pedump 0.5.1 → 0.6.1

data/lib/pedump.rb

@@ -2,6 +2,7 @@
 require 'stringio'
 require 'iostruct'
 require 'zhexdump'
+require 'set'
 
 unless Object.new.respond_to?(:try) && nil.respond_to?(:try)
   require 'pedump/core_ext/try'
@@ -16,6 +17,7 @@ require 'pedump/security'
 require 'pedump/packer'
 require 'pedump/ne'
 require 'pedump/ne/version_info'
+require 'pedump/te'
 
 # pedump.rb by zed_0xff
 #
@@ -27,6 +29,10 @@ class PEdump
 
   VERSION    = Version::STRING
   MAX_ERRORS = 100
+  MAX_IMAGE_IMPORT_DESCRIPTORS = 1000
+  MAX_EXPORT_NUMBER_OF_NAMES = 16384 # got 7977 in http://pedump.me/03ad7400080678c6b1984f995d36fd04
+  GOOD_FUNCTION_NAME_RE = /\A[\x21-\x7f]+\Z/
+  SUPPORTED_SIGNATURES = ['MZ', 'ZM', 'VZ']
 
   @@logger = nil
 
@@ -255,7 +261,7 @@ class PEdump
 
   # http://ntcore.com/files/richsign.htm
   class RichHdr < String
-    attr_accessor :offset, :key # xor key
+    attr_accessor :offset, :skip, :key # xor key
 
     class Entry < Struct.new(:version,:id,:times)
       def inspect
@@ -264,8 +270,21 @@ class PEdump
     end
 
     def self.from_dos_stub stub
+      #stub.hexdump
       key = stub[stub.index('Rich')+4,4]
       start_idx = stub.index(key.xor('DanS'))
+      skip = 0
+      if start_idx
+        skip = 4
+      else
+        PEdump.logger.warn "[?] cannot find rich_hdr start_idx, using heuristics"
+        start_idx = stub.index("$\x00\x00\x00\x00\x00\x00\x00")
+        unless start_idx
+          PEdump.logger.warn "[?] heuristics failed :("
+          return nil
+        end
+        start_idx += 8
+      end
       end_idx   = stub.index('Rich')+8
       if stub[end_idx..-1].tr("\x00",'') != ''
         t = stub[end_idx..-1]
@@ -273,14 +292,16 @@ class PEdump
         PEdump.logger.error "[!] non-zero dos stub after rich_hdr: #{t.inspect}"
         return nil
       end
+      #stub[start_idx, end_idx-start_idx].hexdump
       RichHdr.new(stub[start_idx, end_idx-start_idx]).tap do |x|
         x.key = key
         x.offset = stub.offset + start_idx
+        x.skip = skip
       end
     end
 
     def dexor
-      self[4..-9].sub(/\A(#{Regexp::escape(key)}){3}/,'').xor(key)
+      self[skip..-9].sub(/\A(#{Regexp::escape(key)}){3}/,'').xor(key)
     end
 
     def decode
@@ -318,9 +339,9 @@ class PEdump
     @mz ||= f && MZ.read(f).tap do |mz|
       if mz.signature != 'MZ' && mz.signature != 'ZM'
         if @force
-          logger.warn  "[?] no MZ signature. want: 'MZ' or 'ZM', got: #{mz.signature.inspect}"
+          #logger.warn  "[?] no MZ signature. want: 'MZ' or 'ZM', got: #{mz.signature.inspect}"
         else
-          logger.error "[!] no MZ signature. want: 'MZ' or 'ZM', got: #{mz.signature.inspect}. (not forced)"
+          #logger.error "[!] no MZ signature. want: 'MZ' or 'ZM', got: #{mz.signature.inspect}. (not forced)"
           return nil
         end
       end
@@ -376,6 +397,13 @@ class PEdump
   def va2file va, h={}
     return nil if va.nil?
 
+    va0 = va # save for log output of original addr
+    if pe?
+      # most common case, do nothing
+    elsif te?
+      va = va - te_shift()
+    end
+
     sections.each do |s|
       if (s.VirtualAddress...(s.VirtualAddress+s.VirtualSize)).include?(va)
         offset = va - s.VirtualAddress
@@ -407,9 +435,9 @@ class PEdump
     # TODO: not all VirtualAdresses == 0 case
 
     if h[:quiet]
-      logger.debug "[?] can't find file_offset of VA 0x#{va.to_i.to_s(16)} (quiet=true)"
+      logger.debug "[?] can't find file_offset of VA 0x#{va0.to_i.to_s(16)} (quiet=true)"
     else
-      logger.error "[?] can't find file_offset of VA 0x#{va.to_i.to_s(16)}"
+      logger.error "[?] can't find file_offset of VA 0x#{va0.to_i.to_s(16)}"
     end
     nil
   end
@@ -427,16 +455,22 @@ class PEdump
   end
 
   def _dump_handle h
-    return unless pe(h) # also calls mz(h)
-    rich_hdr h
-    resources h
-    imports h   # also calls tls(h)
-    exports h
-    packer h
+    if pe(h) # also calls mz(h)
+      rich_hdr h
+      resources h
+      imports h   # also calls tls(h)
+      exports h
+      packer h
+    elsif te(h)
+    end
   end
 
   def data_directory f=@io
-    pe(f) && pe.ioh && pe.ioh.DataDirectory
+    if pe(f)
+      pe.ioh && pe.ioh.DataDirectory
+    elsif te(f)
+      te.DataDirectory
+    end
   end
 
   def sections f=@io
@@ -444,16 +478,52 @@ class PEdump
       pe.section_table
     elsif ne(f)
       ne.segments
+    elsif te(f)
+      te.sections
     end
   end
   alias :section_table :sections
 
-  def ne?
-    @pe ? false : (@ne ? true : (pe ? false : (ne ? true : false)))
+  def supported_file? f=@io
+    pos = f.tell
+    sig = f.read(2)
+    f.seek(pos)
+    if SUPPORTED_SIGNATURES.include?(sig)
+      true
+    else
+      unless @not_supported_sig_warned
+        msg = "no supported signature. want: #{SUPPORTED_SIGNATURES.join("/")}, got: #{sig.inspect}"
+        if @force
+          logger.warn  "[?] #{msg}"
+        else
+          logger.error "[!] #{msg}. (not forced)"
+        end
+        @not_supported_sig_warned = true
+      end
+      false
+    end
+  end
+
+  def _detect_format
+    return :pe if @pe
+    return :ne if @ne
+    return :te if @te
+    return :pe if pe()
+    return :ne if ne()
+    return :te if te()
+    nil
   end
 
   def pe?
-    @pe ? true  : (@ne ? false : (pe ? true : false ))
+    _detect_format() == :pe
+  end
+
+  def ne?
+    _detect_format() == :ne
+  end
+
+  def te?
+    _detect_format() == :te
   end
 
   ##############################################################################
@@ -498,6 +568,8 @@ class PEdump
       pe_imports(f)
     elsif ne(f)
       ne(f).imports
+    else
+      []
     end
   end
 
@@ -527,7 +599,11 @@ class PEdump
           # http://code.google.com/p/corkami/source/browse/trunk/asm/PE/manyimportsW7.asm
           break
         end
-        t=IMAGE_IMPORT_DESCRIPTOR.read(f)
+        if r.size >= MAX_IMAGE_IMPORT_DESCRIPTORS
+          logger.warn "[!] too many IMAGE_IMPORT_DESCRIPTORs, not reading more than #{r.size}"
+          break
+        end
+        t = IMAGE_IMPORT_DESCRIPTOR.read(f)
         break if t.Name.to_i == 0 # also catches EOF
         r << t
         file_offset += IMAGE_IMPORT_DESCRIPTOR::SIZE
@@ -536,8 +612,16 @@ class PEdump
       logger.warn "[?] imports info beyond EOF"
     end
 
