pedump 0.5.0 → 0.6.0

data/spec/loader/names_spec.rb

@@ -1,24 +0,0 @@
-require 'spec_helper'
-require 'pedump/loader'
-
-describe PEdump::Loader do
-  it "should read names from imports" do
-    io = open("samples/calc.exe","rb")
-    @ldr = PEdump::Loader.new io
-
-    @ldr.names.should_not be_nil
-    @ldr.names.should_not be_empty
-    @ldr.names.size.should >= 343
-    @ldr.names[0x10010d0].should == 'GetStartupInfoA'
-  end
-
-  it "should read names from exports" do
-    io = open("samples/zlib.dll","rb")
-    @ldr = PEdump::Loader.new io
-
-    @ldr.names.should_not be_nil
-    @ldr.names.should_not be_empty
-    @ldr.names.size.should >= 69
-    @ldr.names[0x1000e340].should == 'zlib_version'
-  end
-end

data/spec/loader/va_spec.rb

@@ -1,44 +0,0 @@
-require 'spec_helper'
-require 'pedump/loader'
-
-describe PEdump::Loader do
-  describe "#valid_va?" do
-    describe "samples/calc.exe" do
-      before do
-        io = open("samples/calc.exe","rb")
-        @ldr = PEdump::Loader.new io
-      end
-
-      %w'1001000 1010000 104b999 104c000 1051000 109c000 10a01f5'.each do |x|
-        it "returns true for 0x#{x}" do
-          @ldr.valid_va?(x.to_i(16)).should be_true
-        end
-      end
-
-      %w'0 1 1000 1000fff 104b99a 104bfff 1050fff 109bfff 10a01f6'.each do |x|
-        it "returns false for 0x#{x}" do
-          @ldr.valid_va?(x.to_i(16)).should be_false
-        end
-      end
-    end
-
-    describe "samples/upx.exe" do
-      before do
-        io = open("samples/upx.exe","rb")
-        @ldr = PEdump::Loader.new io
-      end
-
-      %w'401000 541000 589000 589fff'.each do |x|
-        it "returns true for 0x#{x}" do
-          @ldr.valid_va?(x.to_i(16)).should be_true
-        end
-      end
-
-      %w'0 1 1000 400000 58a000'.each do |x|
-        it "returns false for 0x#{x}" do
-          @ldr.valid_va?(x.to_i(16)).should be_false
-        end
-      end
-    end
-  end
-end

data/spec/manyimportsW7_spec.rb

@@ -1,22 +0,0 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
-require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
-
-describe "corkami/manyimportsW7.exe" do
-  before :all do
-    @sample = sample
-  end
-
-  it "should have 2 imports" do
-    @sample.imports.size.should == 2
-    @sample.imports.map(&:module_name).should == %w'kernel32.dll msvcrt.dll'
-    @sample.imports.map do |iid|
-      (iid.original_first_thunk + iid.first_thunk).uniq.map(&:name)
-    end.flatten.should == ["ExitProcess", "printf"]
-  end
-
-  it "should have 1 TLS" do
-    @sample.tls.size.should == 1
-    @sample.tls.first.AddressOfIndex.should == 0x401148
-    @sample.tls.first.AddressOfCallBacks.should == 0x401100
-  end
-end

