pedump 0.5.0 → 0.6.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 73c28547719cedc77a48cbcd0b519283d09d061c358c24fd14fcff8e130072bf
+  data.tar.gz: 4444e01ee15c6920856ed30e63d118bc027758de0e696ea02d1c1bd3a6486bee
+SHA512:
+  metadata.gz: d35bdf91d6081245a723b569837b7332baf0b61962747d6595a0afed6625fba3f15fa1e7ae5db9734ed7e08f03008031037254fc2df60f655c10b0e95db5d005
+  data.tar.gz: e9ac50ac19c5814f6364dde31dd0a16c0e263015e752c4a82b04e707c08a3e999255572c643da990ce9fabb4d3e624e85bdab53697e702044f941772fc96974e

data/.github/FUNDING.yml

@@ -0,0 +1,2 @@
+#github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+ko_fi: zed_0xff

data/.github/dependabot.yml

@@ -0,0 +1,8 @@
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: bundler
+    directory: "/"
+    schedule:
+      interval: "weekly"

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,76 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, sex characteristics, gender identity and expression,
+level of experience, education, socio-economic status, nationality, personal
+appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+ advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+ address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+ professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at zed.0xff@gmail.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see
+https://www.contributor-covenant.org/faq

data/Gemfile

@@ -1,20 +1,15 @@
-source "http://rubygems.org"
-# Add dependencies required to use your gem here.
-# Example:
-#   gem "activesupport", ">= 2.3.5"
-gem "multipart-post", "~> 1.1.4"
-gem "progressbar"
+source "https://rubygems.org"
+#gemspec
+
+gem 'rainbow'
 gem "awesome_print"
-gem "iostruct", ">= 0.0.4"
-gem "zhexdump", ">= 0.0.2"
+gem "iostruct",       ">= 0.0.4"
+gem "multipart-post", ">= 2.0.0"
+gem "zhexdump",       ">= 0.0.2"
 
-# Add dependencies to develop your gem here.
-# Include everything needed to run rake, tests, features, etc.
 group :development do
-  gem "rspec"
-  gem "bundler"
-  gem "jeweler"
-#  gem "rcov", ">= 0"
-  gem "what_methods"
-#  gem "looksee"
+  gem "rspec",   "~> 3.9.0"
+  gem "rspec-its", "~> 1.3.0"
+  gem "bundler", "~> 2.1.4"
+  gem "jeweler", "~> 2.3.9"
 end

