pedump 0.4.6 → 0.4.7

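--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-0.4.6
+0.4.7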
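--- a/data/lib/pedump.rb
+++ b/data/lib/pedump.rb
@@ -5,6 +5,7 @@ require 'pedump/pe'
 require 'pedump/resources'
 require 'pedump/version_info'
 require 'pedump/tls'
+require 'pedump/security'
 
 # pedump.rb by zed_0xff
 #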
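--- a/data/lib/pedump/cli.rb
+++ b/data/lib/pedump/cli.rb
@@ -41,7 +41,7 @@ class PEdump::CLI
 attr_accessor :data, :argv
 
 KNOWN_ACTIONS = (
-%w'mz dos_stub rich pe data_directory sections tls' +
+%w'mz dos_stub rich pe data_directory sections tls security' +
 %w'strings resources resource_directory imports exports version_info packer web packer_only'
 ).map(&:to_sym)
 
@@ -439,6 +439,8 @@ class PEdump::CLI
 dump_version_info data
 when PEdump::IMAGE_TLS_DIRECTORY32, PEdump::IMAGE_TLS_DIRECTORY64
 dump_tls data
+when PEdump::WIN_CERTIFICATE
+dump_security data
 else
 puts "[?] don't know how to dump: #{data.inspect[0,50]}" unless data.empty?
 end
@@ -451,6 +453,20 @@ class PEdump::CLI
 end
 end
 
+def dump_security data
+return unless data
+data.each do |win_cert|
+if win_cert.data.respond_to?(:certificates)
+win_cert.data.certificates.each do |cert|
+puts cert.to_text
+puts
+end
+else
+@pedump.logger.error "[?] no certificates in #{win_cert.class}"
+end
+end
+end
+
 def dump_tls data
 fmt = "%10x %10x %8x %8x %8x %8x\n"
 printf fmt.tr('x','s'), *%w'RAW_START RAW_END INDEX CALLBKS ZEROFILL FLAGS'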
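Review bot: The else branch of dump_security logs `no certificates in #{win_cert.class}`, but every element of data is a WIN_CERTIFICATE, so the message never tells the reader why the entry was skipped; the useful fact is the type and revision that WIN_CERTIFICATE.read left unparsed, e.g. `@pedump.logger.error "[?] no certificates in #{win_cert.class} (wCertificateType=#{win_cert.wCertificateType}, wRevision=#{win_cert.wRevision})"`. When win_cert.data did parse as PKCS7 but the SignedData carries no certificate list, the OpenSSL binding's `certificates` can, as far as I recall, return nil rather than an empty array, so `Array(win_cert.data.certificates).each do |cert|` avoids a NoMethodError on such a blob. The output is only a textual dump of the embedded chain and says nothing about whether the signature is valid or covers this image; a one-line comment on dump_security stating that would stop readers from treating printed certificates as evidence the file is correctly signed.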
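--- /dev/null
+++ b/data/lib/pedump/security.rb
@@ -0,0 +1,58 @@
+class PEdump
+def security f=@io
+return nil unless pe(f) && pe(f).ioh && f
+dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::SECURITY]
+return nil if !dir || dir.va == 0
+
+# IMAGE_DIRECTORY_ENTRY_SECURITY
+# Points to a list of WIN_CERTIFICATE structures, defined in WinTrust.H.
+# Not mapped into memory as part of the image.
+# Therefore, the VirtualAddress field is a file offset, rather than an RVA.
+#
+# http://msdn.microsoft.com/en-us/magazine/bb985997.aspx
+
+f.seek dir.va
+r = []
+ofs = f.tell
+while !f.eof? && (f.tell-ofs < dir.size)
+r << WIN_CERTIFICATE.read(f)
+end
+r
+end
+alias :signature :security
+
+# WIN_CERT_TYPE_X509 (0x0001) bCertificate contains an X.509 certificate.
+# WIN_CERT_TYPE_PKCS_SIGNED_DATA (0x0002) bCertificate contains a PKCS SignedData structure.
+# WIN_CERT_TYPE_RESERVED_1 (0x0003) Reserved.
+# WIN_CERT_TYPE_PKCS1_SIGN (0x0009) bCertificate contains PKCS1_MODULE_SIGN fields.
+
+# http://msdn.microsoft.com/en-us/library/aa447037.aspx
+class WIN_CERTIFICATE < create_struct 'Vvv',
+:dwLength,
+:wRevision,
+:wCertificateType,
+# manual
+:data
+
+def self.read f
+super.tap do |x|
+if x.dwLength.to_i < 8
+PEdump.logger.error "[!] #{x.class}: too small length #{x.dwLength}"
+elsif x.dwLength.to_i > 0x100_000
+PEdump.logger.error "[!] #{x.class}: too big length #{x.dwLength}"
+else
+x.data = f.read(x.dwLength - 8)
+begin
+case x.wCertificateType
+when 2
+require 'openssl'
+x.data = OpenSSL::PKCS7.new(x.data)
+end
+rescue
+PEdump.logger.error "[!] #{$!}"
+end
+end
+end
+end
+end
+end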
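Review bot: The loop in `security` reads consecutive entries with nothing but `WIN_CERTIFICATE.read(f)`, but entries of the attribute certificate table are padded to an 8-byte boundary and dwLength does not include that padding, so in a table with more than one entry the second read starts inside the padding and yields a bogus header; advancing to the next quadword after each read fixes it: `pad = (8 - (f.tell - ofs) % 8) % 8` followed by `f.seek(pad, IO::SEEK_CUR) if pad > 0`. In `WIN_CERTIFICATE.read` the `f.read(x.dwLength - 8)` is bounded only by the 0x100_000 cap and not by the bytes remaining in the directory, so an entry whose dwLength overruns the table is read past it without any message; checking `f.tell - ofs <= dir.size` after the read in `security` (or passing the remaining size into `read`) would turn that into an explicit parse error. The cap and the two error branches deserve a comment, since in both the header-only struct is still appended with `data` left nil, which the caller then has to recognise. The guard uses `pe(f)` while the next line uses `@pe`, which presumably relies on pe(f) caching into @pe; using `pe(f).ioh.DataDirectory[...]` on both lines removes that hidden dependency.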
@@ -2,7 +2,7 @@ class PEdump
2
2
  module Version
3
3
  MAJOR = 0
4
4
  MINOR = 4
5
- PATCH = 6
5
+ PATCH = 7
6
6
  BUILD = nil
7
7
 
8
8
  STRING = [MAJOR, MINOR, PATCH, BUILD].compact.join('.')
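--- a/data/pedump.gemspec
+++ b/data/pedump.gemspec
@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
 s.name = "pedump"
-s.version = "0.4.6"
+s.version = "0.4.7"
 
 s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
 s.authors = ["Andrey \"Zed\" Zaikin"]
-s.date = "2012-01-02"
+s.date = "2012-01-07"
 s.description = "dump headers, sections, extract resources of win32 PE exe,dll,etc"
 s.email = "zed.0xff@gmail.com"
 s.executables = ["pedump"]
@@ -42,6 +42,7 @@ Gem::Specification.new do |s|
 "lib/pedump/packer.rb",
 "lib/pedump/pe.rb",
 "lib/pedump/resources.rb",
+"lib/pedump/security.rb",
 "lib/pedump/sig_parser.rb",
 "lib/pedump/tls.rb",
 "lib/pedump/unpacker.rb",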
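--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pedump
 version: !ruby/object:Gem::Version
-version: 0.4.6
+version: 0.4.7
 prerelease:
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-01-02 00:00:00.000000000 Z
+date: 2012-01-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: multipart-post
-requirement: &70220274686500 !ruby/object:Gem::Requirement
+requirement: &70164154992620 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ~>
@@ -21,10 +21,10 @@ dependencies:
 version: 1.1.4
 type: :runtime
 prerelease: false
-version_requirements: *70220274686500
+version_requirements: *70164154992620
 - !ruby/object:Gem::Dependency
 name: progressbar
-requirement: &70220274684420 !ruby/object:Gem::Requirement
+requirement: &70164154991900 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ~>
@@ -32,10 +32,10 @@ dependencies:
 version: 0.9.2
 type: :runtime
 prerelease: false
-version_requirements: *70220274684420
+version_requirements: *70164154991900
 - !ruby/object:Gem::Dependency
 name: awesome_print
-requirement: &70220274683420 !ruby/object:Gem::Requirement
+requirement: &70164154990160 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ! '>='
@@ -43,10 +43,10 @@ dependencies:
 version: '0'
 type: :runtime
 prerelease: false
-version_requirements: *70220274683420
+version_requirements: *70164154990160
 - !ruby/object:Gem::Dependency
 name: rspec
-requirement: &70220274682560 !ruby/object:Gem::Requirement
+requirement: &70164154989100 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ~>
@@ -54,10 +54,10 @@ dependencies:
 version: 2.3.0
 type: :development
 prerelease: false
-version_requirements: *70220274682560
+version_requirements: *70164154989100
 - !ruby/object:Gem::Dependency
 name: bundler
-requirement: &70220274681480 !ruby/object:Gem::Requirement
+requirement: &70164155003740 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ~>
@@ -65,10 +65,10 @@ dependencies:
 version: 1.0.0
 type: :development
 prerelease: false
-version_requirements: *70220274681480
+version_requirements: *70164155003740
 - !ruby/object:Gem::Dependency
 name: jeweler
-requirement: &70220274680660 !ruby/object:Gem::Requirement
+requirement: &70164155002640 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ~>
@@ -76,10 +76,10 @@ dependencies:
 version: 1.6.4
 type: :development
 prerelease: false
-version_requirements: *70220274680660
+version_requirements: *70164155002640
 - !ruby/object:Gem::Dependency
 name: rcov
-requirement: &70220274695800 !ruby/object:Gem::Requirement
+requirement: &70164155001260 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ! '>='
@@ -87,10 +87,10 @@ dependencies:
 version: '0'
 type: :development
 prerelease: false
-version_requirements: *70220274695800
+version_requirements: *70164155001260
 - !ruby/object:Gem::Dependency
 name: what_methods
-requirement: &70220274692960 !ruby/object:Gem::Requirement
+requirement: &70164154999840 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ! '>='
@@ -98,10 +98,10 @@ dependencies:
 version: '0'
 type: :development
 prerelease: false
-version_requirements: *70220274692960
+version_requirements: *70164154999840
 - !ruby/object:Gem::Dependency
 name: looksee
-requirement: &70220274691880 !ruby/object:Gem::Requirement
+requirement: &70164154998320 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ! '>='
@@ -109,7 +109,7 @@ dependencies:
 version: '0'
 type: :development
 prerelease: false
-version_requirements: *70220274691880
+version_requirements: *70164154998320
 description: dump headers, sections, extract resources of win32 PE exe,dll,etc
 email: zed.0xff@gmail.com
 executables:
@@ -143,6 +143,7 @@ files:
 - lib/pedump/packer.rb
 - lib/pedump/pe.rb
 - lib/pedump/resources.rb
+- lib/pedump/security.rb
 - lib/pedump/sig_parser.rb
 - lib/pedump/tls.rb
 - lib/pedump/unpacker.rb
@@ -186,7 +187,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
 version: '0'
 segments:
 - 0
-hash: 1478998611787411165
+hash: 2471928743190601423
 required_rubygems_version: !ruby/object:Gem::Requirement
 none: false
 requirements: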