+    n_bad_names = 0
     logger.warn "[?] non-empty last IMAGE_IMPORT_DESCRIPTOR: #{t.inspect}" if t && !t.empty?
-    @imports = r.each do |x|
+    @imports = r
+    r = nil
+    @imports.each_with_index do |x, iidx|
+      if n_bad_names > MAX_ERRORS
+        logger.warn "[!] too many bad imported function names. skipping further imports parsing"
+        @imports = @imports[0,iidx]
+        break
+      end
       if x.Name.to_i != 0 && (ofs = va2file(x.Name))
         begin
         f.seek ofs
@@ -572,12 +656,18 @@ class PEdump
                 logger.warn "[?] import ofs 0x#{ofs.to_s(16)} VA=0x#{t.to_s(16)} beyond EOF"
                 nil
               else
-                ImportedFunction.new(
-                  f.read(2).unpack('v').first,
-                  f.gets("\x00").chomp("\x00"),
-                  nil,
-                  va
-                )
+                hint = f.read(2).unpack('v').first
+                name = f.gets("\x00").to_s.chomp("\x00")
+                if !name.empty? && name !~ GOOD_FUNCTION_NAME_RE
+                  n_bad_names += 1
+                  if n_bad_names > MAX_ERRORS
+                    nil
+                  else
+                    ImportedFunction.new(hint, name, nil, va)
+                  end
+                else
+                  ImportedFunction.new(hint, name, nil, va)
+                end
               end
             elsif tbl == :original_first_thunk
               # OriginalFirstThunk entries can not be invalid, show a warning msg
@@ -592,7 +682,7 @@ class PEdump
             end
         end
         x[tbl] && x[tbl].compact!
-      end
+      end # [:original_first_thunk, :first_thunk].each
       if x.original_first_thunk && !x.first_thunk
         logger.warn "[?] import table: empty FirstThunk for #{x.module_name}"
       elsif !x.original_first_thunk && x.first_thunk
@@ -603,7 +693,8 @@ class PEdump
           logger.debug "[?] import table: OriginalFirstThunk != FirstThunk for #{x.module_name}"
         end
       end
-    end
+    end # r.each
+    @imports
   end
 
   ##############################################################################
@@ -720,9 +811,9 @@ class PEdump
       ord2name = {}
       if x.names && x.names.any?
         n = x.NumberOfNames
-        if n > 2048
-          logger.warn "[?] NumberOfNames too big (#{x.NumberOfNames}), limiting to 2048"
-          n = 2048
+        if n > MAX_EXPORT_NUMBER_OF_NAMES
+          logger.warn "[?] NumberOfNames too big (#{x.NumberOfNames}), limiting to #{MAX_EXPORT_NUMBER_OF_NAMES}"
+          n = MAX_EXPORT_NUMBER_OF_NAMES
         end
         n.times do |i|
           ord2name[x.name_ordinals[i]] ||= []

data/lib/pedump/cli.rb

@@ -1,5 +1,6 @@
 require 'pedump'
 require 'pedump/packer'
+require 'pedump/rich'
 require 'pedump/version_info'
 require 'optparse'
 
@@ -33,7 +34,7 @@ class PEdump::CLI
   attr_accessor :data, :argv
 
   KNOWN_ACTIONS = (
-    %w'mz dos_stub rich pe ne data_directory sections tls security' +
+    %w'mz dos_stub rich pe ne te data_directory sections tls security' +
     %w'strings resources resource_directory imports exports version_info packer web console packer_only'
   ).map(&:to_sym)
 
