pedump 0.4.7 → 0.4.8
Sign up to get free protection for your applications and to get access to all the features.
- data/VERSION +1 -1
- data/lib/pedump.rb +4 -15
- data/lib/pedump/packer.rb +40 -1
- data/lib/pedump/version.rb +1 -1
- data/pedump.gemspec +3 -2
- data/spec/imports_badterm_spec.rb +5 -5
- data/spec/imports_vterm_spec.rb +5 -5
- data/spec/packer_spec.rb +17 -0
- data/spec/pedump_spec.rb +16 -4
- data/spec/unpackers/find_spec.rb +4 -0
- metadata +22 -21
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
0.4.
|
|
1
|
+
0.4.8
|
data/lib/pedump.rb
CHANGED
|
@@ -6,6 +6,7 @@ require 'pedump/resources'
|
|
|
6
6
|
require 'pedump/version_info'
|
|
7
7
|
require 'pedump/tls'
|
|
8
8
|
require 'pedump/security'
|
|
9
|
+
require 'pedump/packer'
|
|
9
10
|
|
|
10
11
|
# pedump.rb by zed_0xff
|
|
11
12
|
#
|
|
@@ -709,23 +710,11 @@ class PEdump
|
|
|
709
710
|
def packer f=@io
|
|
710
711
|
@packer ||= pe(f) && @pe.ioh &&
|
|
711
712
|
begin
|
|
712
|
-
if
|
|
713
|
-
logger.error "[?]
|
|
714
|
-
nil
|
|
715
|
-
elsif va == 0 && @pe.dll?
|
|
716
|
-
logger.debug "[.] it's a DLL with no EntryPoint"
|
|
717
|
-
nil
|
|
718
|
-
elsif !(ofs = va2file(va))
|
|
719
|
-
logger.error "[?] can't find EntryPoint RVA (0x#{va.to_s(16)}) file offset"
|
|
713
|
+
if PEdump::Packer.all.size == 0
|
|
714
|
+
logger.error "[?] no packer definitions found"
|
|
720
715
|
nil
|
|
721
716
|
else
|
|
722
|
-
|
|
723
|
-
if PEdump::Packer.all.size == 0
|
|
724
|
-
logger.error "[?] no packer definitions found"
|
|
725
|
-
nil
|
|
726
|
-
else
|
|
727
|
-
Packer.of f, :ep_offset => ofs
|
|
728
|
-
end
|
|
717
|
+
Packer.of f, :pedump => self
|
|
729
718
|
end
|
|
730
719
|
end
|
|
731
720
|
end
|
data/lib/pedump/packer.rb
CHANGED
|
@@ -12,6 +12,13 @@ class PEdump
|
|
|
12
12
|
end
|
|
13
13
|
end
|
|
14
14
|
|
|
15
|
+
class Guess < Match
|
|
16
|
+
def initialize name
|
|
17
|
+
self.offset = 0
|
|
18
|
+
self.packer = Packer.new(name, nil, nil, 0)
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
|
|
15
22
|
class << self
|
|
16
23
|
def all
|
|
17
24
|
@@all ||=
|
|
@@ -47,13 +54,45 @@ class PEdump
|
|
|
47
54
|
end
|
|
48
55
|
|
|
49
56
|
def of data, h = {}
|
|
50
|
-
if data.respond_to?(:read) && data.respond_to?(:seek) && h[:
|
|
57
|
+
if data.respond_to?(:read) && data.respond_to?(:seek) && h[:pedump]
|
|
58
|
+
of_pedump data, h
|
|
59
|
+
elsif data.respond_to?(:read) && data.respond_to?(:seek) && h[:ep_offset]
|
|
51
60
|
of_pe_file data, h
|
|
52
61
|
else
|
|
53
62
|
of_data data
|
|
54
63
|
end
|
|
55
64
|
end
|
|
56
65
|
|
|
66
|
+
# try to determine packer of FILE f, h[:pedump] is a PEdump instance
|
|
67
|
+
def of_pedump f, h
|
|
68
|
+
pedump = h[:pedump]
|
|
69
|
+
pe = pedump.pe
|
|
70
|
+
if !(va=pe.ioh.AddressOfEntryPoint)
|
|
71
|
+
pedump.logger.error "[?] can't find EntryPoint RVA"
|
|
72
|
+
nil
|
|
73
|
+
elsif va == 0 && pe.dll?
|
|
74
|
+
pedump.logger.debug "[.] it's a DLL with no EntryPoint"
|
|
75
|
+
nil
|
|
76
|
+
elsif !(ofs = pedump.va2file(va))
|
|
77
|
+
pedump.logger.error "[?] can't find EntryPoint RVA (0x#{va.to_s(16)}) file offset"
|
|
78
|
+
nil
|
|
79
|
+
else
|
|
80
|
+
r = of_pe_file(f, h.merge({:ep_offset => ofs}))
|
|
81
|
+
return r if r && r.any?
