pedump 0.5.0 → 0.6.0

data/lib/pedump/cli.rb

@@ -33,7 +33,7 @@ class PEdump::CLI
   attr_accessor :data, :argv
 
   KNOWN_ACTIONS = (
-    %w'mz dos_stub rich pe ne data_directory sections tls security' +
+    %w'mz dos_stub rich pe ne te data_directory sections tls security' +
     %w'strings resources resource_directory imports exports version_info packer web console packer_only'
   ).map(&:to_sym)
 
@@ -65,8 +65,8 @@ class PEdump::CLI
         @options[:force] ||= 0
         @options[:force] += 1
       end
-      opts.on "-f", "--format FORMAT", [:binary, :c, :dump, :hex, :inspect, :table, :yaml],
-        "Output format: bin,c,dump,hex,inspect,table,yaml","(default: table)" do |v|
+      opts.on "-f", "--format FORMAT", [:binary, :c, :dump, :hex, :inspect, :json, :table, :yaml],
+        "Output format: bin,c,dump,hex,inspect,json,table,yaml","(default: table)" do |v|
         @options[:format] = v
       end
       KNOWN_ACTIONS.each do |t|
@@ -135,7 +135,7 @@ class PEdump::CLI
       File.open(fname,'rb') do |f|
         @pedump = create_pedump fname
 
-        next if !@options[:force] && !@pedump.mz(f)
+        next if !@options[:force] && !@pedump.supported_file?(f)
 
         @actions.each do |action|
           case action
@@ -194,16 +194,14 @@ class PEdump::CLI
   end
 
   class ProgressProxy
-    attr_reader :pbar
-
-    def initialize file
-      @file = file
-      @pbar = ProgressBar.new("[.] uploading", file.size, STDOUT)
-      @pbar.try(:file_transfer_mode)
-      @pbar.bar_mark = '='
+    def initialize file, prefix = "[.] uploading: ", io = STDOUT
+      @file   = file
+      @io     = io
+      @prefix = prefix
     end
     def read *args
-      @pbar.inc args.first
+      @io.write("\r#{@prefix}#{@file.tell}/#{@file.size} ")
+      @io.flush
       @file.read *args
     end
     def method_missing *args
@@ -212,6 +210,10 @@ class PEdump::CLI
     def respond_to? *args
       @file.respond_to?(args.first) || super(*args)
     end
+
+    def finish!
+      @io.write("\r#{@prefix}#{@file.size}/#{@file.size} \n")
+    end
   end
 
   def upload f
@@ -224,7 +226,6 @@ class PEdump::CLI
     require 'open-uri'
     require 'net/http'
     require 'net/http/post/multipart'
-    require 'progressbar'
 
     stdout_sync = STDOUT.sync
     STDOUT.sync = true
@@ -250,15 +251,15 @@ class PEdump::CLI
 
     f.rewind
 
-    # upload with progressbar
+    # upload with progress
     post_url = URI.parse(URL_BASE+'/')
+    # UploadIO is from multipart-post
     uio = UploadIO.new(f, "application/octet-stream", File.basename(f.path))
     ppx = ProgressProxy.new(uio)
     req = Net::HTTP::Post::Multipart.new post_url.path, "file" => ppx
     res = Net::HTTP.start(post_url.host, post_url.port){ |http| http.request(req) }
-    ppx.pbar.finish
+    ppx.finish!
 