data/Gemfile.lock

@@ -1,30 +1,73 @@
 GEM
-  remote: http://rubygems.org/
+  remote: https://rubygems.org/
   specs:
-    awesome_print (1.1.0)
-    diff-lcs (1.1.3)
-    git (1.2.5)
+    addressable (2.4.0)
+    awesome_print (1.8.0)
+    builder (3.2.4)
+    descendants_tracker (0.0.4)
+      thread_safe (~> 0.3, >= 0.3.1)
+    diff-lcs (1.3)
+    faraday (0.9.2)
+      multipart-post (>= 1.2, < 3)
+    git (1.5.0)
+    github_api (0.16.0)
+      addressable (~> 2.4.0)
+      descendants_tracker (~> 0.0.4)
+      faraday (~> 0.8, < 0.10)
+      hashie (>= 3.4)
+      mime-types (>= 1.16, < 3.0)
+      oauth2 (~> 1.0)
+    hashie (4.0.0)
+    highline (2.0.3)
     iostruct (0.0.4)
-    jeweler (1.8.4)
-      bundler (~> 1.0)
+    jeweler (2.3.9)
+      builder
+      bundler
       git (>= 1.2.5)
+      github_api (~> 0.16.0)
+      highline (>= 1.6.15)
+      nokogiri (>= 1.5.10)
+      psych
       rake
       rdoc
-    json (1.7.5)
-    multipart-post (1.1.5)
-    progressbar (0.12.0)
-    rake (10.0.4)
-    rdoc (3.12)
-      json (~> 1.4)
-    rspec (2.12.0)
-      rspec-core (~> 2.12.0)
-      rspec-expectations (~> 2.12.0)
-      rspec-mocks (~> 2.12.0)
-    rspec-core (2.12.1)
-    rspec-expectations (2.12.0)
-      diff-lcs (~> 1.1.3)
-    rspec-mocks (2.12.0)
-    what_methods (1.0.1)
+      semver2
+    jwt (2.2.1)
+    mime-types (2.99.3)
+    mini_portile2 (2.4.0)
+    multi_json (1.14.1)
+    multi_xml (0.6.0)
+    multipart-post (2.1.1)
+    nokogiri (1.10.8)
+      mini_portile2 (~> 2.4.0)
+    oauth2 (1.4.2)
+      faraday (>= 0.8, < 2.0)
+      jwt (>= 1.0, < 3.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 3)
+    psych (3.1.0)
+    rack (2.2.3)
+    rainbow (3.0.0)
+    rake (13.0.1)
+    rdoc (6.2.1)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.1)
+      rspec-support (~> 3.9.1)
+    rspec-expectations (3.9.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-its (1.3.0)
+      rspec-core (>= 3.0.0)
+      rspec-expectations (>= 3.0.0)
+    rspec-mocks (3.9.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.2)
+    semver2 (3.4.2)
+    thread_safe (0.3.6)
     zhexdump (0.0.2)
 
 PLATFORMS
@@ -32,11 +75,14 @@ PLATFORMS
 
 DEPENDENCIES
   awesome_print
-  bundler
+  bundler (~> 2.1.4)
   iostruct (>= 0.0.4)
-  jeweler
-  multipart-post (~> 1.1.4)
-  progressbar
-  rspec
-  what_methods
+  jeweler (~> 2.3.9)
+  multipart-post (>= 2.0.0)
+  rainbow
+  rspec (~> 3.9.0)
+  rspec-its (~> 1.3.0)
   zhexdump (>= 0.0.2)
+
+BUNDLED WITH
+   2.1.4

data/README.md

@@ -1,6 +1,11 @@
-pedump    [![Build Status](https://travis-ci.org/zed-0xff/pedump.png?branch=master)](https://travis-ci.org/zed-0xff/pedump) [![Dependency Status](https://gemnasium.com/zed-0xff/pedump.png)](https://gemnasium.com/zed-0xff/pedump)
+pedump    [![Build Status](https://travis-ci.org/zed-0xff/pedump.png?branch=master)](https://travis-ci.org/zed-0xff/pedump) [![ko-fi](https://www.ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/K3K81Z3W5)
 ======
 
+News
+----
+2020.07.26 - now travis autotests run on ARM and OSX too!
+2020.07.25 - added EFI TE parsing; removed 'progressbar' gem dependency
+
 Description
 -----------
 A pure ruby implementation of win32 PE binary files dumper.
@@ -11,6 +16,7 @@ Supported formats:
  * win16 NE
  * win32 PE
  * win64 PE
+ * EFI TE
 
 Can dump:
 
@@ -43,13 +49,14 @@ Usage
                                          (can be used multiple times)
         -F, --force                      Try to dump by all means
                                          (can cause exceptions & heavy wounds)
-        -f, --format FORMAT              Output format: bin,c,dump,hex,inspect,table,yaml
+        -f, --format FORMAT              Output format: bin,c,dump,hex,inspect,json,table,yaml
                                          (default: table)
             --mz
             --dos-stub
             --rich
             --pe
             --ne
+            --te
             --data-directory
         -S, --sections
             --tls
@@ -67,9 +74,11 @@ Usage
         -r, --recursive                  recurse dirs in packer detect
             --all                        Dump all but resource-directory (default)
             --va2file VA                 Convert RVA to file offset
+    
         -W, --web                        Uploads files to a http://pedump.me
                                          for a nice HTML tables with image previews,
                                          candies & stuff
+        -C, --console                    opens IRB console with specified file loaded
 
