pedump 0.4.7 → 0.4.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/VERSION +1 -1
- data/lib/pedump.rb +4 -15
- data/lib/pedump/packer.rb +40 -1
- data/lib/pedump/version.rb +1 -1
- data/pedump.gemspec +3 -2
- data/spec/imports_badterm_spec.rb +5 -5
- data/spec/imports_vterm_spec.rb +5 -5
- data/spec/packer_spec.rb +17 -0
- data/spec/pedump_spec.rb +16 -4
- data/spec/unpackers/find_spec.rb +4 -0
- metadata +22 -21
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
0.4.
|
|
1
|
+
0.4.8
|
data/lib/pedump.rb
CHANGED
|
@@ -6,6 +6,7 @@ require 'pedump/resources'
|
|
|
6
6
|
require 'pedump/version_info'
|
|
7
7
|
require 'pedump/tls'
|
|
8
8
|
require 'pedump/security'
|
|
9
|
+
require 'pedump/packer'
|
|
9
10
|
|
|
10
11
|
# pedump.rb by zed_0xff
|
|
11
12
|
#
|
|
@@ -709,23 +710,11 @@ class PEdump
|
|
|
709
710
|
def packer f=@io
|
|
710
711
|
@packer ||= pe(f) && @pe.ioh &&
|
|
711
712
|
begin
|
|
712
|
-
if
|
|
713
|
-
logger.error "[?]
|
|
714
|
-
nil
|
|
715
|
-
elsif va == 0 && @pe.dll?
|
|
716
|
-
logger.debug "[.] it's a DLL with no EntryPoint"
|
|
717
|
-
nil
|
|
718
|
-
elsif !(ofs = va2file(va))
|
|
719
|
-
logger.error "[?] can't find EntryPoint RVA (0x#{va.to_s(16)}) file offset"
|
|
713
|
+
if PEdump::Packer.all.size == 0
|
|
714
|
+
logger.error "[?] no packer definitions found"
|
|
720
715
|
nil
|
|
721
716
|
else
|
|
722
|
-
|
|
723
|
-
if PEdump::Packer.all.size == 0
|
|
724
|
-
logger.error "[?] no packer definitions found"
|
|
725
|
-
nil
|
|
726
|
-
else
|
|
727
|
-
Packer.of f, :ep_offset => ofs
|
|
728
|
-
end
|
|
717
|
+
Packer.of f, :pedump => self
|
|
729
718
|
end
|
|
730
719
|
end
|
|
731
720
|
end
|
data/lib/pedump/packer.rb
CHANGED
|
@@ -12,6 +12,13 @@ class PEdump
|
|
|
12
12
|
end
|
|
13
13
|
end
|
|
14
14
|
|
|
15
|
+
class Guess < Match
|
|
16
|
+
def initialize name
|
|
17
|
+
self.offset = 0
|
|
18
|
+
self.packer = Packer.new(name, nil, nil, 0)
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
|
|
15
22
|
class << self
|
|
16
23
|
def all
|
|
17
24
|
@@all ||=
|
|
@@ -47,13 +54,45 @@ class PEdump
|
|
|
47
54
|
end
|
|
48
55
|
|
|
49
56
|
def of data, h = {}
|
|
50
|
-
if data.respond_to?(:read) && data.respond_to?(:seek) && h[:
|
|
57
|
+
if data.respond_to?(:read) && data.respond_to?(:seek) && h[:pedump]
|
|
58
|
+
of_pedump data, h
|
|
59
|
+
elsif data.respond_to?(:read) && data.respond_to?(:seek) && h[:ep_offset]
|
|
51
60
|
of_pe_file data, h
|
|
52
61
|
else
|
|
53
62
|
of_data data
|
|
54
63
|
end
|
|
55
64
|
end
|
|
56
65
|
|
|
66
|
+
# try to determine packer of FILE f, h[:pedump] is a PEdump instance
|
|
67
|
+
def of_pedump f, h
|
|
68
|
+
pedump = h[:pedump]
|
|
69
|
+
pe = pedump.pe
|
|
70
|
+
if !(va=pe.ioh.AddressOfEntryPoint)
|
|
71
|
+
pedump.logger.error "[?] can't find EntryPoint RVA"
|
|
72
|
+
nil
|
|
73
|
+
elsif va == 0 && pe.dll?
|
|
74
|
+
pedump.logger.debug "[.] it's a DLL with no EntryPoint"
|
|
75
|
+
nil
|
|
76
|
+
elsif !(ofs = pedump.va2file(va))
|
|
77
|
+
pedump.logger.error "[?] can't find EntryPoint RVA (0x#{va.to_s(16)}) file offset"
|
|
78
|
+
nil
|
|
79
|
+
else
|
|
80
|
+
r = of_pe_file(f, h.merge({:ep_offset => ofs}))
|
|
81
|
+
return r if r && r.any?