data/spec/ne_spec.rb

@@ -1,125 +0,0 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
-require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
-
-5.times do |idx|
-  fname = "ne#{idx}." + (idx==4 ? "dll" : "exe")
-
-  modulenames = %w"_DELIS VISTA21P ISSET_SE HORSNCF MAPI"
-  exports = []
-
-  # ne0.exe
-  exports << [
-    PEdump::ExportedFunction.new("WNDPROC", 1, 0x10258)
-  ]
-
-  # ne1.exe
-  exports << []
-
-  # ne2.exe
-  exports << [
-    PEdump::ExportedFunction.new("LOGODLGPROC", 1, 0x13ACA),
-    PEdump::ExportedFunction.new("BARWNDPROC",  2, 0x15FF0),
-    PEdump::ExportedFunction.new("SETUPWNDPROC",3, 0x100B2),
-    PEdump::ExportedFunction.new("LOGOBWNDPROC",4, 0x147B4),
-  ]
-
-  # ne3.exe
-  exports << [
-    PEdump::ExportedFunction.new("___EXPORTEDSTUB", 1, 0x63cf4),
-    PEdump::ExportedFunction.new("_AFX_VERSION",    2, 0x4272c),
-  ]
-
-  # ne4.dll
-  exports << [
-    PEdump::ExportedFunction.new("WEP", 1, 0x10000),
-    PEdump::ExportedFunction.new("BMAPIGETREADMAIL",  33, 0x7020A),
-    PEdump::ExportedFunction.new("BMAPIRESOLVENAME",  38, 0x7077C),
-    PEdump::ExportedFunction.new("BMAPIGETADDRESS",   36, 0x70692),
-    PEdump::ExportedFunction.new("BMAPIFINDNEXT",     34, 0x70074),
-    PEdump::ExportedFunction.new("BMAPIDETAILS",      37, 0x706F1),
-    PEdump::ExportedFunction.new("MAPIFREEBUFFER",    18, 0xb0A71),
-    PEdump::ExportedFunction.new("MAPIFINDNEXT",      16, 0xa0000),
-    PEdump::ExportedFunction.new("MAPIDELETEMAIL",    17, 0x90000),
-    PEdump::ExportedFunction.new("MAPIREADMAIL",      15, 0x100000),
-    PEdump::ExportedFunction.new("BMAPIADDRESS",      35, 0x7051D),
-    PEdump::ExportedFunction.new("MAPIADDRESS",       19, 0x60139),
-    PEdump::ExportedFunction.new("MAPILOGON",         11, 0xc0000),
-    PEdump::ExportedFunction.new("MAPISENDMAIL",      13, 0x130000),
-    PEdump::ExportedFunction.new("MAPIRESOLVENAME",   21, 0x60A3F),
-    PEdump::ExportedFunction.new("MAPIDETAILS",       20, 0x60752),
-    PEdump::ExportedFunction.new("BMAPISAVEMAIL",     31, 0x70455),
-    PEdump::ExportedFunction.new("MAPISAVEMAIL",      14, 0x1302BE),
-    PEdump::ExportedFunction.new("BMAPIREADMAIL",     32, 0x70141),
-    PEdump::ExportedFunction.new("MAPISENDDOCUMENTS", 10, 0x120703),
-    PEdump::ExportedFunction.new("MAPILOGOFF",        12, 0xc00D2),
-    PEdump::ExportedFunction.new("BMAPISENDMAIL",     30, 0x70000),
-  ]
-
-  imports = [
-    ['KERNEL',   0x80],
-    ['VBRUN300', 0x64],
-    ['GDI',      0x15f],
-    ['FINSTDLL', nil,  'FILECOPY'],
-    ['DEMILAYR', 0x6f]
-  ]
-
-  versions = %w'2.20.900.0 - 3.0.111.0 1.0.0.1 3.2.0.4057'
-
-  describe fname do
-    it "should have NE header" do
-      sample do |f|
-        f.ne.should_not be_nil
-      end
-    end
-
-    it "should not have PE header" do
-      sample do |f|
-        f.pe.should be_nil
-      end
-    end
-
-    it "should have NE segments" do
-      sample do |f|
-        f.ne.segments.size.should == f.ne.ne_cseg
-      end
-    end
-
-    it "should have NE resources" do
-      sample do |f|
-        f.ne.resources.should_not be_nil
-        ver = f.ne.resources.find{ |res| res.type == 'VERSION' }
-        expected = versions[idx]
-        if expected == '-'
-          ver.should be_nil
-        else
-          vi = ver.data.first
-          [
-            vi.Value.dwFileVersionMS.to_i >> 16,
-            vi.Value.dwFileVersionMS.to_i &  0xffff,
-            vi.Value.dwFileVersionLS.to_i >> 16,
-            vi.Value.dwFileVersionLS.to_i &  0xffff
-          ].join('.').should == expected
-        end
-      end
-    end
-
-    it "should have imports" do
-      sample do |f|
-        f.ne.imports.should_not be_nil
-        func = PEdump::ImportedFunction.new
-        func.module_name = imports[idx][0]
-        func.ordinal     = imports[idx][1]
-        func.name        = imports[idx][2]
-
-        f.ne.imports.should include(func)
-      end
-    end
-    it "should have exports" do
-      sample do |f|
-        f.ne.exports.should_not be_nil
-        f.ne.exports.name.should == modulenames[idx]
-        f.ne.exports.functions.should == exports[idx]
-      end
-    end
-  end
-end