 ### MZ Header
 
@@ -107,10 +116,10 @@ Usage
 
     === DOS STUB ===
     
-    00000000:  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
-    00000010:  69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
-    00000020:  74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
-    00000030:  6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|
+    00000000: 0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
+    00000010: 69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
+    00000020: 74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
+    00000030: 6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|
 
 ### 'Rich' Header
 

data/Rakefile

@@ -23,59 +23,20 @@ Jeweler::Tasks.new do |gem|
   gem.authors = ["Andrey \"Zed\" Zaikin"]
   gem.executables = %w'pedump'
   gem.files.include "lib/**/*.rb"
-  gem.files.include "data/*.bin"
-  gem.files.include "data/*.txt"
-
-  gem.files.exclude "samples/*", "README.md.tpl"
-  gem.extra_rdoc_files.exclude "README.md.tpl"
+  gem.files.exclude %w'samples/**/* spec/**/* tmp/**/* tmp/.keep .* README.md.tpl'
+  gem.extra_rdoc_files.exclude 'README.md.tpl'
+  # dependencies defined in Gemfile
 end
 Jeweler::RubygemsDotOrgTasks.new
 
 require 'rspec/core'
 require 'rspec/core/rake_task'
-RSpec::Core::RakeTask.new(:spec) do |spec|
-  spec.pattern = FileList['spec/**/*_spec.rb']
-end
 
-RSpec::Core::RakeTask.new(:rcov) do |spec|
-  spec.pattern = 'spec/**/*_spec.rb'
-  spec.rcov = true
-end
+desc "run specs"
+RSpec::Core::RakeTask.new
 
 task :default => :spec
 
-#require 'rake/rdoctask'
-#Rake::RDocTask.new do |rdoc|
-#  version = File.exist?('VERSION') ? File.read('VERSION') : ""
-#
-#  rdoc.rdoc_dir = 'rdoc'
-#  rdoc.title = "pedump #{version}"
-#  rdoc.rdoc_files.include('README*')
-#  rdoc.rdoc_files.include('lib/**/*.rb')
-#end
-
-class Jeweler::Commands::Version::Base
-  alias :commit_version_old :commit_version
-  def commit_version
-    code = <<-EOF
-class PEdump
-  module Version
-    MAJOR = #{version_helper.major}
-    MINOR = #{version_helper.minor}
-    PATCH = #{version_helper.patch}
-    BUILD = nil
-
-    STRING = [MAJOR, MINOR, PATCH, BUILD].compact.join('.')
-  end
-end
-    EOF
-    vfile = working_subdir.join("lib/pedump/version.rb")
-    File.open(vfile,"w"){ |f| f << code }
-    self.repo.add vfile if self.repo
-    commit_version_old
-  end
-end
-
 namespace :test do
   desc "test on all files in given path"
   task :all_files do

data/VERSION

@@ -1 +1 @@
-0.5.0
+0.6.0

data/lib/pedump.rb

@@ -2,6 +2,7 @@
 require 'stringio'
 require 'iostruct'
 require 'zhexdump'
+require 'set'
 
 unless Object.new.respond_to?(:try) && nil.respond_to?(:try)
   require 'pedump/core_ext/try'
@@ -16,6 +17,7 @@ require 'pedump/security'
 require 'pedump/packer'
 require 'pedump/ne'
 require 'pedump/ne/version_info'
+require 'pedump/te'
 
 # pedump.rb by zed_0xff
 #
@@ -27,6 +29,10 @@ class PEdump
 
   VERSION    = Version::STRING
   MAX_ERRORS = 100
+  MAX_IMAGE_IMPORT_DESCRIPTORS = 1000
+  MAX_EXPORT_NUMBER_OF_NAMES = 16384 # got 7977 in http://pedump.me/03ad7400080678c6b1984f995d36fd04
+  GOOD_FUNCTION_NAME_RE = /\A[\x21-\x7f]+\Z/
+  SUPPORTED_SIGNATURES = ['MZ', 'ZM', 'VZ']
 
