RubyGems - pedump - Versions diffs - 0.4.6 → 0.4.7 - Mend

pedump 0.4.6 → 0.4.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 0.4.6
1	+ 0.4.7

data/lib/pedump.rb CHANGED Viewed

@@ -5,6 +5,7 @@ require 'pedump/pe'
 require 'pedump/resources'
 require 'pedump/version_info'
 require 'pedump/tls'
+require 'pedump/security'
 # pedump.rb by zed_0xff
 #

data/lib/pedump/cli.rb CHANGED Viewed

@@ -41,7 +41,7 @@ class PEdump::CLI
   attr_accessor :data, :argv
   KNOWN_ACTIONS = (
-    %w'mz dos_stub rich pe data_directory sections tls' +
+    %w'mz dos_stub rich pe data_directory sections tls security' +
     %w'strings resources resource_directory imports exports version_info packer web packer_only'
   ).map(&:to_sym)
@@ -439,6 +439,8 @@ class PEdump::CLI
         dump_version_info data
       when PEdump::IMAGE_TLS_DIRECTORY32, PEdump::IMAGE_TLS_DIRECTORY64
         dump_tls data
+      when PEdump::WIN_CERTIFICATE
+        dump_security data
       else
         puts "[?] don't know how to dump: #{data.inspect[0,50]}" unless data.empty?
       end
@@ -451,6 +453,20 @@ class PEdump::CLI
     end
   end
+  def dump_security data
+    return unless data
+    data.each do |win_cert|
+      if win_cert.data.respond_to?(:certificates)
+        win_cert.data.certificates.each do |cert|
+          puts cert.to_text
+          puts
+        end
+      else
+        @pedump.logger.error "[?] no certificates in #{win_cert.class}"
+      end
+    end
+  end
   def dump_tls data
     fmt = "%10x %10x %8x  %8x  %8x  %8x\n"
     printf fmt.tr('x','s'), *%w'RAW_START RAW_END INDEX CALLBKS ZEROFILL FLAGS'

data/lib/pedump/security.rb ADDED Viewed

@@ -0,0 +1,58 @@
+class PEdump
+  def security f=@io
+    return nil unless pe(f) && pe(f).ioh && f
+    dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::SECURITY]
+    return nil if !dir || dir.va == 0
+    # IMAGE_DIRECTORY_ENTRY_SECURITY
+    # Points to a list of WIN_CERTIFICATE structures, defined in WinTrust.H.
+    # Not mapped into memory as part of the image.
+    # Therefore, the VirtualAddress field is a file offset, rather than an RVA.
+    #
+    # http://msdn.microsoft.com/en-us/magazine/bb985997.aspx
+    f.seek dir.va
+    r = []
+    ofs = f.tell
+    while !f.eof? && (f.tell-ofs < dir.size)
+      r << WIN_CERTIFICATE.read(f)
+    end
+    r
+  end
+  alias :signature :security
+  # WIN_CERT_TYPE_X509             (0x0001) bCertificate contains an X.509 certificate.
+  # WIN_CERT_TYPE_PKCS_SIGNED_DATA (0x0002) bCertificate contains a PKCS SignedData structure.
+  # WIN_CERT_TYPE_RESERVED_1       (0x0003) Reserved.
+  # WIN_CERT_TYPE_PKCS1_SIGN       (0x0009) bCertificate contains PKCS1_MODULE_SIGN fields.
+  # http://msdn.microsoft.com/en-us/library/aa447037.aspx
+  class WIN_CERTIFICATE < create_struct 'Vvv',
+    :dwLength,
+    :wRevision,
+    :wCertificateType,
+    # manual
+    :data
+    def self.read f
+      super.tap do |x|
+        if x.dwLength.to_i < 8
+          PEdump.logger.error "[!] #{x.class}: too small length #{x.dwLength}"
+        elsif x.dwLength.to_i > 0x100_000
+          PEdump.logger.error "[!] #{x.class}: too big length #{x.dwLength}"
+        else
+          x.data = f.read(x.dwLength - 8)
+          begin
+            case x.wCertificateType
+            when 2
+              require 'openssl'
+              x.data = OpenSSL::PKCS7.new(x.data)
+            end
+          rescue
+            PEdump.logger.error "[!] #{$!}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/pedump/version.rb CHANGED Viewed

