
+    if section.data.size < offset
+      # append some empty data
+      section.data << ("\x00".force_encoding('binary') * (offset-section.data.size))
+    end
+    section.data[offset, data.size] = data
+  end
+
+  ########################################################################
+  # generating PE binary
+  ########################################################################
+
+  def section_table
+    @sections.map do |section|
+      section.hdr.SizeOfRawData = section.data.size
+      section.hdr.pack
+    end.join
+  end
+
+  def dump f
+    align = @pe_hdr.ioh.FileAlignment
+
+    mz_size = @mz_hdr.pack.size
+    raise "odd mz_size #{mz_size}" if mz_size % 0x10 != 0
+    @mz_hdr.header_paragraphs = mz_size / 0x10              # offset of dos_stub
+    @mz_hdr.lfanew = mz_size + @dos_stub.size               # offset of PE hdr
+    f.write @mz_hdr.pack
+    f.write @dos_stub
+    f.write @pe_hdr.pack
+    f.write @pe_hdr.ioh.DataDirectory.map(&:pack).join
+
+    section_tbl_offset = f.tell # store offset for 2nd write of section table
+    f.write section_table
+
+    @sections.each do |section|
+      f.seek(align - (f.tell % align), IO::SEEK_CUR) if f.tell % align != 0
+      section.hdr.PointerToRawData = f.tell  # fix raw_ptr
+      f.write(section.data)
+    end
+
+    eof = f.tell
+
+    # 2nd write of section table with correct raw_ptr's
+    f.seek section_tbl_offset
+    f.write section_table
+
+    f.seek eof
+  end
+end

data/lib/pedump/loader/section.rb

@@ -0,0 +1,51 @@
+class PEdump::Loader
+  class Section
+    attr_accessor :hdr
+    attr_writer :data
+
+    EMPTY_DATA = ''.force_encoding('binary')
+
+    def initialize x = nil, args = {}
+      if x.is_a?(PEdump::IMAGE_SECTION_HEADER)
+        @hdr = x.dup
+      end
+      @data = EMPTY_DATA.dup
+      @deferred_load_io   = args[:deferred_load_io]
+      @deferred_load_pos  = args[:deferred_load_pos]  || (@hdr && @hdr.PointerToRawData)
+      @deferred_load_size = args[:deferred_load_size] || (@hdr && @hdr.SizeOfRawData)
+    end
+
+    def name;  @hdr.Name; end
+    def va  ;  @hdr.VirtualAddress; end
+    def vsize; @hdr.VirtualSize; end
+    def flags; @hdr.Characteristics; end
+    def flags= f; @hdr.Characteristics= f; end
+
+    def data
+      if @data.empty? && @deferred_load_io && @deferred_load_pos && @deferred_load_size.to_i > 0
+        begin
+          old_pos = @deferred_load_io.tell
+          @deferred_load_io.seek @deferred_load_pos
+          @data = @deferred_load_io.binmode.read(@deferred_load_size) || EMPTY_DATA.dup
+        ensure
+          if @deferred_load_io && old_pos
+            @deferred_load_io.seek old_pos
+            @deferred_load_io = nil # prevent read only on 1st access to data
+          end
+        end
+      end
+      @data
+    end
+
+    def range
+      va...(va+vsize)
+    end
+
+    def inspect
+      "#<Section name=%-10s va=%8x vsize=%8x rawsize=%8s>" % [
+        name.inspect, va, vsize,
+        @data.size > 0 ? @data.size.to_s(16) : (@deferred_load_io ? "<defer>" : 0)
+      ]
+    end
+  end
+end