-    puts
     puts "[.] analyzing..."
 
     if (r=open(File.join(URL_BASE,md5,'analyze')).read) != "OK"
@@ -326,7 +327,7 @@ class PEdump::CLI
 
     puts action_title(action) unless @options[:format] == :binary
 
-    return dump(data) if [:inspect, :table, :yaml].include?(@options[:format])
+    return dump(data) if [:inspect, :table, :json, :yaml].include?(@options[:format])
 
     dump_opts = {:name => action}
     case action
@@ -376,6 +377,9 @@ class PEdump::CLI
     when :yaml
       require 'yaml'
       puts data.to_yaml
+    when :json
+      require 'json'
+      puts data.to_json
     end
   end
 
@@ -454,6 +458,8 @@ class PEdump::CLI
       case data.first
       when PEdump::IMAGE_DATA_DIRECTORY
         dump_data_dir data
+      when PEdump::EFI_IMAGE_DATA_DIRECTORY
+        dump_efi_data_dir data
       when PEdump::IMAGE_SECTION_HEADER
         dump_sections data
       when PEdump::Resource
@@ -778,13 +784,18 @@ class PEdump::CLI
     end
   end
 
-
   def dump_data_dir data
     data.each do |row|
       printf "  %-12s  rva:0x%8x   size:0x %8x\n", row.type, row.va.to_i, row.size.to_i
     end
   end
 
+  def dump_efi_data_dir data
+    data.each_with_index do |row, idx|
+      printf "  %-12s  rva:0x%8x   size:0x %8x\n", PEdump::EFI_IMAGE_DATA_DIRECTORY::TYPES[idx], row.va.to_i, row.size.to_i
+    end
+  end
+
   def dump_rich_hdr data
     if decoded = data.decode
       puts "    LIB_ID        VERSION        TIMES_USED   "

data/lib/pedump/loader.rb

@@ -263,7 +263,7 @@ class PEdump::Loader
     @pedump.imports.each do |iid| # Image Import Descriptor
       va = iid.FirstThunk + @image_base
       (Array(iid.original_first_thunk) + Array(iid.first_thunk)).uniq.each do |func|
-        name = func.name || "##{func.ordinal}"
+        name = "__imp_" + (func.name || "#{func.ordinal}")
         @names[va] = name
         va += 4
       end

data/lib/pedump/loader/minidump.rb

@@ -53,6 +53,24 @@ class PEdump
     end
   end
 
+  MINIDUMP_MEMORY_DESCRIPTOR = IOStruct.new 'QLL',
+    :StartOfMemoryRange,
+    :DataSize,
+    :Rva
+
+  class MINIDUMP_MEMORY_LIST < IOStruct.new 'L',
+    :NumberOfMemoryRanges,
+    :MemoryRanges
+
+    def self.read io
+      r = super
+      r.MemoryRanges = r.NumberOfMemoryRanges.times.map{ MINIDUMP_MEMORY_DESCRIPTOR.read(io) }
+      r
+    end
+
+    def entries; self.MemoryRanges; end
+  end
+
   MINIDUMP_MEMORY_DESCRIPTOR64 = IOStruct.new 'QQ',
     :StartOfMemoryRange,
     :DataSize
@@ -78,7 +96,7 @@ class PEdump
          2 => :ReservedStream1,
          3 => :ThreadListStream,
          4 => :ModuleListStream,
-         5 => :MemoryListStream,
+         5 => :MemoryListStream,             # MINIDUMP_MEMORY_LIST
          6 => :ExceptionStream,
          7 => :SystemInfoStream,
          8 => :ThreadExListStream,
@@ -92,7 +110,34 @@ class PEdump
         16 => :MemoryInfoListStream,         # MINIDUMP_MEMORY_INFO_LIST
         17 => :ThreadInfoListStream,
         18 => :HandleOperationListStream,
-    0xffff => :LastReservedStream
+    0xffff => :LastReservedStream,
+
+    # Special types saved by google breakpad
+    # https://chromium.googlesource.com/breakpad/breakpad/+/846b6335c5b0ba46dfa2ed96fccfa3f7a02fa2f1/src/google_breakpad/common/minidump_format.h#311
+    0x47670001 => :BreakpadInfoStream,
+    0x47670002 => :BreakpadAssertionInfoStream,
+    0x47670003 => :BreakpadLinuxCpuInfo,
+    0x47670004 => :BreakpadLinuxProcStatus,
+    0x47670005 => :BreakpadLinuxLsbRelease,
+    0x47670006 => :BreakpadLinuxCmdLine,
+    0x47670007 => :BreakpadLinuxEnviron,
+    0x47670008 => :BreakpadLinuxAuxv,
+    0x47670009 => :BreakpadLinuxMaps,
+    0x4767000A => :BreakpadLinuxDsoDebug,
+
+    # Saved by crashpad
+    # https://chromium.googlesource.com/crashpad/crashpad/+/doc/minidump/minidump_extensions.h#95
+    0x43500001 => :CrashpadInfo,
+
+    # Saved by Syzyasan
+    # https://github.com/google/syzygy/blob/c8bb4927f07fec0de8834c4774ddaafef0bc099f/syzygy/kasko/api/client.h#L28
+    # https://github.com/google/syzygy/blob/master/syzygy/crashdata/crashdata.proto
+    0x4B6B0001 => :SyzyasanCrashdata,
+
+    # Saved by Chromium
+    0x4B6B0002 => :ChromiumStabilityReport,
+    0x4B6B0003 => :ChromiumSystemProfile,
+    0x4B6B0004 => :ChromiumGwpAsanData,
   }
 