@@ -2,7 +2,7 @@ class PEdump
   module Version
     MAJOR = 0
     MINOR = 4
-    PATCH = 6
+    PATCH = 7
     BUILD = nil
     STRING = [MAJOR, MINOR, PATCH, BUILD].compact.join('.')

data/pedump.gemspec CHANGED Viewed

@@ -5,11 +5,11 @@
 Gem::Specification.new do |s|
   s.name = "pedump"
-  s.version = "0.4.6"
+  s.version = "0.4.7"
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Andrey \"Zed\" Zaikin"]
-  s.date = "2012-01-02"
+  s.date = "2012-01-07"
   s.description = "dump headers, sections, extract resources of win32 PE exe,dll,etc"
   s.email = "zed.0xff@gmail.com"
   s.executables = ["pedump"]
@@ -42,6 +42,7 @@ Gem::Specification.new do |s|
     "lib/pedump/packer.rb",
     "lib/pedump/pe.rb",
     "lib/pedump/resources.rb",
+    "lib/pedump/security.rb",
     "lib/pedump/sig_parser.rb",
     "lib/pedump/tls.rb",
     "lib/pedump/unpacker.rb",

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pedump
 version: !ruby/object:Gem::Version
-  version: 0.4.6
+  version: 0.4.7
   prerelease:
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-01-02 00:00:00.000000000 Z
+date: 2012-01-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multipart-post
-  requirement: &70220274686500 !ruby/object:Gem::Requirement
+  requirement: &70164154992620 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -21,10 +21,10 @@ dependencies:
         version: 1.1.4
   type: :runtime
   prerelease: false
-  version_requirements: *70220274686500
+  version_requirements: *70164154992620
 - !ruby/object:Gem::Dependency
   name: progressbar
-  requirement: &70220274684420 !ruby/object:Gem::Requirement
+  requirement: &70164154991900 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -32,10 +32,10 @@ dependencies:
         version: 0.9.2
   type: :runtime
   prerelease: false
-  version_requirements: *70220274684420
+  version_requirements: *70164154991900
 - !ruby/object:Gem::Dependency
   name: awesome_print
-  requirement: &70220274683420 !ruby/object:Gem::Requirement
+  requirement: &70164154990160 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -43,10 +43,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *70220274683420
+  version_requirements: *70164154990160
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &70220274682560 !ruby/object:Gem::Requirement
+  requirement: &70164154989100 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -54,10 +54,10 @@ dependencies:
         version: 2.3.0
   type: :development
   prerelease: false
-  version_requirements: *70220274682560
+  version_requirements: *70164154989100
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: &70220274681480 !ruby/object:Gem::Requirement
+  requirement: &70164155003740 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -65,10 +65,10 @@ dependencies:
         version: 1.0.0
   type: :development
   prerelease: false
-  version_requirements: *70220274681480
+  version_requirements: *70164155003740
 - !ruby/object:Gem::Dependency
   name: jeweler
-  requirement: &70220274680660 !ruby/object:Gem::Requirement
+  requirement: &70164155002640 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -76,10 +76,10 @@ dependencies:
         version: 1.6.4
   type: :development
   prerelease: false
-  version_requirements: *70220274680660
+  version_requirements: *70164155002640
 - !ruby/object:Gem::Dependency
   name: rcov
-  requirement: &70220274695800 !ruby/object:Gem::Requirement
+  requirement: &70164155001260 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -87,10 +87,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70220274695800
+  version_requirements: *70164155001260
 - !ruby/object:Gem::Dependency
   name: what_methods
-  requirement: &70220274692960 !ruby/object:Gem::Requirement
+  requirement: &70164154999840 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -98,10 +98,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70220274692960
+  version_requirements: *70164154999840
 - !ruby/object:Gem::Dependency
   name: looksee
-  requirement: &70220274691880 !ruby/object:Gem::Requirement
+  requirement: &70164154998320 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -109,7 +109,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70220274691880
+  version_requirements: *70164154998320
 description: dump headers, sections, extract resources of win32 PE exe,dll,etc
 email: zed.0xff@gmail.com
 executables:
@@ -143,6 +143,7 @@ files:
 - lib/pedump/packer.rb
 - lib/pedump/pe.rb
 - lib/pedump/resources.rb
+- lib/pedump/security.rb
 - lib/pedump/sig_parser.rb
 - lib/pedump/tls.rb
 - lib/pedump/unpacker.rb
@@ -186,7 +187,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 1478998611787411165
+      hash: 2471928743190601423
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements: