pedump 0.5.0 → 0.6.0

data/.document

@@ -1,5 +0,0 @@
-lib/**/*.rb
-bin/*
-- 
-features/**/*.feature
-LICENSE.txt

data/.rspec

@@ -1 +0,0 @@
---color

data/.travis.yml

@@ -1,4 +0,0 @@
-language: ruby
-before_install:
-  - sudo apt-get update -qq
-  - sudo apt-get install -qq upx-ucl p7zip

data/spec/65535sects_spec.rb

@@ -1,8 +0,0 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
-require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
-
-describe 'corkami/65535sects.exe' do
-  it "should have 65535 sections" do
-    sample.sections.size.should == 65535
-  end
-end

data/spec/bad_imports_spec.rb

@@ -1,20 +0,0 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
-require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
-
-describe 'bad_imports.exe' do
-  before :all do
-    @imports = sample.imports
-  end
-
-  it "should have IMAGE_IMPORT_DESCRIPTOR" do
-    @imports.size.should == 1
-  end
-
-  it "should have only IMAGE_IMPORT_DESCRIPTORs" do
-    @imports.map(&:class).uniq.should == [PEdump::IMAGE_IMPORT_DESCRIPTOR]
-  end
-
-  it "should not detect packer" do
-    sample.packer.should be_nil
-  end
-end

data/spec/bad_samples_spec.rb

@@ -1,13 +0,0 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
-require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
-
-PEDUMP_BINARY = File.expand_path(File.dirname(__FILE__) + '/../bin/pedump')
-
-Dir[File.join(SAMPLES_DIR,"bad","*.exe")].each do |fname|
-  describe fname do
-    it "should not cause exception" do
-      system "#{PEDUMP_BINARY} -qqq #{fname} > /dev/null"
-      $?.should be_success
-    end
-  end
-end

data/spec/composite_io_spec.rb

@@ -1,122 +0,0 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
-require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump/composite_io')
-
-describe PEdump::CompositeIO do
-  it "concatenates" do
-    io = PEdump::CompositeIO.new(
-      StringIO.new('foo'),
-      StringIO.new('bar'),
-      StringIO.new('baz')
-    )
-    io.read.should == 'foobarbaz'
-  end
-
-  it "reads sequentally" do
-    io = PEdump::CompositeIO.new(
-      StringIO.new('foo1'),
-      StringIO.new('bar2'),
-      StringIO.new('baz')
-    )
-    io.read(3).should == 'foo'
-    io.read(3).should == '1ba'
-    io.read(3).should == 'r2b'
-    io.read(3).should == 'az'
-  end
-
-  it "behaves like StringIO" do
-    io1 = StringIO.new('foo')
-    io2 = PEdump::CompositeIO.new(StringIO.new('foo'))
-
-    io1.read.should == io2.read       # 'foo'
-    io1.read.should == io2.read       # ''
-    io1.read(3).should == io2.read(3) # nil
-  end
-
-  it "tracks number of bytes read" do
-    io = PEdump::CompositeIO.new(
-      StringIO.new('foo1'),
-      StringIO.new('bar2'),
-      StringIO.new('baz')
-    )
-    io.tell.should == 0
-    io.read(3)
-    io.tell.should == 3
-    io.read(4)
-    io.tell.should == 7
-    io.read
-    io.tell.should == 11
-    io.read
-    io.tell.should == 11
-    io.read 10
-    io.tell.should == 11
-  end
-
-  it "chains eof? call" do
-    io = PEdump::CompositeIO.new(
-      StringIO.new('foo1'),
-      StringIO.new('bar2'),
-      StringIO.new('baz')
-    )
-    io.eof?.should be_false
-    io.read(3)
-    io.eof?.should be_false
-    io.read(4)
-    io.eof?.should be_false
-    io.read
-    io.eof?.should be_true
-    io.read
-    io.eof?.should be_true
-    io.read 10
-    io.eof?.should be_true
-  end
-
-  it "seeks" do
-    io = PEdump::CompositeIO.new(
-      StringIO.new('foo1'),
-      StringIO.new('bar2'),
-      StringIO.new('baz')
-    )
-
-    io.seek(5)
-    io.tell.should == 5
-    io.read(4).should == "ar2b"
-
-    io.seek(0)
-    io.tell.should == 0
-    io.read.should == "foo1bar2baz"
-
-    io.seek(1)
-    io.tell.should == 1
-    io.read.should == "oo1bar2baz"
-  end
-
-  it "respects start positions" do
-    ios = [
-      StringIO.new('foo1'),
-      StringIO.new('bar2'),
-      StringIO.new('baz3')
-    ]
-    ios.each_with_index{ |io,idx| io.seek(idx+1) }
-
-    s = "oo1r23"
-
-    io = PEdump::CompositeIO.new(*ios)
-    io.tell.should == 0
-    io.read.should == s
-
-    s.size.times do |pos|
-      io.seek(pos)
-      io.tell.should == pos
-      io.read.should == s[pos..-1]
-    end
-  end
-
-  it "summarizes size" do
-    io = PEdump::CompositeIO.new(
-      StringIO.new('foo1'),
-      StringIO.new('bar2'),
-      StringIO.new('baz')
-    )
-    io.size.should == 11
-  end
-end