   @@logger = nil
 
@@ -318,9 +324,9 @@ class PEdump
     @mz ||= f && MZ.read(f).tap do |mz|
       if mz.signature != 'MZ' && mz.signature != 'ZM'
         if @force
-          logger.warn  "[?] no MZ signature. want: 'MZ' or 'ZM', got: #{mz.signature.inspect}"
+          #logger.warn  "[?] no MZ signature. want: 'MZ' or 'ZM', got: #{mz.signature.inspect}"
         else
-          logger.error "[!] no MZ signature. want: 'MZ' or 'ZM', got: #{mz.signature.inspect}. (not forced)"
+          #logger.error "[!] no MZ signature. want: 'MZ' or 'ZM', got: #{mz.signature.inspect}. (not forced)"
           return nil
         end
       end
@@ -427,16 +433,22 @@ class PEdump
   end
 
   def _dump_handle h
-    return unless pe(h) # also calls mz(h)
-    rich_hdr h
-    resources h
-    imports h   # also calls tls(h)
-    exports h
-    packer h
+    if pe(h) # also calls mz(h)
+      rich_hdr h
+      resources h
+      imports h   # also calls tls(h)
+      exports h
+      packer h
+    elsif te(h)
+    end
   end
 
   def data_directory f=@io
-    pe(f) && pe.ioh && pe.ioh.DataDirectory
+    if pe(f)
+      pe.ioh && pe.ioh.DataDirectory
+    elsif te(f)
+      te.DataDirectory
+    end
   end
 
   def sections f=@io
@@ -444,16 +456,52 @@ class PEdump
       pe.section_table
     elsif ne(f)
       ne.segments
+    elsif te(f)
+      te.sections
     end
   end
   alias :section_table :sections
 
-  def ne?
-    @pe ? false : (@ne ? true : (pe ? false : (ne ? true : false)))
+  def supported_file? f=@io
+    pos = f.tell
+    sig = f.read(2)
+    f.seek(pos)
+    if SUPPORTED_SIGNATURES.include?(sig)
+      true
+    else
+      unless @not_supported_sig_warned
+        msg = "no supported signature. want: #{SUPPORTED_SIGNATURES.join("/")}, got: #{sig.inspect}"
+        if @force
+          logger.warn  "[?] #{msg}"
+        else
+          logger.error "[!] #{msg}. (not forced)"
+        end
+        @not_supported_sig_warned = true
+      end
+      false
+    end
+  end
+
+  def _detect_format
+    return :pe if @pe
+    return :ne if @ne
+    return :te if @te
+    return :pe if pe()
+    return :ne if ne()
+    return :te if te()
+    nil
   end
 
   def pe?
-    @pe ? true  : (@ne ? false : (pe ? true : false ))
+    _detect_format() == :pe
+  end
+
+  def ne?
+    _detect_format() == :ne
+  end
+
+  def te?
+    _detect_format() == :te
   end
 
   ##############################################################################
@@ -474,9 +522,10 @@ class PEdump
     :first_thunk
 
   class ImportedFunction < Struct.new(:hint, :name, :ordinal, :va, :module_name)
-#    def == x
-#      self.hint == x.hint && self.name == x.name && self.ordinal == x.ordinal
-#    end
+    def == x
+      self.hint == x.hint && self.name == x.name && self.ordinal == x.ordinal &&
+        self.module_name == x.module_name
+    end
 #    def <=> x
 #      self.to_a[0..-2] <=> x.to_a[0..-2]
 #    end
@@ -526,7 +575,11 @@ class PEdump
           # http://code.google.com/p/corkami/source/browse/trunk/asm/PE/manyimportsW7.asm
           break
         end
-        t=IMAGE_IMPORT_DESCRIPTOR.read(f)
+        if r.size >= MAX_IMAGE_IMPORT_DESCRIPTORS
+          logger.warn "[!] too many IMAGE_IMPORT_DESCRIPTORs, not reading more than #{r.size}"
+          break
+        end
+        t = IMAGE_IMPORT_DESCRIPTOR.read(f)
         break if t.Name.to_i == 0 # also catches EOF
         r << t
         file_offset += IMAGE_IMPORT_DESCRIPTOR::SIZE
@@ -535,8 +588,16 @@ class PEdump
       logger.warn "[?] imports info beyond EOF"
     end
 