   class Loader
@@ -116,17 +161,32 @@ class PEdump
           end
       end
 
+      def stream_by_name(name)
+        type = MINIDUMP_STREAM_TYPE.invert[name]
+        raise "Unknown type symbol #{name}!" if !type
+
+        streams.find { |s| s.StreamType == type }
+      end
+
       def memory_info_list
         # MINIDUMP_MEMORY_INFO_LIST
-        stream = streams.find{ |s| s.StreamType == 16 }
+        stream = stream_by_name(:MemoryInfoListStream)
         return nil unless stream
         io.seek stream.Location.Rva
         MINIDUMP_MEMORY_INFO_LIST.read io
       end
 
       def memory_list
+        # MINIDUMP_MEMORY_LIST
+        stream = stream_by_name(:MemoryListStream)
+        return nil unless stream
+        io.seek stream.Location.Rva
+        MINIDUMP_MEMORY_LIST.read io
+      end
+
+      def memory64_list
         # MINIDUMP_MEMORY64_LIST
-        stream = streams.find{ |s| s.StreamType == 9 }
+        stream = stream_by_name(:Memory64ListStream)
         return nil unless stream
         io.seek stream.Location.Rva
         MINIDUMP_MEMORY64_LIST.read io
@@ -136,27 +196,50 @@ class PEdump
 
       # set options[:merge] = true to merge adjacent memory ranges
       def memory_ranges options = {}
-        ml = memory_list
-        file_offset = ml.BaseRva
-        r = []
-        if options[:merge]
-          ml.entries.each do |x|
-            if r.last && r.last.va + r.last.size == x.StartOfMemoryRange
-              # if section VA == prev_section.VA + prev_section.SIZE
-              # then just increase the size of previous section
-              r.last.size += x.DataSize
-            else
+        if memory64_list
+          ml = memory64_list
+          file_offset = ml.BaseRva
+          r = []
+          if options[:merge]
+            ml.entries.each do |x|
+              if r.last && r.last.va + r.last.size == x.StartOfMemoryRange
+                # if section VA == prev_section.VA + prev_section.SIZE
+                # then just increase the size of previous section
+                r.last.size += x.DataSize
+              else
+                r << MemoryRange.new( file_offset, x.StartOfMemoryRange, x.DataSize )
+              end
+              file_offset += x.DataSize
+            end
+          else
+            ml.entries.each do |x|
               r << MemoryRange.new( file_offset, x.StartOfMemoryRange, x.DataSize )
+              file_offset += x.DataSize
             end
-            file_offset += x.DataSize
           end
-        else
-          ml.entries.each do |x|
-            r << MemoryRange.new( file_offset, x.StartOfMemoryRange, x.DataSize )
-            file_offset += x.DataSize
+          return r
+        elsif memory_list
+          ml = memory_list
+          r = []
+          if options[:merge]
+            ml.entries.each do |x|
+              if r.last && r.last.va + r.last.size == x.StartOfMemoryRange
+                # if section VA == prev_section.VA + prev_section.SIZE
+                # then just increase the size of previous section
+                r.last.size += x.DataSize
+              else
+                r << MemoryRange.new( x.Rva, x.StartOfMemoryRange, x.DataSize )
+              end
+            end
+          else
+            ml.entries.each do |x|
+              r << MemoryRange.new( x.Rva, x.StartOfMemoryRange, x.DataSize )
+            end
           end
+          return r
+        else
+          raise "Could not find memory ranges"
         end
-        r
       end
 