data/spec/data/calc.exe_sections.yml

@@ -1,49 +0,0 @@
----
-- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
-  Name: !binary |-
-    LnRleHQ=
-  VirtualSize: 305562
-  VirtualAddress: 4096
-  SizeOfRawData: 305664
-  PointerToRawData: 1024
-  PointerToRelocations: 0
-  PointerToLinenumbers: 0
-  NumberOfRelocations: 0
-  NumberOfLinenumbers: 0
-  Characteristics: 1610612768
-- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
-  Name: !binary |-
-    LmRhdGE=
-  VirtualSize: 17180
-  VirtualAddress: 311296
-  SizeOfRawData: 12288
-  PointerToRawData: 306688
-  PointerToRelocations: 0
-  PointerToLinenumbers: 0
-  NumberOfRelocations: 0
-  NumberOfLinenumbers: 0
-  Characteristics: 3221225536
-- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
-  Name: !binary |-
-    LnJzcmM=
-  VirtualSize: 305927
-  VirtualAddress: 331776
-  SizeOfRawData: 306176
-  PointerToRawData: 318976
-  PointerToRelocations: 0
-  PointerToLinenumbers: 0
-  NumberOfRelocations: 0
-  NumberOfLinenumbers: 0
-  Characteristics: 1073741888
-- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
-  Name: !binary |-
-    LnJlbG9j
-  VirtualSize: 16886
-  VirtualAddress: 638976
-  SizeOfRawData: 16896
-  PointerToRawData: 625152
-  PointerToRelocations: 0
-  PointerToLinenumbers: 0
-  NumberOfRelocations: 0
-  NumberOfLinenumbers: 0
-  Characteristics: 1107296320