@@ -65,8 +66,8 @@ class PEdump::CLI
         @options[:force] ||= 0
         @options[:force] += 1
       end
-      opts.on "-f", "--format FORMAT", [:binary, :c, :dump, :hex, :inspect, :table, :yaml],
-        "Output format: bin,c,dump,hex,inspect,table,yaml","(default: table)" do |v|
+      opts.on "-f", "--format FORMAT", [:binary, :c, :dump, :hex, :inspect, :json, :table, :yaml],
+        "Output format: bin,c,dump,hex,inspect,json,table,yaml","(default: table)" do |v|
         @options[:format] = v
       end
       KNOWN_ACTIONS.each do |t|
@@ -135,7 +136,7 @@ class PEdump::CLI
       File.open(fname,'rb') do |f|
         @pedump = create_pedump fname
 
-        next if !@options[:force] && !@pedump.mz(f)
+        next if !@options[:force] && !@pedump.supported_file?(f)
 
         @actions.each do |action|
           case action
@@ -194,16 +195,14 @@ class PEdump::CLI
   end
 
   class ProgressProxy
-    attr_reader :pbar
-
-    def initialize file
-      @file = file
-      @pbar = ProgressBar.new("[.] uploading", file.size, STDOUT)
-      @pbar.try(:file_transfer_mode)
-      @pbar.bar_mark = '='
+    def initialize file, prefix = "[.] uploading: ", io = STDOUT
+      @file   = file
+      @io     = io
+      @prefix = prefix
     end
     def read *args
-      @pbar.inc args.first
+      @io.write("\r#{@prefix}#{@file.tell}/#{@file.size} ")
+      @io.flush
       @file.read *args
     end
     def method_missing *args
@@ -212,6 +211,10 @@ class PEdump::CLI
     def respond_to? *args
       @file.respond_to?(args.first) || super(*args)
     end
+
+    def finish!
+      @io.write("\r#{@prefix}#{@file.size}/#{@file.size} \n")
+    end
   end
 
   def upload f
@@ -224,7 +227,6 @@ class PEdump::CLI
     require 'open-uri'
     require 'net/http'
     require 'net/http/post/multipart'
-    require 'progressbar'
 
     stdout_sync = STDOUT.sync
     STDOUT.sync = true
@@ -250,15 +252,15 @@ class PEdump::CLI
 
     f.rewind
 
-    # upload with progressbar
+    # upload with progress
     post_url = URI.parse(URL_BASE+'/')
+    # UploadIO is from multipart-post
     uio = UploadIO.new(f, "application/octet-stream", File.basename(f.path))
     ppx = ProgressProxy.new(uio)
     req = Net::HTTP::Post::Multipart.new post_url.path, "file" => ppx
     res = Net::HTTP.start(post_url.host, post_url.port){ |http| http.request(req) }
-    ppx.pbar.finish
+    ppx.finish!
 
-    puts
     puts "[.] analyzing..."
 
     if (r=open(File.join(URL_BASE,md5,'analyze')).read) != "OK"
@@ -326,7 +328,7 @@ class PEdump::CLI
 
     puts action_title(action) unless @options[:format] == :binary
 
-    return dump(data) if [:inspect, :table, :yaml].include?(@options[:format])
+    return dump(data) if [:inspect, :table, :json, :yaml].include?(@options[:format])
 
     dump_opts = {:name => action}
     case action
@@ -376,6 +378,9 @@ class PEdump::CLI
     when :yaml
       require 'yaml'
       puts data.to_yaml
+    when :json
+      require 'json'
+      puts data.to_json
     end
   end
 
@@ -454,6 +459,8 @@ class PEdump::CLI
       case data.first
       when PEdump::IMAGE_DATA_DIRECTORY
         dump_data_dir data
+      when PEdump::EFI_IMAGE_DATA_DIRECTORY
+        dump_efi_data_dir data
       when PEdump::IMAGE_SECTION_HEADER
         dump_sections data
       when PEdump::Resource
@@ -778,19 +785,26 @@ class PEdump::CLI
     end
   end
 