     end # class Minidump
@@ -167,21 +250,102 @@ end # module PEdump
 
 if $0 == __FILE__
   require 'pp'
+  require 'optparse'
 
-  raise "gimme a fname" if ARGV.empty?
-  io = open(ARGV.first,"rb")
+  options = {}
+  opt_parse = OptionParser.new do |opts|
+    opts.banner = "Usage: #{$0} [options] <minidump>"
 
+    opts.on("--all", "Print all of the following sections") do
+      options[:all] = true
+    end
+    opts.on("--header", "Print minidump header") do
+      options[:header] = true
+    end
+    opts.on("--streams", "Print out the streams present") do
+      options[:streams] = true
+    end
+    opts.on("--memory-ranges", "Print out memory ranges included in the minidump") do
+      options[:memory_ranges] = true
+    end
+    opts.on("--breakpad", "Print out breakpad text sections if present") do
+      options[:breakpad] = true
+    end
+    opts.separator ''
+
+    opts.on("--memory <address>", "Print the memory range beginning at address") do |m|
+      options[:memory] = m.hex
+    end
+    opts.separator ''
+
+    opts.on("-h", "--help", "Help") do
+      puts opts
+      exit 0
+    end
+  end
+
+  opt_parse.parse!
+
+  if ARGV.empty?
+    $stderr.puts opt_parse.help
+    exit 1
+  end
+
+  io = open(ARGV.first, "rb")
   md = PEdump::Loader::Minidump.new io
-  pp md.hdr
-  puts
-  puts "[.] #{md.memory_ranges.size} memory ranges"
-  puts "[.] #{md.memory_ranges(:merge => true).size} merged memory ranges"
-  puts
 
-#  pp md.memory_info_list
-#  pp md.memory_list
+  if options[:all] || options[:header]
+    pp md.hdr
+    puts
+  end
+
+  if options[:all] || options[:streams]
+    puts "[.] Streams present in the minidump:"
+    md.streams.each do |s|
+      if PEdump::MINIDUMP_STREAM_TYPE[s.StreamType]
+        puts "[.] #{PEdump::MINIDUMP_STREAM_TYPE[s.StreamType]}"
+      else
+        puts "[.] Unknown stream type #{s.StreamType}"
+      end
+    end
+    puts
+  end
+
+  if options[:all] || options[:breakpad]
+    [ :BreakpadLinuxCpuInfo, :BreakpadLinuxProcStatus, :BreakpadLinuxMaps,
+      :BreakpadLinuxCmdLine, :BreakpadLinuxEnviron ].each { |name|
+      stream = md.stream_by_name(name)
+      next if !stream
+
+      io.seek stream.Location.Rva
+      contents = io.read(stream.Location.DataSize)
+
+      if contents !~ /[^[:print:][:space:]]/
+        puts "[.] Section #{name}:"
+        puts contents
+      else
+        puts "[.] Section #{name}: #{contents.inspect}"
+      end
+      puts
+    }
+  end
+
+  if options[:all] || options[:memory_ranges]
+    puts "[.] #{md.memory_ranges.size} memory ranges"
+    puts "[.] #{md.memory_ranges(:merge => true).size} merged memory ranges"
+    puts
+
+    printf "[.] %16s %8s\n", "addr", "size"
+    md.memory_ranges(:merge => true).sort_by { |mr| mr.va }.each do |mr|
+      printf "[.] %16x %8x\n", mr.va, mr.size
+    end
+  end
+
+  if options[:memory]
+    mr = md.memory_ranges(:merge => true).find { |r| r.va == options[:memory] }
+    raise "Could not find the specified region" if !mr
 