|
|
82
|
+
|
|
83
|
+
# nothing found, try to guess by pe section names
|
|
84
|
+
if pedump.sections
|
|
85
|
+
if pedump.sections.any?{ |s| s.Name.to_s =~ /upx/i }
|
|
86
|
+
return [Guess.new('UPX?')]
|
|
87
|
+
end
|
|
88
|
+
if pedump.sections.any?{ |s| s.Name.to_s =~ /aspack/i }
|
|
89
|
+
return [Guess.new('ASPack?')]
|
|
90
|
+
end
|
|
91
|
+
end
|
|
92
|
+
nil
|
|
93
|
+
end
|
|
94
|
+
end
|
|
95
|
+
|
|
57
96
|
# try to determine packer of FILE f, ep_offset - offset to entrypoint from start of file
|
|
58
97
|
def of_pe_file f, h
|
|
59
98
|
h[:deep] = @@deep unless h.key?(:deep)
|
data/lib/pedump/version.rb
CHANGED
data/pedump.gemspec
CHANGED
|
@@ -5,11 +5,11 @@
|
|
|
5
5
|
|
|
6
6
|
Gem::Specification.new do |s|
|
|
7
7
|
s.name = "pedump"
|
|
8
|
-
s.version = "0.4.
|
|
8
|
+
s.version = "0.4.8"
|
|
9
9
|
|
|
10
10
|
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
|
11
11
|
s.authors = ["Andrey \"Zed\" Zaikin"]
|
|
12
|
-
s.date = "2012-01-
|
|
12
|
+
s.date = "2012-01-12"
|
|
13
13
|
s.description = "dump headers, sections, extract resources of win32 PE exe,dll,etc"
|
|
14
14
|
s.email = "zed.0xff@gmail.com"
|
|
15
15
|
s.executables = ["pedump"]
|
|
@@ -62,6 +62,7 @@ Gem::Specification.new do |s|
|
|
|
62
62
|
"spec/imports_badterm_spec.rb",
|
|
63
63
|
"spec/imports_vterm_spec.rb",
|
|
64
64
|
"spec/manyimportsW7_spec.rb",
|
|
65
|
+
"spec/packer_spec.rb",
|
|
65
66
|
"spec/pe_spec.rb",
|
|
66
67
|
"spec/pedump_spec.rb",
|
|
67
68
|
"spec/resource_spec.rb",
|
|
@@ -16,11 +16,11 @@ describe 'corkami/imports_badterm.exe' do
|
|
|
16
16
|
@imports.map(&:class).uniq.should == [PEdump::IMAGE_IMPORT_DESCRIPTOR]
|
|
17
17
|
end
|
|
18
18
|
|
|
19
|
-
it "should have all entries thunks equal" do
|
|
20
|
-
@imports.each do |iid|
|
|
21
|
-
iid.first_thunk.should == iid.original_first_thunk
|
|
22
|
-
end
|
|
23
|
-
end
|
|
19
|
+
# it "should have all entries thunks equal" do
|
|
20
|
+
# @imports.each do |iid|
|
|
21
|
+
# iid.first_thunk.should == iid.original_first_thunk
|
|
22
|
+
# end
|
|
23
|
+
# end
|
|
24
24
|
|
|
25
25
|
describe "1st image_import_descriptor" do
|
|
26
26
|
it "should be from kernel32.dll" do
|
data/spec/imports_vterm_spec.rb
CHANGED
|
@@ -16,11 +16,11 @@ describe 'corkami/imports_vterm.exe' do
|
|
|
16
16
|
@imports.map(&:class).uniq.should == [PEdump::IMAGE_IMPORT_DESCRIPTOR]
|
|
17
17
|
end
|
|
18
18
|
|
|
19
|
-
it "should have all entries thunks equal" do
|
|
20
|
-
@imports.each do |iid|
|
|
21
|
-
iid.first_thunk.should == iid.original_first_thunk
|
|
22
|
-
end
|
|
23
|
-
end
|
|
19
|
+
# it "should have all entries thunks equal" do
|
|
20
|
+
# @imports.each do |iid|
|
|
21
|
+
# iid.first_thunk.should == iid.original_first_thunk
|
|
22
|
+
# end
|
|
23
|
+
# end
|
|
24
24
|
|
|
25
25
|
describe "1st image_import_descriptor" do
|
|
26
26
|
it "should be from kernel32.dll" do
|
data/spec/packer_spec.rb
ADDED
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
|
|
2
|
+
require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
|
|
3
|
+
|
|
4
|
+
%w'calc_upx.exe arm_upx.exe'.each do |fname|
|
|
5
|
+
describe fname do
|
|
6
|
+
before :all do
|
|
7
|
+
File.open(File.join("samples",fname),"rb") do |f|
|
|
8
|
+
@packer = PEdump.new(f).packer.first
|
|
9
|
+
end
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