-
   def dump_data_dir data
     data.each do |row|
       printf "  %-12s  rva:0x%8x   size:0x %8x\n", row.type, row.va.to_i, row.size.to_i
     end
   end
 
+  def dump_efi_data_dir data
+    data.each_with_index do |row, idx|
+      printf "  %-12s  rva:0x%8x   size:0x %8x\n", PEdump::EFI_IMAGE_DATA_DIRECTORY::TYPES[idx], row.va.to_i, row.size.to_i
+    end
+  end
+
   def dump_rich_hdr data
     if decoded = data.decode
-      puts "    LIB_ID        VERSION        TIMES_USED   "
+      puts "   ID   VER         COUNT  DESCRIPTION"
       decoded.each do |row|
-        printf " %5d  %2x    %7d  %4x   %7d %3x\n",
-          row.id, row.id, row.version, row.version, row.times, row.times
+#        printf " %5d  %4x    %7d  %4x   %12d %8x\n",
+#          row.id, row.id, row.version, row.version, row.times, row.times
+        printf " %4x  %4x  %12d  %s\n",
+          row.id, row.version, row.times, ::PEdump::RICH_IDS[(row.id<<16) + row.version]
       end
     else
       puts "# raw:"

data/lib/pedump/loader.rb

@@ -15,7 +15,15 @@ class PEdump::Loader
 
   # shortcuts
   alias :pe :pe_hdr
-  def ep; @pe_hdr.ioh.AddressOfEntryPoint; end
+
+  def ep
+    if @pe_hdr
+      @pe_hdr.try(:ioh).try(:AddressOfEntryPoint)
+    elsif @te_hdr
+      @te_hdr.AddressOfEntryPoint - @delta
+    end
+  end
+
   def ep= v; @pe_hdr.ioh.AddressOfEntryPoint=v; end
 
   ########################################################################
@@ -23,12 +31,24 @@ class PEdump::Loader
   ########################################################################
 
   def initialize io = nil, params = {}
+    # @delta is for EFI TE loading, based on https://github.com/gdbinit/TELoader/blob/master/teloader.cpp
+    @delta = 0
     @pedump = PEdump.new(io, params)
     if io
       @mz_hdr     = @pedump.mz
       @dos_stub   = @pedump.dos_stub
       @pe_hdr     = @pedump.pe
-      @image_base = params[:image_base] || @pe_hdr.try(:ioh).try(:ImageBase) || 0
+      @te_hdr     = @pedump.te
+
+      @image_base = params[:image_base]
+      if @pe_hdr
+        @image_base ||= @pe_hdr.try(:ioh).try(:ImageBase)
+      elsif @te_hdr
+        @image_base ||= @te_hdr.ImageBase
+        @delta = @pedump.te_shift
+      end
+      @image_base ||= 0
+
       load_sections @pedump.sections, io
     end
     @find_limit = params[:find_limit] || DEFAULT_FIND_LIMIT
@@ -38,7 +58,7 @@ class PEdump::Loader
     if section_hdrs.is_a?(Array)
       @sections = section_hdrs.map do |x|
         raise "unknown section hdr: #{x.inspect}" unless x.is_a?(PEdump::IMAGE_SECTION_HEADER)
-        Section.new(x, :deferred_load_io => f, :image_base => @image_base )
+        Section.new(x, :deferred_load_io => f, :image_base => @image_base, :delta => @delta )
       end
       if f.respond_to?(:seek) && f.respond_to?(:read)
         #
@@ -249,10 +269,12 @@ class PEdump::Loader
   def names
     return @names if @names
     @names = {}
-    if oep = @pe_hdr.try(:ioh).try(:AddressOfEntryPoint)
-      oep += @image_base
-      @names[oep] = 'start'
+
+    oep = ep()
+    if oep
+      @names[oep + @image_base] = 'start'
     end
+
     _parse_imports
     _parse_exports
     #TODO: debug info