data/spec/packer_spec.rb

@@ -1,17 +0,0 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
-require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
-
-%w'calc_upx.exe arm_upx.exe'.each do |fname|
-  describe fname do
-    before :all do
-      File.open(File.join("samples",fname),"rb") do |f|
-        @packer = PEdump.new(f).packer.first
-      end
-    end
-
-    it "should detect UPX" do
-      @packer.should_not be_nil
-      @packer.name.should include 'UPX'
-    end
-  end
-end

data/spec/pe_spec.rb

@@ -1,67 +0,0 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
-require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
-
-describe 'PE' do
-  it "should assume TimeDateStamp is in UTC"
-
-  KLASS = PEdump::ImportedFunction
-
-  describe KLASS do
-    it "should be equal" do
-      pending "necessary?"
-      a = []
-      KLASS.new(*a).should == KLASS.new(*a)
-      a = ['a']
-      KLASS.new(*a).should == KLASS.new(*a)
-      a = ['a','b']
-      KLASS.new(*a).should == KLASS.new(*a)
-      a = ['a','b','c']
-      KLASS.new(*a).should == KLASS.new(*a)
-      a = ['a','b','c','d']
-      KLASS.new(*a).should == KLASS.new(*a)
-    end
-
-    it "should not be equal" do
-      a = ['a']
-      b = []
-      KLASS.new(*a).should_not == KLASS.new(*b)
-      a = ['a']
-      b = ['b']
-      KLASS.new(*a).should_not == KLASS.new(*b)
-      a = ['a','B']
-      b = ['a','b']
-      KLASS.new(*a).should_not == KLASS.new(*b)
-      a = ['a','b','c']
-      b = ['a','b']
-      KLASS.new(*a).should_not == KLASS.new(*b)
-      a = ['a','b','c']
-      b = ['a','b','X']
-      KLASS.new(*a).should_not == KLASS.new(*b)
-    end
-
-    it "should be equal with different VA's" do
-      pending "necessary?"
-      a = ['a','b','c',nil]
-      b = ['a','b','c','d']
-      KLASS.new(*a).should == KLASS.new(*b)
-      a = ['a','b','c',0x1000]
-      b = ['a','b','c',0x2000]
-      KLASS.new(*a).should == KLASS.new(*b)
-      a = ['a','b','c',0x1000]
-      b = ['a','b','c',0x1000]
-      KLASS.new(*a).should == KLASS.new(*b)
-    end
-
-    it "should be equal in uniq() with different VA's" do
-      a = ['a','b','c',nil]
-      b = ['a','b','c','d']
-      [KLASS.new(*a), KLASS.new(*b)].uniq.size.should == 1
-      a = ['a','b','c',0x1000]
-      b = ['a','b','c',0x2000]
-      [KLASS.new(*a), KLASS.new(*b)].uniq.size.should == 1
-      a = ['a','b','c',0x1000]
-      b = ['a','b','c',0x1000]
-      [KLASS.new(*a), KLASS.new(*b)].uniq.size.should == 1
-    end
-  end
-end

data/spec/pedump_spec.rb

@@ -1,19 +0,0 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
-
-describe "PEdump#dump" do
-  describe "should save packer" do
-    it "when arg is a filename" do
-      dump = PEdump.dump("samples/arm_upx.exe", :log_level => Logger::FATAL)
-      dump.packers.size.should == 1
-      dump.packers.first.name.should =~ /UPX/
-    end
-
-    it "when arg is an IO" do
-      File.open("samples/arm_upx.exe", "rb") do |f|
-        dump = PEdump.dump(f, :log_level => Logger::FATAL)
-        dump.packers.size.should == 1
-        dump.packers.first.name.should =~ /UPX/
-      end
-    end
-  end
-end