|
|
82
|
+
|
|
83
|
+
# nothing found, try to guess by pe section names
|
|
84
|
+
if pedump.sections
|
|
85
|
+
if pedump.sections.any?{ |s| s.Name.to_s =~ /upx/i }
|
|
86
|
+
return [Guess.new('UPX?')]
|
|
87
|
+
end
|
|
88
|
+
if pedump.sections.any?{ |s| s.Name.to_s =~ /aspack/i }
|
|
89
|
+
return [Guess.new('ASPack?')]
|
|
90
|
+
end
|
|
91
|
+
end
|
|
92
|
+
nil
|
|
93
|
+
end
|
|
94
|
+
end
|
|
95
|
+
|
|
57
96
|
# try to determine packer of FILE f, ep_offset - offset to entrypoint from start of file
|
|
58
97
|
def of_pe_file f, h
|
|
59
98
|
h[:deep] = @@deep unless h.key?(:deep)
|
data/lib/pedump/version.rb
CHANGED
data/pedump.gemspec
CHANGED
|
@@ -5,11 +5,11 @@
|
|
|
5
5
|
|
|
6
6
|
Gem::Specification.new do |s|
|
|
7
7
|
s.name = "pedump"
|
|
8
|
-
s.version = "0.4.
|
|
8
|
+
s.version = "0.4.8"
|
|
9
9
|
|
|
10
10
|
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
|
11
11
|
s.authors = ["Andrey \"Zed\" Zaikin"]
|
|
12
|
-
s.date = "2012-01-
|
|
12
|
+
s.date = "2012-01-12"
|
|
13
13
|
s.description = "dump headers, sections, extract resources of win32 PE exe,dll,etc"
|
|
14
14
|
s.email = "zed.0xff@gmail.com"
|
|
15
15
|
s.executables = ["pedump"]
|
|
@@ -62,6 +62,7 @@ Gem::Specification.new do |s|
|
|
|
62
62
|
"spec/imports_badterm_spec.rb",
|
|
63
63
|
"spec/imports_vterm_spec.rb",
|
|
64
64
|
"spec/manyimportsW7_spec.rb",
|
|
65
|
+
"spec/packer_spec.rb",
|
|
65
66
|
"spec/pe_spec.rb",
|
|
66
67
|
"spec/pedump_spec.rb",
|
|
67
68
|
"spec/resource_spec.rb",
|
|
@@ -16,11 +16,11 @@ describe 'corkami/imports_badterm.exe' do
|
|
|
16
16
|
@imports.map(&:class).uniq.should == [PEdump::IMAGE_IMPORT_DESCRIPTOR]
|
|
17
17
|
end
|
|
18
18
|
|
|
19
|
-
it "should have all entries thunks equal" do
|
|
20
|
-
@imports.each do |iid|
|
|
21
|
-
iid.first_thunk.should == iid.original_first_thunk
|
|
22
|
-
end
|
|
23
|
-
end
|
|
19
|
+
# it "should have all entries thunks equal" do
|
|
20
|
+
# @imports.each do |iid|
|
|
21
|
+
# iid.first_thunk.should == iid.original_first_thunk
|
|
22
|
+
# end
|
|
23
|
+
# end
|
|
24
24
|
|
|
25
25
|
describe "1st image_import_descriptor" do
|
|
26
26
|
it "should be from kernel32.dll" do
|
data/spec/imports_vterm_spec.rb
CHANGED
|
@@ -16,11 +16,11 @@ describe 'corkami/imports_vterm.exe' do
|
|
|
16
16
|
@imports.map(&:class).uniq.should == [PEdump::IMAGE_IMPORT_DESCRIPTOR]
|
|
17
17
|
end
|
|
18
18
|
|
|
19
|
-
it "should have all entries thunks equal" do
|
|
20
|
-
@imports.each do |iid|
|
|
21
|
-
iid.first_thunk.should == iid.original_first_thunk
|
|
22
|
-
end
|
|
23
|
-
end
|
|
19
|
+
# it "should have all entries thunks equal" do
|
|
20
|
+
# @imports.each do |iid|
|
|
21
|
+
# iid.first_thunk.should == iid.original_first_thunk
|
|
22
|
+
# end
|
|
23
|
+
# end
|
|
24
24
|
|
|
25
25
|
describe "1st image_import_descriptor" do
|
|
26
26
|
it "should be from kernel32.dll" do
|
data/spec/packer_spec.rb
ADDED
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
|
|
2
|
+
require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
|
|
3
|
+
|
|
4
|
+
%w'calc_upx.exe arm_upx.exe'.each do |fname|
|
|
5
|
+
describe fname do
|
|
6
|
+
before :all do
|
|
7
|
+
File.open(File.join("samples",fname),"rb") do |f|
|
|
8
|
+
@packer = PEdump.new(f).packer.first
|
|
9
|
+
end
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