+    n_bad_names = 0
     logger.warn "[?] non-empty last IMAGE_IMPORT_DESCRIPTOR: #{t.inspect}" if t && !t.empty?
-    @imports = r.each do |x|
+    @imports = r
+    r = nil
+    @imports.each_with_index do |x, iidx|
+      if n_bad_names > MAX_ERRORS
+        logger.warn "[!] too many bad imported function names. skipping further imports parsing"
+        @imports = @imports[0,iidx]
+        break
+      end
       if x.Name.to_i != 0 && (ofs = va2file(x.Name))
         begin
         f.seek ofs
@@ -571,12 +632,18 @@ class PEdump
                 logger.warn "[?] import ofs 0x#{ofs.to_s(16)} VA=0x#{t.to_s(16)} beyond EOF"
                 nil
               else
-                ImportedFunction.new(
-                  f.read(2).unpack('v').first,
-                  f.gets("\x00").chomp("\x00"),
-                  nil,
-                  va
-                )
+                hint = f.read(2).unpack('v').first
+                name = f.gets("\x00").chomp("\x00")
+                if !name.empty? && name !~ GOOD_FUNCTION_NAME_RE
+                  n_bad_names += 1
+                  if n_bad_names > MAX_ERRORS
+                    nil
+                  else
+                    ImportedFunction.new(hint, name, nil, va)
+                  end
+                else
+                  ImportedFunction.new(hint, name, nil, va)
+                end
               end
             elsif tbl == :original_first_thunk
               # OriginalFirstThunk entries can not be invalid, show a warning msg
@@ -591,7 +658,7 @@ class PEdump
             end
         end
         x[tbl] && x[tbl].compact!
-      end
+      end # [:original_first_thunk, :first_thunk].each
       if x.original_first_thunk && !x.first_thunk
         logger.warn "[?] import table: empty FirstThunk for #{x.module_name}"
       elsif !x.original_first_thunk && x.first_thunk
@@ -602,7 +669,8 @@ class PEdump
           logger.debug "[?] import table: OriginalFirstThunk != FirstThunk for #{x.module_name}"
         end
       end
-    end
+    end # r.each
+    @imports
   end
 
   ##############################################################################
@@ -626,7 +694,11 @@ class PEdump
     :name, :entry_points, :names, :name_ordinals, :functions,
     :description # NE only
 
-  ExportedFunction = Struct.new :name, :ord, :va, :file_offset
+  class ExportedFunction < Struct.new :name, :ord, :va, :file_offset
+    def ordinal
+      self.ord
+    end
+  end
 
   def exports f=@io
     if pe(f)
@@ -715,9 +787,9 @@ class PEdump
       ord2name = {}
       if x.names && x.names.any?
         n = x.NumberOfNames
-        if n > 2048
-          logger.warn "[?] NumberOfNames too big (#{x.NumberOfNames}), limiting to 2048"
-          n = 2048
+        if n > MAX_EXPORT_NUMBER_OF_NAMES
+          logger.warn "[?] NumberOfNames too big (#{x.NumberOfNames}), limiting to #{MAX_EXPORT_NUMBER_OF_NAMES}"
+          n = MAX_EXPORT_NUMBER_OF_NAMES
         end
         n.times do |i|
           ord2name[x.name_ordinals[i]] ||= []