-  md.memory_ranges(:merge => true).each do |mr|
-    printf "[.] %8x %8x %8x\n", mr.file_offset, mr.va, mr.size
+    io.seek(mr.file_offset)
+    print io.read(mr.size)
   end
 end

data/lib/pedump/ne.rb

@@ -405,7 +405,7 @@ class PEdump
       begin
         ne_offset = mz(f) && mz(f).lfanew
         if ne_offset.nil?
-          logger.fatal "[!] NULL NE offset (e_lfanew)."
+          logger.debug "[!] NULL NE offset (e_lfanew)."
           nil
         elsif ne_offset > f.size
           logger.fatal "[!] NE offset beyond EOF."

data/lib/pedump/pe.rb

@@ -24,78 +24,87 @@ class PEdump
       signature + ifh.pack + ioh.pack
     end
 
-    def self.read f, args = {}
+    def self.read_sections f, nToRead, args = {}
       force = args[:force]
 
+      if nToRead > 0xffff
+        if force.is_a?(Numeric) && force > 1
+          PEdump.logger.warn "[!] too many sections (#{nToRead}). forced. reading all"
+        else
+          PEdump.logger.warn "[!] too many sections (#{nToRead}). not forced, reading first 65535"
+          nToRead = 65535
+        end
+      end
+
+      sections = []
+      nToRead.times do
+        break if f.eof?
+        sections << IMAGE_SECTION_HEADER.read(f)
+      end
+
+      if sections.any?
+        # zero all missing values of last section
+        sections.last.tap do |last_section|
+          last_section.each_pair do |k,v|
+            last_section[k] = 0 if v.nil?
+          end
+        end
+      end
+
+      sections
+    end
+
+    def self.read f, args = {}
       pe_offset = f.tell
       pe_sig = f.read 4
       #logger.error "[!] 'NE' format is not supported!" if pe_sig == "NE\x00\x00"
       if pe_sig != "PE\x00\x00"
-        if force
+        if args[:force]
           logger.warn  "[?] no PE signature (want: 'PE\\x00\\x00', got: #{pe_sig.inspect})"
         else
           logger.debug "[?] no PE signature (want: 'PE\\x00\\x00', got: #{pe_sig.inspect}). (not forced)"
           return nil
         end
       end
-      PE.new(pe_sig).tap do |pe|
-        pe.image_file_header = IMAGE_FILE_HEADER.read(f)
-        ioh_offset = f.tell # offset to IMAGE_OPTIONAL_HEADER
-        if pe.ifh.SizeOfOptionalHeader.to_i > 0
-          if pe.x64?
-            pe.image_optional_header = IMAGE_OPTIONAL_HEADER64.read(f, pe.ifh.SizeOfOptionalHeader)
-          else
-            pe.image_optional_header = IMAGE_OPTIONAL_HEADER32.read(f, pe.ifh.SizeOfOptionalHeader)
-          end
+      pe = PE.new(pe_sig)
+      pe.image_file_header = IMAGE_FILE_HEADER.read(f)
+      ioh_offset = f.tell # offset to IMAGE_OPTIONAL_HEADER
+      if pe.ifh.SizeOfOptionalHeader.to_i > 0
+        if pe.x64?
+          pe.image_optional_header = IMAGE_OPTIONAL_HEADER64.read(f, pe.ifh.SizeOfOptionalHeader)
+        else
+          pe.image_optional_header = IMAGE_OPTIONAL_HEADER32.read(f, pe.ifh.SizeOfOptionalHeader)
         end
+      end
 