it "should detect UPX" do
|
|
13
|
+
@packer.should_not be_nil
|
|
14
|
+
@packer.name.should include 'UPX'
|
|
15
|
+
end
|
|
16
|
+
end
|
|
17
|
+
end
|
data/spec/pedump_spec.rb
CHANGED
|
@@ -1,7 +1,19 @@
|
|
|
1
1
|
require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
|
|
2
2
|
|
|
3
|
-
describe "
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
3
|
+
describe "PEdump#dump" do
|
|
4
|
+
describe "should save packer" do
|
|
5
|
+
it "when arg is a filename" do
|
|
6
|
+
dump = PEdump.dump("samples/arm_upx.exe", :log_level => Logger::FATAL)
|
|
7
|
+
dump.packers.size.should == 1
|
|
8
|
+
dump.packers.first.name.should =~ /UPX/
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
it "when arg is an IO" do
|
|
12
|
+
File.open("samples/arm_upx.exe", "rb") do |f|
|
|
13
|
+
dump = PEdump.dump(f, :log_level => Logger::FATAL)
|
|
14
|
+
dump.packers.size.should == 1
|
|
15
|
+
dump.packers.first.name.should =~ /UPX/
|
|
16
|
+
end
|
|
17
|
+
end
|
|
18
|
+
end
|
|
7
19
|
end
|
data/spec/unpackers/find_spec.rb
CHANGED
|
@@ -7,6 +7,10 @@ describe PEdump::Unpacker do
|
|
|
7
7
|
PEdump::Unpacker.find("#{root}/samples/calc_upx.exe").should == PEdump::Unpacker::UPX
|
|
8
8
|
end
|
|
9
9
|
|
|
10
|
+
it "finds ARM UPX" do
|
|
11
|
+
PEdump::Unpacker.find("#{root}/samples/arm_upx.exe").should == PEdump::Unpacker::UPX
|
|
12
|
+
end
|
|
13
|
+
|
|
10
14
|
it "finds ASPack" do
|
|
11
15
|
PEdump::Unpacker.find("#{root}/samples/calc.asp212.exe").should == PEdump::Unpacker::ASPack
|
|
12
16
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: pedump
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.4.
|
|
4
|
+
version: 0.4.8
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -9,11 +9,11 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2012-01-
|
|
12
|
+
date: 2012-01-12 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: multipart-post
|
|
16
|
-
requirement: &
|
|
16
|
+
requirement: &70206434654160 !ruby/object:Gem::Requirement
|
|
17
17
|
none: false
|
|
18
18
|
requirements:
|
|
19
19
|
- - ~>
|
|
@@ -21,10 +21,10 @@ dependencies:
|
|
|
21
21
|
version: 1.1.4
|
|
22
22
|
type: :runtime
|
|
23
23
|
prerelease: false
|
|
24
|
-
version_requirements: *
|
|
24
|
+
version_requirements: *70206434654160
|
|
25
25
|
- !ruby/object:Gem::Dependency
|
|
26
26
|
name: progressbar
|
|
27
|
-
requirement: &
|
|
27
|
+
requirement: &70206434650540 !ruby/object:Gem::Requirement
|
|
28
28
|
none: false
|
|
29
29
|
requirements:
|
|
30
30
|
- - ~>
|
|
@@ -32,10 +32,10 @@ dependencies:
|
|
|
32
32
|
version: 0.9.2
|
|
33
33
|
type: :runtime
|
|
34
34
|
prerelease: false
|
|
35
|
-
version_requirements: *
|
|
35
|
+
version_requirements: *70206434650540
|
|
36
36
|
- !ruby/object:Gem::Dependency
|
|
37
37
|
name: awesome_print
|
|
38
|
-
requirement: &
|
|
38
|
+
requirement: &70206434649280 !ruby/object:Gem::Requirement
|
|
39
39
|
none: false
|
|
40
40
|
requirements:
|
|
41
41
|
- - ! '>='
|
|
@@ -43,10 +43,10 @@ dependencies:
|
|
|
43
43
|
version: '0'
|
|
44
44
|
type: :runtime
|
|
45
45
|
prerelease: false
|
|
46
|
-
version_requirements: *
|
|
46
|
+
version_requirements: *70206434649280
|
|
47
47
|
- !ruby/object:Gem::Dependency
|
|
48
48
|
name: rspec
|
|
49
|
-
requirement: &
|
|
49
|
+
requirement: &70206434647680 !ruby/object:Gem::Requirement