data/spec/resource_spec.rb

@@ -1,13 +0,0 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
-require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
-
-describe 'PEdump' do
-  it "should get all resources" do
-    fname = File.expand_path(File.dirname(__FILE__) + '/../samples/calc.exe')
-    File.open(fname,"rb") do |f|
-      @pedump = PEdump.new(fname)
-      @resources = @pedump.resources(f)
-    end
-    @resources.size.should == 71
-  end
-end

data/spec/sections_spec.rb

@@ -1,11 +0,0 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
-require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump')
-require 'yaml'
-
-['calc.exe', 'bad/data_dir_15_entries.exe'].each do |fname|
-  describe fname do
-    it "should match saved sections info" do
-      sample.sections.should == YAML::load_file(File.join(DATA_DIR,"#{File.basename(fname)}_sections.yml"))
-    end
-  end
-end

data/spec/sig_all_packers_spec.rb

@@ -1,24 +0,0 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
-require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump/packer')
-
-describe "PEdump::Packer" do
-  describe "matchers" do
-    if ENV['SLOW']
-      PEdump::SigParser.parse(:raw => true).each do |sig|
-        data = sig.re.join
-        next if data == "This program cannot be run in DOS mo"
-        it "should find #{sig.name}" do
-          a = PEdump::Packer.of(data).map(&:name)
-          a.size.should > 0
-
-          a = sig.name.split - a.join(' ').split - ['Exe','PE']
-          a.delete_if{ |x| x[/[vV\.\/()\[\]]/] }
-          p a if a.size > 1
-          a.size.should < 2
-        end
-      end
-    else
-      pending "SLOW"
-    end
-  end
-end

data/spec/sig_spec.rb

@@ -1,68 +0,0 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
-require File.expand_path(File.dirname(__FILE__) + '/../lib/pedump/packer')
-
-describe "PEdump::Packer" do
-  it "should have enough signatures" do
-    PEdump::Packer.count.should > 1000
-  end
-
-  it "should not match" do
-    maxlen = PEdump::Packer.map(&:size).max
-    s = 'x'*maxlen
-    PEdump::Packer.of_data(s).should be_nil
-  end
-
-  it "should parse" do
-    a = PEdump::SigParser.parse
-    a.should be_instance_of(Array)
-    a.map(&:class).uniq.should == [PEdump::Packer]
-  end
-
-  it "should not react to DOS signature" do
-    data = "This program cannot be run in DOS mode"
-    PEdump::Packer.of(data).should be_nil
-  end
-
-  it "should match sigs" do
-    n = 0
-    File.open('data/signatures.txt', 'r:cp1252') do |f|
-      while row = f.gets
-        row.strip!
-        next unless row =~ /^\[(.*)=(.*)\]$/
-        s = ''
-        title,hexstring = $1,$2
-
-        # bad sigs
-        next if hexstring == '909090909090909090909090909090909090909090909090909090909090909090909090'
-        next if hexstring == 'E9::::0000000000000000'
-
-        (hexstring.size/2).times do |i|
-          c = hexstring[i*2,2]
-          if c == '::'
-            s << '.'
-          else
-            s << c.to_i(16).chr
-          end
-        end
-        packers = PEdump::Packer.of(s)
-        if packers
-          names = packers.map(&:name)
-          next if names.any? do |name|
-            a = name.upcase.tr('V','')
-            b = title.upcase.tr('V','')
-            a[b] || b[a]
-          end
-#          puts "[.] #{title}"
-#          names.each do |x|
-#            puts "\t= #{x}"
-#          end
-        else
-          puts "[?] #{title}: #{hexstring}"
-          n += 1
-        end
-      end
-    end
-    #puts "[.] diff = #{n}"
-    n.should == 0
-  end
-end