data/spec/data/data_dir_15_entries.exe_sections.yml

@@ -1,95 +0,0 @@
----
-- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
-  Name: !binary ""
-  VirtualSize: 245760
-  VirtualAddress: 8192
-  SizeOfRawData: 103936
-  PointerToRawData: 8192
-  PointerToRelocations: 0
-  PointerToLinenumbers: 0
-  NumberOfRelocations: 0
-  NumberOfLinenumbers: 0
-  Characteristics: 3758096448
-- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
-  Name: !binary |-
-    LnJzcmM=
-  VirtualSize: 2624
-  VirtualAddress: 253952
-  SizeOfRawData: 1536
-  PointerToRawData: 112128
-  PointerToRelocations: 0
-  PointerToLinenumbers: 0
-  NumberOfRelocations: 0
-  NumberOfLinenumbers: 0
-  Characteristics: 3221225536
-- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
-  Name: !binary |-
-    LmlkYXRh
-  VirtualSize: 8192
-  VirtualAddress: 262144
-  SizeOfRawData: 1024
-  PointerToRawData: 113664
-  PointerToRelocations: 0
-  PointerToLinenumbers: 0
-  NumberOfRelocations: 0
-  NumberOfLinenumbers: 0
-  Characteristics: 3221225536
-- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
-  Name: !binary ""
-  VirtualSize: 1679360
-  VirtualAddress: 270336
-  SizeOfRawData: 512
-  PointerToRawData: 114688
-  PointerToRelocations: 0
-  PointerToLinenumbers: 0
-  NumberOfRelocations: 0
-  NumberOfLinenumbers: 0
-  Characteristics: 3758096448
-- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
-  Name: !binary |-
-    cnVsbm1kdnE=
-  VirtualSize: 1613824
-  VirtualAddress: 1949696
-  SizeOfRawData: 1607680
-  PointerToRawData: 115200
-  PointerToRelocations: 0
-  PointerToLinenumbers: 0
-  NumberOfRelocations: 0
-  NumberOfLinenumbers: 0
-  Characteristics: 3758096448
-- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
-  Name: !binary |-
-    Ym5uYm1jcWY=
-  VirtualSize: 8192
-  VirtualAddress: 3563520
-  SizeOfRawData: 512
-  PointerToRawData: 1722880
-  PointerToRelocations: 0
-  PointerToLinenumbers: 0
-  NumberOfRelocations: 0
-  NumberOfLinenumbers: 0
-  Characteristics: 3758096448
-- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
-  Name: !binary |-
-    Ym5uYm1jcWY=
-  VirtualSize: 8192
-  VirtualAddress: 3571712
-  SizeOfRawData: 3072
-  PointerToRawData: 1723392
-  PointerToRelocations: 0
-  PointerToLinenumbers: 0
-  NumberOfRelocations: 0
-  NumberOfLinenumbers: 0
-  Characteristics: 3758096448
-- !ruby/struct:PEdump::IMAGE_SECTION_HEADER
-  Name: !binary |-
-    LmRhdGEAQXA=
-  VirtualSize: 8192
-  VirtualAddress: 3579904
-  SizeOfRawData: 0
-  PointerToRawData: 1726464
-  PointerToRelocations: 0
-  PointerToLinenumbers: 0
-  NumberOfRelocations: 0
-  NumberOfLinenumbers: 0
-  Characteristics: 3758096448

data/spec/dllord_spec.rb

@@ -1,21 +0,0 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
-require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
-
-describe 'corkami/dllord.dll' do
-  it "should have 1 import" do
-    sample.imports.size.should == 1
-    sample.imports.map(&:module_name).should == %w'msvcrt.dll'
-    sample.imports.map do |iid|
-      (iid.original_first_thunk + iid.first_thunk).uniq.map(&:name)
-    end.flatten.should == ["printf"]
-  end
-
-  it "exports at least 2 entries" do
-    sample.exports.Base.should == 0x313
-    sample.exports.name.should be_nil
-    sample.exports.names.should be_empty
-    sample.exports.name_ordinals.should be_empty
-    sample.exports.entry_points[0].should == 0xffff_ffff
-    sample.exports.entry_points[1].should == 0x1008
-  end
-end

data/spec/foldedhdr_spec.rb

@@ -1,28 +0,0 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
-require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
-
-[ 'corkami/foldedhdr.exe', 'corkami/foldedhdrW7.exe' ].each do |fname|
-  describe fname do
-    before :all do
-      @sample = sample
-    end
-
-    it "should have 2 imports" do
-      @sample.imports.size.should == 2
-      @sample.imports.map(&:module_name).should == %w'kernel32.dll msvcrt.dll'
-      @sample.imports.map do |iid|
-        (iid.original_first_thunk + iid.first_thunk).uniq.map(&:name)
-      end.flatten.should == ["ExitProcess", "printf"]
-    end
-
-    it "should have 1 section" do
-      @sample.sections.size.should == 1
-      s = @sample.sections.first
-      s.VirtualSize.should == 0x1000
-      s.VirtualAddress.should == 0x1000
-      s.SizeOfRawData.should == 0x200
-      s.PointerToRawData.should == 0x200
-      s.flags.should == 0xa0000000
-    end
-  end
-end