|
|
50
50
|
none: false
|
|
51
51
|
requirements:
|
|
52
52
|
- - ~>
|
|
@@ -54,10 +54,10 @@ dependencies:
|
|
|
54
54
|
version: 2.3.0
|
|
55
55
|
type: :development
|
|
56
56
|
prerelease: false
|
|
57
|
-
version_requirements: *
|
|
57
|
+
version_requirements: *70206434647680
|
|
58
58
|
- !ruby/object:Gem::Dependency
|
|
59
59
|
name: bundler
|
|
60
|
-
requirement: &
|
|
60
|
+
requirement: &70206434646960 !ruby/object:Gem::Requirement
|
|
61
61
|
none: false
|
|
62
62
|
requirements:
|
|
63
63
|
- - ~>
|
|
@@ -65,10 +65,10 @@ dependencies:
|
|
|
65
65
|
version: 1.0.0
|
|
66
66
|
type: :development
|
|
67
67
|
prerelease: false
|
|
68
|
-
version_requirements: *
|
|
68
|
+
version_requirements: *70206434646960
|
|
69
69
|
- !ruby/object:Gem::Dependency
|
|
70
70
|
name: jeweler
|
|
71
|
-
requirement: &
|
|
71
|
+
requirement: &70206434677380 !ruby/object:Gem::Requirement
|
|
72
72
|
none: false
|
|
73
73
|
requirements:
|
|
74
74
|
- - ~>
|
|
@@ -76,10 +76,10 @@ dependencies:
|
|
|
76
76
|
version: 1.6.4
|
|
77
77
|
type: :development
|
|
78
78
|
prerelease: false
|
|
79
|
-
version_requirements: *
|
|
79
|
+
version_requirements: *70206434677380
|
|
80
80
|
- !ruby/object:Gem::Dependency
|
|
81
81
|
name: rcov
|
|
82
|
-
requirement: &
|
|
82
|
+
requirement: &70206434676480 !ruby/object:Gem::Requirement
|
|
83
83
|
none: false
|
|
84
84
|
requirements:
|
|
85
85
|
- - ! '>='
|
|
@@ -87,10 +87,10 @@ dependencies:
|
|
|
87
87
|
version: '0'
|
|
88
88
|
type: :development
|
|
89
89
|
prerelease: false
|
|
90
|
-
version_requirements: *
|
|
90
|
+
version_requirements: *70206434676480
|
|
91
91
|
- !ruby/object:Gem::Dependency
|
|
92
92
|
name: what_methods
|
|
93
|
-
requirement: &
|
|
93
|
+
requirement: &70206434675740 !ruby/object:Gem::Requirement
|
|
94
94
|
none: false
|
|
95
95
|
requirements:
|
|
96
96
|
- - ! '>='
|
|
@@ -98,10 +98,10 @@ dependencies:
|
|
|
98
98
|
version: '0'
|
|
99
99
|
type: :development
|
|
100
100
|
prerelease: false
|
|
101
|
-
version_requirements: *
|
|
101
|
+
version_requirements: *70206434675740
|
|
102
102
|
- !ruby/object:Gem::Dependency
|
|
103
103
|
name: looksee
|
|
104
|
-
requirement: &
|
|
104
|
+
requirement: &70206434674700 !ruby/object:Gem::Requirement
|
|
105
105
|
none: false
|
|
106
106
|
requirements:
|
|
107
107
|
- - ! '>='
|
|
@@ -109,7 +109,7 @@ dependencies:
|
|
|
109
109
|
version: '0'
|
|
110
110
|
type: :development
|
|
111
111
|
prerelease: false
|
|
112
|
-
version_requirements: *
|
|
112
|
+
version_requirements: *70206434674700
|
|
113
113
|
description: dump headers, sections, extract resources of win32 PE exe,dll,etc
|
|
114
114
|
email: zed.0xff@gmail.com
|
|
115
115
|
executables:
|
|
@@ -163,6 +163,7 @@ files:
|
|
|
163
163
|
- spec/imports_badterm_spec.rb
|
|
164
164
|
- spec/imports_vterm_spec.rb
|
|
165
165
|
- spec/manyimportsW7_spec.rb
|
|
166
|
+
- spec/packer_spec.rb
|
|
166
167
|
- spec/pe_spec.rb
|
|
167
168
|
- spec/pedump_spec.rb
|
|
168
169
|
- spec/resource_spec.rb
|
|
@@ -187,7 +188,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
187
188
|
version: '0'
|
|
188
189
|
segments:
|
|
189
190
|
- 0
|
|
190
|
-
hash:
|
|
191
|
+
hash: -1408674862654916848
|
|
191
192
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
192
193
|
none: false
|
|
193
194
|
requirements:
|