-        if (nToRead=pe.ifh.NumberOfSections.to_i) > 0xffff
-          if force.is_a?(Numeric) && force > 1
-            logger.warn "[!] too many sections (#{pe.ifh.NumberOfSections}). forced. reading all"
-          else
-            logger.warn "[!] too many sections (#{pe.ifh.NumberOfSections}). not forced, reading first 65535"
-            nToRead = 65535
-          end
-        end
+      nToRead=pe.ifh.NumberOfSections.to_i
 
-        # The Windows loader expects to find the PE section headers after the optional header. It calculates the address of the first section header by adding SizeOfOptionalHeader to the beginning of the optional header.
-        # // http://www.phreedom.org/research/tinype/
-        f.seek( ioh_offset + pe.ifh.SizeOfOptionalHeader.to_i )
-        pe.sections = []
-        nToRead.times do
-          break if f.eof?
-          pe.sections << IMAGE_SECTION_HEADER.read(f)
-        end
+      # The Windows loader expects to find the PE section headers after the optional header. It calculates the address of the first section header by adding SizeOfOptionalHeader to the beginning of the optional header.
+      # // http://www.phreedom.org/research/tinype/
+      f.seek( ioh_offset + pe.ifh.SizeOfOptionalHeader.to_i )
+      pe.sections = read_sections(f, nToRead, args)
 
-        if pe.sections.any?
-          # zero all missing values of last section
-          pe.sections.last.tap do |last_section|
-            last_section.each_pair do |k,v|
-              last_section[k] = 0 if v.nil?
-            end
-          end
-        end
+      pe_end = f.tell
+      if s=pe.sections.find{ |s| (pe_offset...pe_end).include?(s.va) }
+        if args[:pass2]
+          # already called with CompositeIO ?
+          PEdump.logger.error "[!] section with va=0x#{s.va.to_s(16)} overwrites PE header! 2nd time?!"
 
-        pe_end = f.tell
-        if s=pe.sections.find{ |s| (pe_offset...pe_end).include?(s.va) }
-          if args[:pass2]
-            # already called with CompositeIO ?
-            logger.error "[!] section with va=0x#{s.va.to_s(16)} overwrites PE header! 2nd time?!"
-
-          elsif pe_end-pe_offset < 0x100_000
-            logger.warn "[!] section with va=0x#{s.va.to_s(16)} overwrites PE header! trying to rebuild..."
-            f.seek pe_offset
-            data = f.read(s.va-pe_offset)
-            f.seek s.PointerToRawData
-            io = CompositeIO.new(StringIO.new(data), f)
-            args1 = args.dup
-            args1[:pass2] = true
-            return PE.read(io, args1)
-          else
-            logger.error "[!] section with va=0x#{s.va.to_s(16)} overwrites PE header! too big to rebuild!"
-          end
+        elsif pe_end-pe_offset < 0x100_000
+          PEdump.logger.warn "[!] section with va=0x#{s.va.to_s(16)} overwrites PE header! trying to rebuild..."
+          f.seek pe_offset
+          data = f.read(s.va-pe_offset)
+          f.seek s.PointerToRawData
+          io = CompositeIO.new(StringIO.new(data), f)
+          args1 = args.dup
+          args1[:pass2] = true
+          return PE.read(io, args1)
+        else
+          PEdump.logger.error "[!] section with va=0x#{s.va.to_s(16)} overwrites PE header! too big to rebuild!"
         end
       end
+
+      pe
     end
 
     def self.logger; PEdump.logger; end
@@ -106,7 +115,7 @@ class PEdump
       begin
         pe_offset = mz(f) && mz(f).lfanew
         if pe_offset.nil?
-          logger.fatal "[!] NULL PE offset (e_lfanew). cannot continue."
+          logger.debug "[!] NULL PE offset (e_lfanew). cannot continue."
           nil
         elsif pe_offset > f.size
           logger.fatal "[!] PE offset beyond EOF. cannot continue."