data/spec/imports_badterm_spec.rb

@@ -1,52 +0,0 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
-require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
-
-describe 'corkami/imports_badterm.exe' do
-  # PE with a 'bad' imports terminator, just the dll name is empty
-  # http://code.google.com/p/corkami/source/browse/trunk/asm/PE/imports_badterm.asm
-  before :all do
-    @imports = sample.imports
-  end
-
-  it "should have 2 IMAGE_IMPORT_DESCRIPTORs" do
-    @imports.size.should == 2
-  end
-
-  it "should have only IMAGE_IMPORT_DESCRIPTORs" do
-    @imports.map(&:class).uniq.should == [PEdump::IMAGE_IMPORT_DESCRIPTOR]
-  end
-
-#  it "should have all entries thunks equal" do
-#    @imports.each do |iid|
-#      iid.first_thunk.should == iid.original_first_thunk
-#    end
-#  end
-
-  describe "1st image_import_descriptor" do
-    it "should be from kernel32.dll" do
-      @imports[0].module_name.should == "kernel32.dll"
-    end
-    it "should have 1 function" do
-      @imports[0].first_thunk.size.should == 1
-    end
-    it "should have ExitProcess" do
-      @imports[0].first_thunk.first.name.should == "ExitProcess"
-      @imports[0].first_thunk.first.hint.should == 0
-      @imports[0].first_thunk.first.ordinal.should be_nil
-    end
-  end
-
-  describe "2nd image_import_descriptor" do
-    it "should be from msvcrt.dll" do
-      @imports[1].module_name.should == "msvcrt.dll"
-    end
-    it "should have 1 function" do
-      @imports[1].first_thunk.size.should == 1
-    end
-    it "should have printf" do
-      @imports[1].first_thunk.first.name.should == "printf"
-      @imports[1].first_thunk.first.hint.should == 0
-      @imports[1].first_thunk.first.ordinal.should be_nil
-    end
-  end
-end

data/spec/imports_vterm_spec.rb

@@ -1,52 +0,0 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
-require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
-
-describe 'corkami/imports_vterm.exe' do
-  # http://code.google.com/p/corkami/source/browse/trunk/asm/PE/imports_vterm.asm
-  #describe "import terminator in virtual space" do
-  before :all do
-    @imports = sample.imports
-  end
-
-  it "should have 2 IMAGE_IMPORT_DESCRIPTORs" do
-    @imports.size.should == 2
-  end
-
-  it "should have only IMAGE_IMPORT_DESCRIPTORs" do
-    @imports.map(&:class).uniq.should == [PEdump::IMAGE_IMPORT_DESCRIPTOR]
-  end
-
-#  it "should have all entries thunks equal" do
-#    @imports.each do |iid|
-#      iid.first_thunk.should == iid.original_first_thunk
-#    end
-#  end
-
-  describe "1st image_import_descriptor" do
-    it "should be from kernel32.dll" do
-      @imports[0].module_name.should == "kernel32.dll"
-    end
-    it "should have 1 function" do
-      @imports[0].first_thunk.size.should == 1
-    end
-    it "should have ExitProcess" do
-      @imports[0].first_thunk.first.name.should == "ExitProcess"
-      @imports[0].first_thunk.first.hint.should == 0
-      @imports[0].first_thunk.first.ordinal.should be_nil
-    end
-  end
-
-  describe "2nd image_import_descriptor" do
-    it "should be from msvcrt.dll" do
-      @imports[1].module_name.should == "msvcrt.dll"
-    end
-    it "should have 1 function" do
-      @imports[1].first_thunk.size.should == 1
-    end
-    it "should have printf" do
-      @imports[1].first_thunk.first.name.should == "printf"
-      @imports[1].first_thunk.first.hint.should == 0
-      @imports[1].first_thunk.first.ordinal.should be_nil
-    end
-  end
-end