it "should detect UPX" do
|
|
13
|
+
@packer.should_not be_nil
|
|
14
|
+
@packer.name.should include 'UPX'
|
|
15
|
+
end
|
|
16
|
+
end
|
|
17
|
+
end
|
data/spec/pedump_spec.rb
CHANGED
|
@@ -1,7 +1,19 @@
|
|
|
1
1
|
require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
|
|
2
2
|
|
|
3
|
-
describe "
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
3
|
+
describe "PEdump#dump" do
|
|
4
|
+
describe "should save packer" do
|
|
5
|
+
it "when arg is a filename" do
|
|
6
|
+
dump = PEdump.dump("samples/arm_upx.exe", :log_level => Logger::FATAL)
|
|
7
|
+
dump.packers.size.should == 1
|
|
8
|
+
dump.packers.first.name.should =~ /UPX/
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
it "when arg is an IO" do
|
|
12
|
+
File.open("samples/arm_upx.exe", "rb") do |f|
|
|
13
|
+
dump = PEdump.dump(f, :log_level => Logger::FATAL)
|
|
14
|
+
dump.packers.size.should == 1
|
|
15
|
+
dump.packers.first.name.should =~ /UPX/
|
|
16
|
+
end
|
|
17
|
+
end
|
|
18
|
+
end
|
|
7
19
|
end
|
data/spec/unpackers/find_spec.rb
CHANGED
|
@@ -7,6 +7,10 @@ describe PEdump::Unpacker do
|
|
|
7
7
|
PEdump::Unpacker.find("#{root}/samples/calc_upx.exe").should == PEdump::Unpacker::UPX
|
|
8
8
|
end
|
|
9
9
|
|
|
10
|
+
it "finds ARM UPX" do
|
|
11
|
+
PEdump::Unpacker.find("#{root}/samples/arm_upx.exe").should == PEdump::Unpacker::UPX
|
|
12
|
+
end
|
|
13
|
+
|
|
10
14
|
it "finds ASPack" do
|
|
11
15
|
PEdump::Unpacker.find("#{root}/samples/calc.asp212.exe").should == PEdump::Unpacker::ASPack
|
|
12
16
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: pedump
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.4.
|
|
4
|
+
version: 0.4.8
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -9,11 +9,11 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2012-01-
|
|
12
|
+
date: 2012-01-12 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: multipart-post
|
|
16
|
-
requirement: &
|
|
16
|
+
requirement: &70206434654160 !ruby/object:Gem::Requirement
|
|
17
17
|
none: false
|
|
18
18
|
requirements:
|
|
19
19
|
- - ~>
|
|
@@ -21,10 +21,10 @@ dependencies:
|
|
|
21
21
|
version: 1.1.4
|
|
22
22
|
type: :runtime
|
|
23
23
|
prerelease: false
|
|
24
|
-
version_requirements: *
|
|
24
|
+
version_requirements: *70206434654160
|
|
25
25
|
- !ruby/object:Gem::Dependency
|
|
26
26
|
name: progressbar
|
|
27
|
-
requirement: &
|
|
27
|
+
requirement: &70206434650540 !ruby/object:Gem::Requirement
|
|
28
28
|
none: false
|
|
29
29
|
requirements:
|
|
30
30
|
- - ~>
|
|
@@ -32,10 +32,10 @@ dependencies:
|
|
|
32
32
|
version: 0.9.2
|
|
33
33
|
type: :runtime
|
|
34
34
|
prerelease: false
|
|
35
|
-
version_requirements: *
|
|
35
|
+
version_requirements: *70206434650540
|
|
36
36
|
- !ruby/object:Gem::Dependency
|
|
37
37
|
name: awesome_print
|
|
38
|
-
requirement: &
|
|
38
|
+
requirement: &70206434649280 !ruby/object:Gem::Requirement
|
|
39
39
|
none: false
|
|
40
40
|
requirements:
|
|
41
41
|
- - ! '>='
|
|
@@ -43,10 +43,10 @@ dependencies:
|
|
|
43
43
|
version: '0'
|
|
44
44
|
type: :runtime
|
|
45
45
|
prerelease: false
|
|
46
|
-
version_requirements: *
|
|
46
|
+
version_requirements: *70206434649280
|
|
47
47
|
- !ruby/object:Gem::Dependency
|
|
48
48
|
name: rspec
|
|
49
|
-
requirement: &
|
|
49
|
+
requirement: &70206434647680 !ruby/object:Gem::Requirement
|
|
50
50
|
none: false
|
|
51
51
|
requirements:
|
|
52
52
|
- - ~>
|
|
@@ -54,10 +54,10 @@ dependencies:
|
|
|
54
54
|
version: 2.3.0
|
|
55
55
|
type: :development
|
|
56
56
|
prerelease: false
|
|
57
|
-
version_requirements: *
|
|
57
|
+
version_requirements: *70206434647680
|
|
58
58
|
- !ruby/object:Gem::Dependency
|
|
59
59
|
name: bundler
|
|
60
|
-
requirement: &
|
|
60
|
+
requirement: &70206434646960 !ruby/object:Gem::Requirement
|
|
61
61
|
none: false
|
|
62
62
|
requirements:
|
|
63
63
|
- - ~>
|
|
@@ -65,10 +65,10 @@ dependencies:
|
|
|
65
65
|
version: 1.0.0
|
|
66
66
|
type: :development
|
|
67
67
|
prerelease: false
|
|
68
|
-
version_requirements: *
|
|
68
|
+
version_requirements: *70206434646960
|
|
69
69
|
- !ruby/object:Gem::Dependency
|
|
70
70
|
name: jeweler
|
|
71
|
-
requirement: &
|
|
71
|
+
requirement: &70206434677380 !ruby/object:Gem::Requirement
|
|
72
72
|
none: false
|
|
73
73
|
requirements:
|
|
74
74
|
- - ~>
|
|
@@ -76,10 +76,10 @@ dependencies:
|
|
|
76
76
|
version: 1.6.4
|
|
77
77
|
type: :development
|
|
78
78
|
prerelease: false
|
|
79
|
-
version_requirements: *
|
|
79
|
+
version_requirements: *70206434677380
|
|
80
80
|
- !ruby/object:Gem::Dependency
|
|
81
81
|
name: rcov
|
|
82
|
-
requirement: &
|
|
82
|
+
requirement: &70206434676480 !ruby/object:Gem::Requirement
|
|
83
83
|
none: false
|
|
84
84
|
requirements:
|
|
85
85
|
- - ! '>='
|
|
@@ -87,10 +87,10 @@ dependencies:
|
|
|
87
87
|
version: '0'
|
|
88
88
|
type: :development
|
|
89
89
|
prerelease: false
|
|
90
|
-
version_requirements: *
|
|
90
|
+
version_requirements: *70206434676480
|
|
91
91
|
- !ruby/object:Gem::Dependency
|
|
92
92
|
name: what_methods
|
|
93
|
-
requirement: &
|
|
93
|
+
requirement: &70206434675740 !ruby/object:Gem::Requirement
|
|
94
94
|
none: false
|
|
95
95
|
requirements:
|
|
96
96
|
- - ! '>='
|
|
@@ -98,10 +98,10 @@ dependencies:
|
|
|
98
98
|
version: '0'
|
|
99
99
|
type: :development
|
|
100
100
|
prerelease: false
|
|
101
|
-
version_requirements: *
|
|
101
|
+
version_requirements: *70206434675740
|
|
102
102
|
- !ruby/object:Gem::Dependency
|
|
103
103
|
name: looksee
|
|
104
|
-
requirement: &
|
|
104
|
+
requirement: &70206434674700 !ruby/object:Gem::Requirement
|
|
105
105
|
none: false
|
|
106
106
|
requirements:
|
|
107
107
|
- - ! '>='
|
|
@@ -109,7 +109,7 @@ dependencies:
|
|
|
109
109
|
version: '0'
|
|
110
110
|
type: :development
|
|
111
111
|
prerelease: false
|
|
112
|
-
version_requirements: *
|
|
112
|
+
version_requirements: *70206434674700
|
|
113
113
|
description: dump headers, sections, extract resources of win32 PE exe,dll,etc
|
|
114
114
|
email: zed.0xff@gmail.com
|
|
115
115
|
executables:
|
|
@@ -163,6 +163,7 @@ files:
|
|
|
163
163
|
- spec/imports_badterm_spec.rb
|
|
164
164
|
- spec/imports_vterm_spec.rb
|
|
165
165
|
- spec/manyimportsW7_spec.rb
|
|
166
|
+
- spec/packer_spec.rb
|
|
166
167
|
- spec/pe_spec.rb
|
|
167
168
|
- spec/pedump_spec.rb
|
|
168
169
|
- spec/resource_spec.rb
|
|
@@ -187,7 +188,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
187
188
|
version: '0'
|
|
188
189
|
segments:
|
|
189
190
|
- 0
|
|
190
|
-
hash:
|
|
191
|
+
hash: -1408674862654916848
|
|
191
192
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
192
193
|
none: false
|
|
193
194
|
requirements:
|